From df905e016ff9465954f18323fc9cd3deb12b8f7c Mon Sep 17 00:00:00 2001
From: Sreedhar Ande
Date: Mon, 2 Jun 2025 15:47:54 -0700
Subject: [PATCH 1/2] Updated workbook with new ThreatIntelIndicatorv2 parser

---
 .../Workbooks/CofenseTriageThreatIndicators.json | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/Solutions/CofenseTriage/Workbooks/CofenseTriageThreatIndicators.json b/Solutions/CofenseTriage/Workbooks/CofenseTriageThreatIndicators.json
index c9f520949e3..2aca9674193 100644
--- a/Solutions/CofenseTriage/Workbooks/CofenseTriageThreatIndicators.json
+++ b/Solutions/CofenseTriage/Workbooks/CofenseTriageThreatIndicators.json
@@ -140,7 +140,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "ThreatIntelligenceIndicator\r\n// Select cofense indicators from the table\r\n| where SourceSystem startswith \"Cofense :\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\r\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\r\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \"IP\",\r\n iff(isnotempty(Url), \"URL\",\r\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \"Email\",\r\n iff(isnotempty(FileHashValue), \"File\",\r\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \"Domain\",\r\n \"Other\")))))\r\n// Summarize and order the data, then render the chart\r\n| summarize CountOfIndicators = count() by IndicatorType, bin(TimeGenerated, 1h),SourceSystem\r\n| order by CountOfIndicators desc \r\n| render barchart kind=stacked ", + "query": "ThreatIntelIndicatorsv2\r\n// Select cofense indicators from the table\r\n| where SourceSystem startswith \"Cofense :\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\r\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\r\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \"IP\",\r\n iff(isnotempty(Url), \"URL\",\r\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \"Email\",\r\n iff(isnotempty(FileHashValue), \"File\",\r\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \"Domain\",\r\n \"Other\")))))\r\n// Summarize and order the data, then render the chart\r\n| 
summarize CountOfIndicators = count() by IndicatorType, bin(TimeGenerated, 1h),SourceSystem\r\n| order by CountOfIndicators desc \r\n| render barchart kind=stacked ", "size": 0, "showAnalytics": true, "title": "Number of Cofense Indicators Imported into Sentinel by Indicator Type and Date", @@ -173,7 +173,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "ThreatIntelligenceIndicator\r\n// Select Cofense indicators from the table\r\n| where SourceSystem startswith \"Cofense :\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\r\n// Summarize and order the data, then render the chart\r\n| summarize CountOfIndicators = count() by SourceSystem, bin(TimeGenerated, 1h)\r\n| render barchart kind=stacked", + "query": "ThreatIntelIndicatorsv2\r\n// Select Cofense indicators from the table\r\n| where SourceSystem startswith \"Cofense :\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\r\n// Summarize and order the data, then render the chart\r\n| summarize CountOfIndicators = count() by SourceSystem, bin(TimeGenerated, 1h)\r\n| render barchart kind=stacked", "size": 0, "showAnalytics": true, "title": "Number of Cofense Indicators Imported into Sentinel by Indicator Provider and Date", 
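Review bot: Every `+ "query"` line in this file swaps the source table for `ThreatIntelIndicatorsv2` but keeps the legacy ThreatIntelligenceIndicator column names (`ExternalIndicatorId`, `IndicatorId`, `Active`, `ExpirationDateTime`, `ConfidenceScore`, `FileHashValue`, the `Network*`/`Email*` fields), so the workbook only renders if `ThreatIntelIndicatorsv2` is a parser function that exposes exactly those columns; the parser is not part of this patch, and the subject line calls it `ThreatIntelIndicatorv2` (no `s`), so the name should be checked against the function actually shipped with the solution. The same dependency applies to the hunks at lines 173, 192, 211, 230, 249 and 307. It is worth recording next to the first query, e.g. extending the existing comment to `// Select cofense indicators from the table (ThreatIntelIndicatorsv2 is the solution parser that maps the new TI schema to the legacy column names)`. A missing or renamed parser fails every tile in the workbook at once rather than degrading gracefully, so a short line in the workbook's description asking the installer to deploy the parser first would avoid the most likely support question.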
@@ -192,7 +192,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "ThreatIntelligenceIndicator\r\n// Select Cofense indicators from the table\r\n| where SourceSystem startswith \"Cofense :\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\r\n| where TimeGenerated < now()\r\n// Select only indicators that have not expired\r\n and ExpirationDateTime > now()\r\n// Select only indicators that are marked active\r\n and Active == true\r\n// Select only the most recently ingested copy of an indicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\r\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \"IP\",\r\n iff(isnotempty(Url), \"URL\",\r\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \"Email\",\r\n iff(isnotempty(FileHashValue), \"File\",\r\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \"Domain\",\r\n \"Other\")))))\r\n// Summarize and order the data, then render the chart\r\n| summarize CountOfIndicators = count() by IndicatorType\r\n| order by CountOfIndicators desc \r\n| render barchart kind=unstacked", + "query": "ThreatIntelIndicatorsv2\r\n// Select Cofense indicators from the table\r\n| where SourceSystem startswith \"Cofense :\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\r\n| where TimeGenerated < now()\r\n// Select only indicators that have not expired\r\n and ExpirationDateTime > now()\r\n// Select only indicators that are marked active\r\n and Active == true\r\n// Select only the most recently ingested copy of an indicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n// Create a 
new column to identify the type of indicator, IP, Domain, URL, File, or Other\r\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \"IP\",\r\n iff(isnotempty(Url), \"URL\",\r\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \"Email\",\r\n iff(isnotempty(FileHashValue), \"File\",\r\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \"Domain\",\r\n \"Other\")))))\r\n// Summarize and order the data, then render the chart\r\n| summarize CountOfIndicators = count() by IndicatorType\r\n| order by CountOfIndicators desc \r\n| render barchart kind=unstacked", "size": 0, "showAnalytics": true, "title": "Number of Active Cofense Indicators by Indicator Type", 
@@ -211,7 +211,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "ThreatIntelligenceIndicator\r\n// Select Cofense indicators from the table\r\n| where SourceSystem startswith \"Cofense :\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\r\n| where TimeGenerated < now()\r\n// Select only indicators that have not expired\r\n and ExpirationDateTime > now()\r\n// Select only indicators that are marked active\r\n and Active == true\r\n// Select only the most recently ingested copy of an indicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n// Summarize and order the data, then render the chart\r\n| summarize CountOfIndicators = count() by SourceSystem\r\n| order by CountOfIndicators desc \r\n| render barchart kind=unstacked", + "query": "ThreatIntelIndicatorsv2\r\n// Select Cofense indicators from the table\r\n| where SourceSystem startswith \"Cofense :\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\r\n| where TimeGenerated < now()\r\n// Select only indicators that have not expired\r\n and ExpirationDateTime > now()\r\n// Select only indicators that are marked active\r\n and Active == true\r\n// Select only the most recently ingested copy of an indicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n// Summarize and order the data, then render the chart\r\n| summarize CountOfIndicators = count() by SourceSystem\r\n| order by CountOfIndicators desc \r\n| render barchart kind=unstacked", "size": 0, "showAnalytics": true, "title": "Number of Active Cofense Indicators by Indicator Source", 
@@ -230,7 +230,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "ThreatIntelligenceIndicator\r\n// Select Cofense indicators from the table\r\n| where SourceSystem startswith \"Cofense :\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\r\n| where TimeGenerated < now()\r\n// Select only indicators that have not expired\r\n and ExpirationDateTime > now()\r\n// Select only indicators that are marked active\r\n and Active == true\r\n// Select only the most recently ingested copy of an indicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n// Summarize and order the data, then render the chart\r\n| summarize CountOfIndicators = count() by tostring(ConfidenceScore)\r\n| order by CountOfIndicators desc \r\n| render piechart", + "query": "ThreatIntelIndicatorsv2\r\n// Select Cofense indicators from the table\r\n| where SourceSystem startswith \"Cofense :\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\r\n| where TimeGenerated < now()\r\n// Select only indicators that have not expired\r\n and ExpirationDateTime > now()\r\n// Select only indicators that are marked active\r\n and Active == true\r\n// Select only the most recently ingested copy of an indicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n// Summarize and order the data, then render the chart\r\n| summarize CountOfIndicators = count() by tostring(ConfidenceScore)\r\n| order by CountOfIndicators desc \r\n| render piechart", "size": 3, "showAnalytics": true, "title": "Number of Active Cofense Indicators by Confidence Score", 
@@ -249,7 +249,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let DomainQuery=view() { \r\nThreatIntelligenceIndicator\r\n| where SourceSystem startswith \"Cofense :\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(DomainName)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by DomainName\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"DomainEntry\"\r\n};\r\nlet UrlQuery=view(){\r\nThreatIntelligenceIndicator\r\n| where SourceSystem startswith \"Cofense :\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(Url)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by Url\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"UrlEntry\"\r\n};\r\nlet FileHashQuery=view(){\r\nThreatIntelligenceIndicator\r\n| where SourceSystem startswith \"Cofense :\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(FileHashValue)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by FileHashValue\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"FileHashEntry\"\r\n};\r\nlet IPQuery=view(){\r\nThreatIntelligenceIndicator\r\n| where SourceSystem startswith \"Cofense :\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(NetworkIP) or 
isnotempty(NetworkSourceIP)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by NetworkIP, NetworkSourceIP\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"IPEntry\"\r\n};\r\nlet EmailAddressQuery=view(){\r\nThreatIntelligenceIndicator\r\n| where SourceSystem startswith \"Cofense :\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(EmailSenderAddress)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSenderAddress\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"EmailAddressEntry\"\r\n};\r\nlet EmailMessageQuery=view(){\r\nThreatIntelligenceIndicator\r\n| where SourceSystem startswith \"Cofense :\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(EmailSubject)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSubject\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"EmailMessageEntry\"\r\n};\r\nlet SingleSourceIndicators=view(){\r\n DomainQuery\r\n | union UrlQuery\r\n | union FileHashQuery\r\n | union IPQuery\r\n | union EmailAddressQuery\r\n | union EmailMessageQuery\r\n | where array_length(todynamic(SourceSystemArray))==1\r\n | summarize sum(count_) by SourceSystemArray\r\n | extend counter=1 \r\n};\r\nlet MultipleSourceIndicators=view(){\r\n DomainQuery\r\n | union UrlQuery\r\n | union FileHashQuery\r\n | union IPQuery\r\n | union EmailAddressQuery\r\n | union EmailMessageQuery\r\n | where array_length(todynamic(SourceSystemArray))!=1\r\n | summarize sum(count_) by SourceSystemArray\r\n | extend counter=1\r\n};\r\nlet 
CountOfActiveIndicatorsBySource=view(){\r\n ThreatIntelligenceIndicator\r\n | where SourceSystem startswith \"Cofense :\"\r\n // latest data of cofense indicator to avoid duplicates\r\n | summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\r\n\t| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n | where ExpirationDateTime > now() and Active == true\r\n | summarize count() by SourceSystem\r\n | project SourceSystem, count_\r\n};\r\nSingleSourceIndicators\r\n| join kind=fullouter MultipleSourceIndicators on counter \r\n| where SourceSystemArray contains todynamic(SourceSystemArray)[0] \r\n| order by SourceSystemArray\r\n| extend solitary_count=sum_count_\r\n| summarize shared_count = sum(sum_count_1) by SourceSystemArray, solitary_count\r\n| extend total_count = shared_count + solitary_count\r\n| extend unique_percentage = round(toreal(solitary_count)/toreal(total_count)*100, 1)\r\n| extend IndicatorSource = tostring(todynamic(SourceSystemArray)[0])\r\n| join kind=inner CountOfActiveIndicatorsBySource on $left.IndicatorSource == $right.SourceSystem\r\n| order by unique_percentage desc\r\n| project Source=IndicatorSource, UniquenessPercentage=unique_percentage, ActiveIndicators = count_\r\n\r\n", + "query": "let DomainQuery=view() { \r\nThreatIntelIndicatorsv2\r\n| where SourceSystem startswith \"Cofense :\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(DomainName)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by DomainName\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"DomainEntry\"\r\n};\r\nlet UrlQuery=view(){\r\nThreatIntelIndicatorsv2\r\n| where SourceSystem startswith \"Cofense :\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, 
SourceSystem\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(Url)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by Url\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"UrlEntry\"\r\n};\r\nlet FileHashQuery=view(){\r\nThreatIntelIndicatorsv2\r\n| where SourceSystem startswith \"Cofense :\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(FileHashValue)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by FileHashValue\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"FileHashEntry\"\r\n};\r\nlet IPQuery=view(){\r\nThreatIntelIndicatorsv2\r\n| where SourceSystem startswith \"Cofense :\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(NetworkIP) or isnotempty(NetworkSourceIP)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by NetworkIP, NetworkSourceIP\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"IPEntry\"\r\n};\r\nlet EmailAddressQuery=view(){\r\nThreatIntelIndicatorsv2\r\n| where SourceSystem startswith \"Cofense :\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(EmailSenderAddress)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSenderAddress\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"EmailAddressEntry\"\r\n};\r\nlet EmailMessageQuery=view(){\r\nThreatIntelIndicatorsv2\r\n| 
where SourceSystem startswith \"Cofense :\"\r\n// latest data of cofense indicator to avoid duplicates\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(EmailSubject)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSubject\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"EmailMessageEntry\"\r\n};\r\nlet SingleSourceIndicators=view(){\r\n DomainQuery\r\n | union UrlQuery\r\n | union FileHashQuery\r\n | union IPQuery\r\n | union EmailAddressQuery\r\n | union EmailMessageQuery\r\n | where array_length(todynamic(SourceSystemArray))==1\r\n | summarize sum(count_) by SourceSystemArray\r\n | extend counter=1 \r\n};\r\nlet MultipleSourceIndicators=view(){\r\n DomainQuery\r\n | union UrlQuery\r\n | union FileHashQuery\r\n | union IPQuery\r\n | union EmailAddressQuery\r\n | union EmailMessageQuery\r\n | where array_length(todynamic(SourceSystemArray))!=1\r\n | summarize sum(count_) by SourceSystemArray\r\n | extend counter=1\r\n};\r\nlet CountOfActiveIndicatorsBySource=view(){\r\n ThreatIntelIndicatorsv2\r\n | where SourceSystem startswith \"Cofense :\"\r\n // latest data of cofense indicator to avoid duplicates\r\n | summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\r\n\t| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n | where ExpirationDateTime > now() and Active == true\r\n | summarize count() by SourceSystem\r\n | project SourceSystem, count_\r\n};\r\nSingleSourceIndicators\r\n| join kind=fullouter MultipleSourceIndicators on counter \r\n| where SourceSystemArray contains todynamic(SourceSystemArray)[0] \r\n| order by SourceSystemArray\r\n| extend solitary_count=sum_count_\r\n| summarize shared_count = sum(sum_count_1) by SourceSystemArray, solitary_count\r\n| extend total_count = shared_count + solitary_count\r\n| extend unique_percentage = 
round(toreal(solitary_count)/toreal(total_count)*100, 1)\r\n| extend IndicatorSource = tostring(todynamic(SourceSystemArray)[0])\r\n| join kind=inner CountOfActiveIndicatorsBySource on $left.IndicatorSource == $right.SourceSystem\r\n| order by unique_percentage desc\r\n| project Source=IndicatorSource, UniquenessPercentage=unique_percentage, ActiveIndicators = count_\r\n\r\n", "size": 0, "showAnalytics": true, "title": "Uniqueness of Cofense Threat Intelligence Sources", 
@@ -307,7 +307,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "ThreatIntelligenceIndicator\r\n| extend external_id = strcat(ExternalIndicatorId, \"-\", SourceSystem)\r\n// latest data of cofense indicator to avoid duplicates\r\n| join Report_links_data_CL on $left.external_id == $right.external_id_s\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\r\n| extend [\"Threat Indicator Link\"] = strcat(\"https://reltest6.phishmecloud.com/threat_indicators/\", indicator_id_s)\r\n| project-rename URL = Url, [\"Date [Local Time]\"] = updated_at_t, [\"Triage Indicator ID\"] = indicator_id_s, [\"Confidence Score\"] = ConfidenceScore, [\"Threat Type\"] = ThreatType, [\"Host Name\"] = DomainName, [\"File Hash Type\"] = FileHashType, [\"File Hash Value\"] = FileHashValue\r\n| project [\"Triage Indicator ID\"], [\"Threat Indicator Link\"], [\"Confidence Score\"], [\"Threat Type\"], Tags, [\"Host Name\"], URL, [\"File Hash Type\"], [\"File Hash Value\"], [\"Date [Local Time]\"]\r\n", + "query": "ThreatIntelIndicatorsv2\r\n| extend external_id = strcat(ExternalIndicatorId, \"-\", SourceSystem)\r\n// latest data of cofense indicator to avoid duplicates\r\n| join Report_links_data_CL on $left.external_id == $right.external_id_s\r\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\r\n| extend [\"Threat Indicator Link\"] = strcat(\"https://reltest6.phishmecloud.com/threat_indicators/\", indicator_id_s)\r\n| project-rename URL = Url, [\"Date [Local Time]\"] = updated_at_t, [\"Triage Indicator ID\"] = indicator_id_s, [\"Confidence Score\"] = ConfidenceScore, [\"Threat Type\"] = ThreatType, [\"Host Name\"] = DomainName, [\"File Hash Type\"] = FileHashType, [\"File Hash Value\"] = FileHashValue\r\n| project [\"Triage Indicator ID\"], [\"Threat Indicator Link\"], [\"Confidence Score\"], [\"Threat Type\"], Tags, [\"Host Name\"], URL, [\"File Hash Type\"], [\"File Hash Value\"], [\"Date [Local Time]\"]\r\n", "size": 0, 
"showAnalytics": true, "title": "Cofense Threat Indicators Data", From e19db2eb74874a831a5809be3ce4611db96fd291 Mon Sep 17 00:00:00 2001 From: maheshji001 Date: Fri, 20 Jun 2025 14:34:05 +0530 Subject: [PATCH 2/2] Solution Packaged --- Solutions/CofenseTriage/Package/3.0.0.zip | Bin 13061 -> 12908 bytes .../Package/createUiDefinition.json | 2 +- .../CofenseTriage/Package/mainTemplate.json | 2 +- 3 files changed, 2 insertions(+), 2 deletions(-) 
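Review bot: The new `+ "query"` line still builds `Threat Indicator Link` from the hard-coded host `https://reltest6.phishmecloud.com/threat_indicators/`, which by its name looks like a vendor test/release environment rather than a customer's Cofense Triage instance; since this query is being touched anyway, that host should be lifted into a workbook parameter (for example a `{TriageHost}` parameter substituted into the `strcat`) so links resolve to the tenant that actually owns `indicator_id_s`. This is also the only query in the file without the `| where SourceSystem startswith \"Cofense :\"` filter and instead relies on `join Report_links_data_CL` to scope rows; if that is deliberate, a comment saying so would help, otherwise adding the filter before the join keeps the tile consistent with the others and shrinks the join input.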
diff --git a/Solutions/CofenseTriage/Package/3.0.0.zip b/Solutions/CofenseTriage/Package/3.0.0.zip index b9a02a11dcc63286e6d83d8f1db6e3c9b2df72c3..8b664cb1f3c1040adce1b97f86f30f3a50f0f2ed 100644 GIT binary patch literal 12908 zcmZ|0Ly#{_@GLsEZQIrv+qP}nwr!uWZF}bY#ZmVH6-L04wnvfN|KEk4;+$!OJFg>dqi`NYYXnDS4a zej%G~ai*Cpu4*%@wB)Qjm3XC79hVH#-0I{)2z!F8cgs`XH$}gecOr>`@}jSR!Bi<; zLI6cb#36GJ@&sG(5EeQXND9da8CY$ntYH{4H5fyyk?_0p3L@2Y9HS6etOXkVS!SlTOwv!Q>~yynsqt%1j+6P@JfY@bJ{ORTrk9`#1c`YV>)vPGd7ni;2`w0FEgw4Ipqqe*nS7ZHfO2 z*pFVW&x6oj8AItTqH5V0#8$$7Il^&cHv-%jv!5?6C!FVV2Z2`cHX7A zlHxh;l_hP}Z|zSdx6b%@ImByaXr>)c%>&_~d*ulDr9UyIM# zm-5eDxmU!OFByk3cgk*ir|&3CPhl-_7B02af(32&5^$ZOhJ)edL|6=CX%ZT%p|Ea3 zLwc;Ms$fYaf_37i6XC#yS9#?Y>0&kHk0kP6X5dZanxEd?x6R^asXKs7?ole>?qnopxk;3?Hl=>&tJr&gLcCqSkhQZca2rB-jzfS^WB4&h@S+{b60`^P?!Ga*pwn#PU#%*9OX1 z?q2LLjOz+Z6y;{cSN^;$jo1j`kj18Q?N#~n03OsY)e~~~3-j=cP$6d|=|oY6EoCn$ zXNT*76oA)4m^LH9HVeBsQz3%T4SfzM^|H2lqs6{Yv`e_oo4~#EUV9V*^EYSaRYme+ z;~+O+_Jv>7#gx56tm6b8ZFt@cb;1VTDFIudMpQAp(TD?c3zLAY2-?@9SSrR2+k>7$ zYByT04hstV2RS}~ark%WNGwClVF!J2<#I!3MAwS-LzZRQ)Rg+}6y*ZCk1=!Z8G1a@ z<}t229p59f-DK7c4*z89XL~?riSTdy#7Ufq8AQ#p0!PMTce%n%KL0zU;{S)Mip5Us zUTJ`U_-TQGkpJTLxw4=!fE@qpD6L9#umM$>KCwQ}X2Gb$huj%1nbt3xBy0-VMKCuh1wLAX5?z25no7 zc{L-MEJ->@i(&482!((jRN}aPDGvZei<2PEAs522PI58DX| zQR599c68*KHv@^hL=AAkcGZdq&OCIC7Fq3!-@bAMsh_AMX?_?SPNLIDNRkyU#6XA! 
z9oFdK81Q*%0v|_-ioj3ShsxKD-$+TOIKw9~%A#ZQI&-aW!zB%p$SV1EWJH%j9485d z%481*wyX&X(+P9JNN}jCwD8|3)Nu_ma~6vJzJ)lhQxoQAzSFqKyxYu2(l}lXPrzrZ z$OL2To#0rkw<2xScdDI8n4k6dSy(DI2l+2=yc#s)*{N3 z-(|l%&V7nK2lwP#y!qYeXN^^)4qJ=8ou2K;K-Pz>5S1LHek2kPa;ac+EA7Y}Kq9X1 z!ik~`XW~2)oCyhtI8UR?4{sI0hH_eVDZE%NV!o$INw=d3$d^=WZ#CfI_1UG7&KD8x< zPC*Q>vNsaqVU=)aKsk1SS836rS^ojJvHlplsV~a9kx;n28Tvex9xm|g4Ljv{R}V;~ z8b@_-A>E&vks^Ax#QRrA&A_=aa^cYkNfq`k9;?TLm<8K%yRJQ$ek>}>nSC8+zmec_ zB2P*%oBU(ja_V=z1(zH5!nW5hmz5kLSACdK%Gds>uS_CfW9DWGnb6BEBdJsPM25Y; znJ882)<`q~!gihCWGGYIh`hz353 z4(^7ZR&ZF}e`a3+bAqhbsw}KF{M_l4^>9jp^`L~^US2Yh)?_j5ZKi;E)_h6=m5Ccu zAzr+|VcplTSxu$B-c}jx7pnz?Ci!mBtSkM`^VA%9$0{Wb2m9X>4dt6!$SjNLc}JC` zibTq6u^?}|e2^;Y0EJMQs(gY@Hm}a6-$eas9bG@;RUcYdhw~n|6a&7m{&e=sV~D;H zV8Or(V7{!3XJ2G14(D7KOptrLNEUB*7}%p>!th}e6Yb0yJHq~|N!FdME6!wF9v8m# zpxf5o=CLF^4^8Smy&k8g>XTTiUQ6VX?rOej8TVQ$oJz;qMCeUt8brAZK`nOoeyZUa z4qoXaCZVZ-PO3>8hj>0QBpFH<-FZEb&OO#jfWv%}vUTT~TUT7aoSGafk(D-Ns~ZKHHGrk0BC(@5Cg*xhmz$dXe5Jh_ zMp}6g9Z?Z?ia9P*L%ERXj?dz%m?nxuFamgej|6A9Bs(zwG0iGe|5})L z!v1hIR}ToAl+;)*MFoZxz;MFiejJb#CNKDar_cHx6CxxLfvY-y;nDdP@7~>G&YAE( z-1{!)XEEq^x~tjdTv%|xJED0z=lorAy(BYFDIp{~Rxy9v@Y!TPe9DlxYn!j;YP{gXS&j3_>L ztneL<7n6fY<38_z2Up3sZr8mF^bLv{7}s= zZ9oQ6eZ7zCW?lVzTt$s$ZRiS@)Hu}hy-BdC5 zN{O(XVlLhfqH!&^n6rwOWUnY2c zsE-=ffEbVD-_z&6{-pSkUhL79TsIUDLePcAA9*`Z6aIp`OtH6`xZiR(qVg2zxHkc8Y{0`~dX8EyxwE7x zUeF?(?pAAmqTcA^x^}i*FbEK#xqge=T)Nj$;@!R@>nG0py$XK$u6+x1d{*HdC*}$3 z#b@+rv~-v^frhRFzhCv3y1q~tLKo$WDi1jB403koA6tjDO^=rXxR=~*dg(liO@#vP z%|Cy7^FM7JJnBzha0yxHx|@4@$9w240=nD53!ZWZIlj7P-Pj#>o@TN{y zdm|24Q-!nt+*S>W9yLN`5{BHXcAbdPV4qSK$e*D1fi|W=a&jh%spAIIYVyjpZ{9`38$W*y@fVn2A0#g# z!*k(28H`k%xRLV282C8Jp3F>GB7t6+7D1Ndd2dbDMw9}Pv0*j=L}8V5W=b5XhHo7k z!!T06sD8X@615NRI?NBCaS6Yi-cC;-$Qo{XPo(w3CgOQ-WoIHpSE6 z2^))3YAy%*@G4Vl*v9#}jt?M{!}78lV@-XH5+NEZHQih$rUYVbFEZ$0b+Hj~A}7$& zPIGK40gj^w&YBB4k3er8v917=HepX?4UtZxWF^R)TcgMScFUIfk+4fk)RD9>Vt~b>R&%V}Je><{TvKMXGeH6%fV+zzXnJa!bfOAX6|AL>M;gC6M{N zb&ue_tO#*dS%8@RlnqBu{%l-s&RC!Us0Zw%RY%SdMBiVv&x}R(PUSkD!p{qV%qTQD 
za2rYEZBZ%_nHi7GliWDdy+KZ1e)A|Sut7Jc=a0`a#jZ<1YgFXKrYC@8Q76{JyV5@x z8^UHbB1abjge2hJ_K{q&?P6QX^U4c3r3uz02M%>T%z5|{BP<)Z7@Nv7ZlbSc8AuL{ z$etA@78V9sHN3!JUCscn+c;ZvjPsMOY{=X79E<`X3TD1tF_oETyBq}XgcRO+T+Vf| ztrmkR-H6F`S5KBa1YMIz zx_UPys-4$-I+^-70fi7YxOZP+L!s7C)WWvUJ2Flu5~DyD78xzHyX~@%^0Q4oI0o>f zvwS^}IP$Brer4prtvQ7?R`aBSEOrz?_8?Idtv{?1Y|;G_m~KCh-+f-uk0JKprWWju2vk0{a2d=4 zJ@m-5IjaH&@*8Uo#eL?Oscbzqw5aUbIFblz)GkoX2MPhnIMAXn?U7~F6tN3u5%QYu z#n@N2nT^1h#nBzop;9UPP^w&Ltkj4u#>iUu3|JRQF7UHeVp}&=QdDu1*mmn^73uVtHugPqT6+iP`0Z$fY6+eS;q#V4U$0H4-ned~|* zC1Y)WvabMv#Jyq8VJ9ugimp;tSZ-y!=7!BFL951wT=4hTU#t3^mEH=*f>Ce3_uaj9 z;u0v%oTHTd8SU$rZbkL#=u&Lo_l+7;iG<}BC$#x>V%xpWRJxrO10xeFu~F|S(Kba7 z*8cT!#o}6;F58q0p_-0wCO!ItX4f(Mex+ZK=AIbe92NfBcT+3=ptaF$tRuZ60UnE< zm@k|*CgON@hpjlyrlR6*C#kYJiBrr)Z}`RB+`9E+`>Q5LvKRZ@RJKKm&S=8CT6uXJ zEEtnQ9@B2~+U`bmDWorZS=E}m`K{r3&|Y!I-C&Mnd!~smbqc*<~FvpW3>Xh^~^pP=(tP)<@Sa$lmqa@#<>%9E@e+nJFwY zf3DUnXtfSmaGdLmym#kPbJcSJFhtcUW3FdE=CDT;HD@VN!!=rHER0h^Y*s#P)$zC6 zcK$@+(5B!?REUhBQ|37HjI}fo?mXR%;h9Lpd}odNd)|FhR{9-U%u4sVAl=Kx$jX8h zOU}F34@UIF39|_jDBfYGa1oR!t3A6h662*^fdBT@#khLRw7P>$wVd~KRUWA|+Y4|5 z_mKm}dmtom%*i>7VOak=95bS`9bt067?RBO62)@#QXrRWXOIA(b)Mq(?lMryD_hl3 zv!bastQL!XwWs)3pF=F8EgzVUNg`Ca0(d*%y?c8Lc0AG2b`YeZSE=6WstTwhEmwAG z2w}T?GUSPuD0FxnImKk(hsAHp!4WgSdh<3Q@@{~jrE-iKjW}g7L^6lT7$`47bzoKC zkQk>T$}d#Wr~lsS@*4{Bcj3By{=sQKM2A@WiGRzOwi)Li^21xi@0)6p=1jgSR6Xldy^MVVZg@ z@?9|P8-d_ChiMg41#yd`5~ibkDqQ-NSF@xg|b(%4h*V|$&}8H&MM=NZSt28l93qHayo{vzuAxdA_9D{0&6EOQ12CXR-*}|xil;$mvrK{INiGdp z{i9h8p~pJ4k!3Ish8b&bypNv#@8RVo7G6lipEJ%xRZE=j*Iw3%`|nZhdWy3RMAuEQ zIB8idMM*;oU(Coftsu1^Q+{o2t(mMYwhg1rc6!BM!@(C!J|urH7BW=e4rCJ?BxEW$ zWALe1qJJ=oLJp^aes~)bmbK}F^#^?l5QYv7MEFoPIilPGsCVvAZwz@d>>Woye2C#B z9@bb~`nQQw2%G!`!8!VKT(tFMD5#*55Kz2Om75mSXAk)6OYE&ytab^JHuxjaSeX34+f3w~x-q$y zzmntv$haLBeYCMes#k_>&UOu>dsJiS5-lSx*_Rt=uiaQMyM=S5e zty9%-fWbrP0|$$@uIss;<(Fd6j5`R^&%NE}V4`ok0BevRv_KVG|D>+yqw&zP6{hJI z<4xtvFnz(+;>%DeiiMGXsAGV=UFA(dIY9XM4Azw%(|%~Yyoo@^Og~0l8Pwih-*XCs 
z=YOfhfv}p<6b8p+ZV*oO$t&vq;}6R~-<@6#eBtyio|&(&?Ls)J3m^CWREgWx!tZWV zf~nD883eiV?W6FIaL8!LK*!wm-ETO5enqcoTqFefqc<9&C-S_DZtOjJ3|#=p@twbt zDWgxs0(szD?yu(yNuQ+W%STrB=LEjv^Tsso*k$PL_9=}cjo&cpgrOgTQb9y>czwnN zy~P+Omn268x*}wpi1_H!D)23+No!u13;#_wJ`GZ@U$=p6&<01(>p(nYsTu5JUg=v0 z`HZ<$*}HW$4MFMwjqqhjX?cZbS4?it00-Iwnb57K(OyLjNvL)S4{Ma0 zoyP<&@>1NJFd1%SO;JB`P?XFJF4RH^Pf7AS9l3&rn7s>HB@r!x8KfZPqhG*a_=RZR z_B#!*=i5*DG8uk|%(Fg(K9wg>NB(!)2>@33TazP6+Y$3?*3eUI zq4F{xL98mI5X2P35T>E%TY@hm33}G6W^6;LvE+ z@@{V4cW+6Go&x6~)3zw*iBP!9aSO>7m$| zI-SBMIVdwWPn!QHlgW%`&Fq9$fS2vc$G_7f`r~-)W-$9mXMg3-CZsgCcE;rqy{d~E zdS;o1EfO_)RG;d|xkah7=06o952Y+ZnA0a~8LN(3oKAOL!6>=0%9ncP-#qMKUv|JJ zmyj}69CQdiV1^ND7}p@-{tf^wq4C(6e{&6BXx)WGn8j*Y_MftU+uRKJAlJ$J$rwKV zWlV~1BvL7CQ&_7LG;7ZlUk(9U0#~$?&}67u$+ml=g;|Ztmz|{>e1IQFEjBn9jS-p+ z{a)-9c+o&I297v+s9r(|UXlorLY{O+=< zH6=-7VBKZReXKTbw0$+G*v7=XBE4d@5smf6BG718(gNR?L>{SKtUYPaVp~`pUGBJE z0dh5=;7Z0Lt@zgLBGE1GIG;Z!Q7P#k9OOV)$_r^F58{VKf6AOq=BbuRcjoW26u>BV zU2fbjSi6#!HEEWnd(tv>9yLcfd||H<*(qRMO9nIr`Bs1rzta2_hBU^}Q4^fD`fqLV zI++CQO%((Fpd#OCit441TrMEP8lQ$k=656opo4PZ-;_|>-*B_t<_4~-?J zY|tDL$BXv_nxm0J3>8d-^pX(iMsYJLj5NpL4w9af2&zJvwS#aPfmCrZW`!$)Fad_r zch%^*{I*}PmrR%bV6>e}<27Hv7&klfP_O+pN!ook6l<`0NW~kTJGMT^voSP!C&*^( znvNi8k~$o^#`ToJTM^4wxC_;{+Hxp-}Hv=VFb|fHqOe{LkX|8)~phiVAz))q7zlIJ>@mu z_bZWz*RJJsVALmQ(FU7^EdBH^OP*AwRwoDSfZ5yv_aT(`DR|P!IEVhT-KXxwYjr+_ zVxze=v5|Aam3G29x6elK8m(W0&!~~}l&xTlOHTQ4k!o5GS=czawF^r0gj-|Dfc4QH0?aVC4zpIvx=q&Y zv@f)x(Y)vg-14fz>{l#rs7m-&DhMKE*J7LvSdDyPCjs%BbSDJrg1vqoXyLm6uA`?p zmhnX!JB)$90HD*?0*%=3*o9m??~v#ETvZG(=B6Nyhrk)AuBMH4%_fn}Hm-cjX{Svh zI{^vZr-472WYVEt#E0nN=Ck?VtZ#WU?5;C|^dbXiP0)E+!HOpz2|w`cpsmw)A=B#B zZvOWVsZT_WsNqL&dQ`0=L@2462M^`Og}$CXYfmzMl1j@6_xu+gl01}Me>7nd#Ay%K;$d}*)#kbX5%MZ_H_Z&5hHQk=J5_DF z4!H>|)GkfOZ#cQl?CB$vAULM-RLW`BKD_AAzuA_H>=gZ2w(1{pT&q{x`DKwtl1UuF zcTe)FJYTs3g(KnV6({H>s>5Q?)nd3q`GWe4+)Wd>YPFY`XNlFOH(@0%jKfw3U30&Q zoIP*Ai=cnvKg4vY4P>_xBO2P&*kV%5KFQh1O>1-zr~E6Ik_25L{$(f=wJwLMOyauB 
zVenR#+wANz1YW*Tj~IB-RvWuQmD9KA0gJ|Posjsz@V>+o8allqbt&&0ZsWm^mN-e_ zTeYsn>g)3TvWe%j%dpR@r=z-SZUXS zZ=C$p&#E+43)=GAMOoD&&`+fdijG~0Vq-JiQXpdbO(cw7^e2XZ-x6gz>{;Wj{R5vGkX$6?UZ^iKQC8^IIp8;`RuLRHx0PM}SF9jH7N z?wfBR!cSXKCZ-x3&nkp%*&&bkMYIQ+X^Zdn0bDG<@wQ&|pJK1PG2rWW)fGq{2~5AA zGM#d`x)*zR0Yfx8clV)vQSiCd8_X4w-p0`u*1=jCbKn(iZcT;MCdr$u3SK%AiXih1 zPPZ+K3j7(lVS*U3YkhuRSk>RyfVNYAOBS9RT*$5%XmmrI^ zg+<0beTTBF{;xs-WDwRdVDEtv$*xCF`rHJ*hrF8E@h#WDPy;=w}>dJ#rZ z#wxC>$pg*2upHD!fKNgRFwa`EQ{qCJ_n%yskjCGVc~fSbUDFM#sM1++G7MX{yq9<7 zITdXc(DI}YH3Y&nQL>GD6_gyi02JDKTW8lbRTLHnyAwop$A|=UgZKF(UTp?n2)~te z3y#C#qvY%@T%!ukEqqH<3q~MlX~jZHf-^r*v&YQqwxsU-8Y4ZExkG4>i;*VND0`4l zq93?DD_j0RTB~lb;vu&DECLn-AqcLPZHLTF4-HM{OBdz`2QIBUQTn$9QB&+R9NrQu z9bdH)UX0hU8Pteg5=4*I;^=h)FmFC4tZb|q(D={ z0mR0j8A)7-$XXB4I~fnz4=2-hcuv zn_M?uoeLLS<>I4ana9iTA1YnB6J# zY0zqfk}cb)!+x<8Sn#@&)zN)51m0XmXJKO6Y8#LO9sMyXY!NhCadP(tv=Ep zgYi+k<)`^}Hei(QpH2eu%9u#0E3+(B?7vW{Ro>>3@NY9Yux8ykWUp4n6aNZmUFvqJ zNmG7F9$QL$arD{>%&9FC^m-K{bUf46Pm)!u=~rnZi_RpjRj-m;(F*&8a{Jq(TqsUgtoT)+UX6>L>2~zKAJVZ)KrjwVb@oyWj*TYsV1+e3 zm5BW}?ofM{XSA_dKI}+@&=<6(hp565$VYIhD3s>&qLfWyh066PZ3l-=l#;qBJk2?QaTRFg(z#|92AzS(>%9Cv+how8vmsS1n~xy%tJna%H_ntX z0Jnimmz1e+2=()KmbA(V>QWA)a;?`i^*gqc%%m6Za|h9E*m(B8Idm4t`bHsRHMms) zi%mZ+f%esT`crpND~Z&SKdeMfVSE38RdDBbB9K9S6(1hC!*ev&zEZzT(=9{@Cb_8h zLYqD5g8Rdfhs}U*&{W?2#E4W9&w%JagsuKQ3vYq-73#0cgJSLb>ZA;-@bU9Wc|&NC zkDQzhe1jl|0R)fYiQ!OT(d~hjh<9(W%82&E3*%X|kSHKFfLC1sJfO&XZt++RjT52Z zDt}a8IZQh~9vkx6>;t2PLPsR%*+xL7%q*%x_69*SB_WsN>>1+D2k42VoV5uxNkDO| z6z#voE&LIcSHMtlm^Ucwwf|m|lc|UXRkk$GokLQJ#7ctnT|r!F2c?a~3Ti^G`e%LI zv`5sYr=hLN$DYqZ*yd5an1#j|RS+0=Rrv5!7(UCt=h{!v>BVV~P#D3@vnl?xfc7e) zmY2bh$<9Jg0|*|JyHZ3&O_8E-iDCuG++wdOR>h30a*n9rzda4vEp?2lwcyCtAhhjv z=g>Rc&veMYiH@W5Lj1GnekU+NReLXJNMiLV z_mO-QJCxvr?N!r+a2x^gPN6|%mY*Ux32G~NGQizNg)^z5A=t1W?F=Z;bY(QbqB%Fh zO@x&DWeDr0c}gH2kGuPbSLuQCOfgfbqKiN%0T@vVN_k0n^7W9YQEl1*JhH5@72L^B zB#PX?ks&3vq7aU(2;yN$(|{jVgRKThyQU^+Mx(1+Vqx0g4?eXjxT`{CiDK!tGN(%K zao(%fzD9zIT{gDgNJxBVS&$-?mX1rY4QPoJYd{kXT9XTEhaFq3UP!ocGVYMXS{NmT 
zVyQXw7S9DGZ_56RZ1MvzsRYvXf?OpuRrWGlzJ0&U!F*WV-^I-J026IVlZ#EMymhFi zrB&U)O9@DIz~^lyZuw}jW?uXR^F{ph1JkktIiV2H!r|(c$Z2KmJ>ht)$pga(X@jhT zaL7QiX*^h_tmhURY}NCDRj;SE|2D=FBDH!N+zdjhv?A zG-*)QxO-Cs*|+*9M(Z^)Fs~PQ%&Ap9?4jcTr14z*AdaWhmN%eMFB~2=M(n z3-cJ&ePClC6VpFO+L-8`cI{KNjC8~}yYJGiS0!kkFU40sQ>2k<#_x%P)}8N*1OPr_ z0e&wR>{~V{qdrV!8wN~IQ`tuh)k*M>Mv)C;IC0ITrh!yrU$Sv0E%nK{>gVdSA8^bL zWQhMGx!V>#6RRo&ms(;^sh9l?%}&H(V??>^Ltp){EK$<{~d>G%rwA1zkLV*`z-- zsh;zu8s~YlGy2YD8@O>~8xhgzbok<;@+3aOdYS!IJ|dz!#VDv7YsG`9=GIVicd(%^ z1bBJ;10lTr2_c-@gAvW7;MHe!=Vaj?)xDc4}z`dx{&T2r^LA1d_j;b}S>FV=(s@69vzDg{{>wBmg8?-$+U7w}J*lTa4di9&B=4(FYrv;> z&F9whdh6N?tkFisO>`F}+~@dEodI;SzmVpw*Qv2NkN2|!PfPHe+7142z&on zWgw8MLP&4lQ?_MX;|~#|;%er(4d990{3DNPQA3U2#`cMw;{ylxd#7<;1AUww;sXcNFD~e()VQ#oX4$6Z z5ptBrz)gE4^P~WJ(HEHR@getwWNic1$eJ-wP2WrFI$iJOU1ZUWVeHMf z2{4S-Ppfv*bLtca-!}$fFuds(cIR#Y#qri_6kK0X)u(=S`#JQbKe(%7;#1$)ySlbx zV|&Zq_KLIli5Pp`8+@#5;#tq!vl^4j9{x%QKHPl+rvZ&{rV3ho97u*4RM!nkmkW%i z)+SsBaqRUAm9gr!*5pKh!`BWQAiX0oi z6PbzcySdz-q*9>7TWejUTuR5MDCD=a)#p(B0YUJvw`uRWgxCk4@bllFJ>xvLQ#a6i zda~0IS$D``*6W+*6_UWq=}i4OV0Qw z)Zm1^>xI9vvkY@0*>l)rFwuHb^we^v$7)3OAPmQ;lm3TL0i+iimcY6^cZW$-f}9Ld z=Z-m{VombVOIKvu05OiH?h};I#*&UKz|{<~)wE5$oGfvJ0Vr`DOZ{S1)maeE6jJFf zmv@=~n(`IV!m)vABMmB#&k%hzf7Z7v|D|H~C0P@W@VYCBfg|wUQJ8>R8pd0?g1D%7 zomhJ0j%%u*EIBI>V7aMi^dJo@Dp%6==(%E-h;u7uJmPySrT5OHUuX=j#o^&|KDeTN z8EXssZg-Sl>+h=n^;xUdBFNejouiC>fn^|{m>@OR$J>cmotMVnCpzbnNymtJU2>&0 z>zCen!s$-1VwjY5U;S`X{SryP-_tDyCxun58aROd39Y&;@0hnj8tVgyGfK0@P#QN1 zl{MZp$@T8%hTb<1o3CDQbNZqj@_0&L!NBr@gxZ&lSl-txawr$(C=H1z3c6T<@{YyGsAF5LQ{^8^Jq{vO;Nj42lsqb=kLyq2;p_(F|j7kY3GLbIrhE~OGl#XlHq`9q zF)W&KXM7dY3gpV}wH!@3%=t{SX@aw#)T=93#!8ZC-nT5^idxeq0mLnLC^HuQ;sSlX zzfTPu_L0{!Lx#Z_d=`~YtX1vW)-Jw3n=&7*lhR6>a$;wsS7(~?LQJASDHA-Wn07+8 zjnC@;$uEcu2nA7r!S2n)kBrcBty zFV2MFomT3_?<1UfRXle89&(!%K#zd?N;hZuEQfdpLvlvKtJZ@4XjkDNp^NIU(&bAX z=G{Z4>l~};ahN|(Osm~~CXA<55Zz_1L#S9XqdTxnRxVq>%7k~1k?o$=91r9S;G2+^ zKxQ9fW0^w84OU%G>amz9gI9CtX~t+qB&_A+cTfx@bb37$K|&R!pdhg068{y_)U-+A 
zl$J&VE>+yord3cZD@4;{A+1aqh)6k7i|wR%x)AiAqn_oyCxKZy8RjuUWKk8anaPT) z9DOKo>Z&PZW6eBf9mbaX9O28&>#Av6h?&?ipE32OWvl*1$;mba;WBRlT-PN7oP|0u zry{Ryh$=ApF5I%1g3nFSIj^B2Zvfs(CqTN$eTHVxvfV?9b-G26x6D>-M=X_iC9|1k#2=eb%@A;jUQOD@%4anu8C>c%`K5e+iJ?M!|6L zWOMGcD2t70{5;&8-0Ao}EPR}}#(lnJm)AVQ(EifS>hFqK>~rokOj2>G|@pmgcrP zfJ||+x!TH$z(ykPdJjc4xC{Qx_|hEnEoN;g^oRC(`poWBkEf+J?wr4E`L7agoGo8D z*H2mA?@SVxw+(2z?)*w|Pk7~MHYF0d)Q@TllZj$CMq>bZAS6GVm;mwYu; zkWMBINJ=P9e-lXCAphYHH=3m&P}qQ7_zo-v3#S#4_K%>0C}0s6DO&Lq7{BjKtW#nT z$t0#@iV#t^I;DVB?^;L3Qn$j4jNy64w?~D&>E6+-wsyy)4@ZNIwY^GgZPc9$oNJ-?jWQn+A^Bj0u&C~aL zunj##TUK(@@ae6?D04w`o<`BV{+9WyDo%e=dj|1BbVSZmF`U5#}YlZ4U8p|I|_b z-X?6EXfA*ysle*&9VSowD|%Zj|1NgH=jTsKQ=Lh0?Ic)&vU)D@lx6-RgLXz`9i%@c=8*& z=1#eYGCBDaDi^ghT>3Hwpk)zH{YPqc4W%qpfOAGJZkZ34FXhO}?U=jwwIT3nL-H~| zgK|Z3m8PX8xW93BA_mxQ6d?{2R#R8sp=P1ET=f5D5U&0r!_MY0u{loEJGo2_P(ChUv(qbcM!Xd%efzFGA?_3rM&Ak zu(}5d?u);_;h>1w>ML{f%8~m}=qBK4Fwl2BwdW-1cgzmD62^6gkKpG@Ot;{=|8%|a~YnpX>ibT^60P4d!^zQE~ zSFn%CKP!_gA;ZyG}QJ)8#2b`a+7%~Yq-N3b+bkKV{9yzSU=#%6DMH!qeQ#Y zs~X%KKNDPG(ROe3Nm2G4jkXaCl-GR=dB1{GOE4T~rcy`D?>_W7N%(~*R~@*xV%UR` zc6zg?`!BIRXRf<1VUQ8i`7upF^a0o;?Z+ooKvL8Md6+(HpCf*(eclxWc__f9Dtsn_ ziUbj0E>;{VRwqZgLC6+f9z+>_QWiLDGK)2*P*sy`y`uj7x%~X>-gKIq;WRx}Sy3~e zynAsUf*_ayt`9+SKh)M$wT36EDMR5hRChxNTWE+GO>!51$%9X4e>Aixb*=g#bXTxi zT8p7G0Lz1)7aoUp``HR33Sl^uQN5fX^E4GH%(fJ2h1Iw>0K)4#%OnOIl5=^VZGAMW zwQxatZeo{0P#Z)EFwfkAYy`oMnubkm&w-Y0o`ZX_^GXvQ`fWA2sl}^6qkEwdU=fnr zO~13wrsDLHcEi{aNI~}7yJu0xOwOD?-%b8U-!p{`Sv_O13KBngWz1zX8aEpV!^OU-EdrzwG6f~vo=^kb_- zR?mmeMZ#<;w~%;sLYM6@rCpbF_HH0N3Tgm5PI|QbeE_$vQ0sWD1Ll-O8yQ0RLyP8g zfqA3dR+xvbL3_{ytK2EZfbE@DD0QX^n$4B-ofu>Ye+eqV8Z4c1ta)PGQ3PP&-3j&6 z@(1SemIWo17)3+At8cs{X*ODm&(CiGW{T?pJ-2D61+`4aGRr79yCR?5VvRM@DEd8n zj0@wsrL=l0C!{|V=2GB-+Qn*wF_zut06TSZ0!%%%+8Z>X$Oyp3j33f*y@cHIWsjECLlh1uNt!l zX7$w9XdGVC2@HEE?zEj`lz=lQWcw+P7HO%`fSZQ{-`72 z+Sez`Mbt7X7vfNA?@)w}xZUPS5a&}OzBqiSK|y0@Kib91+Gq8IsM`D6duH&H=eoev zf3By^#;)zNvlC$x!Hu2HhSB3Lzs)y3+!hR@AX?|^zyrnaK+AXZP~!LY_p9y~k)f0j 
z+ppkccayYBG<@b(1p_RW!jaQ;>63&40xbs8R1i1kPugtpEeJwbDh5~He8Ld|9T0+( zlNWYw?ng6!p1cAY{aLs~(9e&?9^`NH8wQm2dncG@88mT>>gHorexu3zMbp<0o}aaE zCPt3+hQy-Z0KnptFcVRlA$S_vbN~pt?jOaub>WHe?QTfJDXcQvMQXVc)VBb*mO){e zKWN%Fo=1=XC%EmdeuC)s8OCZW-tTq$;h@S#0b}5y3qX6ON}`PBT=c0*$x?2nGg3GK zmNL?>(|vYl>jFXO7Qy@4dsC#!4$d9F^?Lg=>$U9& zZ1#>&1ZducH*Du4oa95}-F32tx(=|0vUZm+FRQx6)*I0QIBDwct2KtmM_^%?Q>@|8 zZy(&(eqmcYEaR5`g(ZnOrA>cd#aYZa_5=(?2@f~gX()I9Jhf!&c>Y0SJ_{RDnLx$o z47aqXzrKR??)z`P5#BkvKXp1DFC4961Df_8&RL^^9j&*jhtdge_4!8xNETA_Nd&xah@rVos-3qc){3$C61K|<5LXT z48Wvi)2?&MW9Z(rZQ6as{yK{odYeWPPOQ5Puz6plT}7mXcX~M zTN?^szFS#dIu@VxAI*K`9D^il4;}+J9Q1g?S&7`V;sV<*U;jM4B&whyN3s^~BIi0W z;vi$HZBAZeZBEA2%cRu4h?HdAgg6!xU%H{G2!l(p;+!ckBavESb^8ug`?-YL{bGid zpp77PwvGXoXkH@xq(+S5&1uJ!gl<9yJVdis#P&7@a^-owQa7M0q}vAO*VjJ&i36@e z50gp)l4E0CnZa`XlV8l3B^uS_1W`0|k+tWr7I^7_BRTLsvDgo#lFUE^QGj%efAh(5 z16A}A9 zdT69zNG&D;&8H^CtqI>{f(yzci7OY;parYTV6&J(%VjhBMeB#O81Wk}#ZO}E@`O9W z9TVeoAyfqX_*iw9ybZy4bxhPJ=IEIVbp=Kp3*CEms2@^|QZXb5C5q>+Q6qe5Od-L! zL|+Ld#|#KHW5fbblxGm z7|D%rIM~Y2U8e+A35R>{qrf~9(zy6p&nv3mJ!SpkgzF0xdVQ2G*V$&!i2fZ5xgymY zySNpU%rxUF!jr4b$;CVTgUr1rqoA!SyB%&mGrLzuS56}+%*fta(_Wumx953Mx7(p- zjDKnYxN;$V+mivHXc6Bc&GEL}GL(X4Yfw_*2qM_WTvB=da4PMO+rG`A_R=TI|Tm=y7X3O!o8SR61 z0-2~?nL&XsTD^u@fieF`LqsW-3UI7S8EvfqbxJ}{K4KvRcX>R_rZ85QEhj00)ikno z%)4hwvc=V$#TfkVFozd}R8nVOfK|4+BcHW&m{p|isJp!O=N~rFVJLWN0uw3yRf;+Q zZQ3Q0a>F1G1!0o7dE!EyW$;rE8Pzr_mE32uCWo+SV-XWiI8k+dbC4CYuI5vdY;!LrB&g2H1hs2RoVH91mgA{gYe5HpMRTRT zEd-Ui`ugH^a(Yg^U&a=>7bKA)z}Bmr5xunq_3Bj^abs{!Ic6Gp_k8;obYIMeCNJS> zt@!DCG3BaF@{|P+hTM1hTsL2#?$~hb@B$(mwyf;_zz+fiW0?vyg(>~Z#hL`8(J=#a z37N6;<2Xnzda?IUErSU5V8to83b%pMa8?AO6|zirmw0q%RcQxTt z$XHRIvyhR71?&WVy_>l_&!DgmwSLdZWB6f9vu9m)jdnY*Q_-l9t*2G|36OuyuQED5 zSFiv8#Kz^zNFl`1LWD4QxvS-B^-}M74b#!LsI5J6s_nTF)sYM5v2P9bsSe}3?^)=& z=?FY=z<@X0hV*D;2gM(1e0HM(t^=(>i2uTgtTzp(h-~L>mEUDYXrW)fU^3OX)mT+= zKI+4J2T`BftF$kWUpZM?7To_STn?<%L`K~<87U#0(68kn&?OG1f3ld)?2%s*zxede 
zxEegJ@k1_NNqizHtWlvudY3=2=2E&-uA4Xo_>pFRPLb)N(&g~lfDUskURq(AZ?~-#C{4^XceD68ha}zFSy#XOJ3s8Ad zs=0PEIU0QS60xATI_@Y%azoigtnXN~K}VQg697VIP($eV^ro?{aCGksbF z#Pr^-FHdIFs4NNOAoCtxZaRs`p_M3^K0gUX9#EF&!<|=De!dS(E`pg#U7P!dfhHC} z-hC&|2@kT{TA4Q$aUT>29@6i8+Bk{g+^XLvcVrMlJLP2i#GR7aiqAUnC|bK#>7^)! z$RDU8!<9AMROvHDzZrjX@N`=kMDf%Pb?2H>`V(Yrli-d?JoQ62zl7HrnWso}iUSFj zgI?T%*xfVYp5kWDsO`$Ty4F*%R_oLQTQn`Fwa>V#Rrm7A;%bysxjkKVYpfU8nyU5Q z!IvF`?#Z?FSNt;!PVu=#0005G!}Q@)^m%_wS6z8Z&seu!-J-;5p0EU`;)CM3)CDUe zhj#!qP6B*^^YLSOJM%)W#^Ch4gi!P~JD;dutAMCE?s6ul1O%=+C0!LA49g@jEVWsz z({eIENtsUNapIYGp2Bw!uEx)>SSfk2i7;9s;d_BADMqTw=Qi@pGJXgB@gCmm1=asLu#3>73X&*?KLCQA7|j|GKlP z@(J%?v@f+OI{VL!JQqa3dx7$*%RKFKoM)YuZcS%beSYL8om$U2JGoiqs`Zclr%=6q zZm6kV!^2$v?wUHD=Dp`P$JC>M;yEQ3kPyYWzW-~x3B5PgU{Fvyq={O}NaaI})$znZ zTgh|f`m+QJ8ge;po>Jfinz~QHwVa>=IxOy|O%~bW4b!v^# zDNRaEqKR9U{5JcL@bOnmXDEdK!-W>OhoNLS>?$?7{<6QcHv_X?tarZ88En6R%0dGe zsG4RvXe%>CAI2Z*!LAIiZ8#yBO^rT{mp47A$mzz&DTCPC>30z~=l z2Kd*`#=4}5I+YYpV6*P$&GI(-?|#tOX93le=O`GA9@&a#oDGv1&-1aE#)WV-Y%~`zMU9I^M8qb*eS))MqDC(?ngmK42vH*Oq0Z zI*{JKBcnn9QBzqw0;}Gm>PSZUN-2}l2i8ZMCj%R)z%6{Gkmv@;^Rmjls9UK zf4*;vf06snhwg5 zETjP;BP7cW*$GBG<-K9;HCgP0kt9p!3_QENeVwIKr;B4cNm`78o<#P5mZIF75ndTG zlBG-tv(38eezGnGVe_JE!*>1NLr>J!VCDWjYX)N8oQ&Ufzc*V7jXKx2b!CD%H96(Q z_l{awj9jAk+P=#*3H76Zqf2BB`ib?F)vIEIVx~$d4f+SfjtAd+wom#zLmW4}FXLxp ze|tkJIMA9n*o?;}%HgI`{=);@gRvLQ&RSq$AncW|!M=o1UU7Gq)86%!+5nuStIL>%Ngh%xGsMx&; zwv+2kA9`2a&FQSsa<3vr9_yI(lV?gb%rcw>*@tAEM+F0f(@QowWj|f55#PK)4}#&d zBpMx^Cy?@Ct8B&iGCyLGEWq(um>Gfx0mK{N!0V72W{uY{(;LaY�!YUzz1+opnhu z$;64N9g$140_G+8fvY1!OM=#P5m8(r+Q>KhqWM;Bi^fc36Z-jYV+9M-a!W?7%xxLh z<9|fX4$^f8PQ8AT2Ksred;CmPOB|WYpwuE`pc5Zs4fnmIdyuK7HBbLKvi@15!btTF z#M@LsThogGZb5J*(2CnC8Bt=Bf9H?AX!tjc3(J}2s@Oot&@jaioTz^+Zd0`A8Jls~ z>7x)I$_BmC%5hz(Mg!MOFaFThjQ)84i=4tCwBo!;Gr63eS6@dq*elJQCjzR8kzO04 zoFH74Ks_eadO&3rrXPx^v;S4v}}K|iIA*p1zZ1b$83loTUaOh0JQR-Lk- z6gK(v8f)UW+{gm+!;<0a7(;7!fp7b_$y;~F(2TX1MC_H0 zgA0I5QvS_}O{lrn)gE@1KaN~s@6l*EOaW%CgY1XR){KV`sIuJLVMcZQ7`>vWB&~su 
zCvN=E5-~!G=Fw_eb^z*S*6Ry*9+5;6t_;YjCduz_xU+dG`xrVg73Q;qBYbn} zI{3a@J#>q0OkUjO{{9Q5g`RQ6iSPqobu3_>GU>y}yQco2%3Dw&5#8YaH(=z8Z^^)A z)gES?J4Qz1`o6}C5vv2n*waJ=r(c1ug9zRe8V4uFtt(L>!6XEdE!SL;>O_!CP>uSt zd&F3;`X90C*H5ceD{&VO0k;K2v;i?4g!9Zn(&mz>lx1ZlQ3W&>S2&ea6{5UncF|hK zmZ-gX(iQL7I><@9HUI3k>xF0Ibl78uEEfPq4(!)}M536nUd0<^+;Xk|(U z39F?GN(I~Se=pCvV4DeVc^vF~E-nwFg1+ZOcSQW`N!mCcys%?_+L|E4TY8L@Bqm;I zd@-L1|@9jCg5 z&2!%p*T=!<18XgrGf;@!ugD3v&-+Cv6UJhEG8B)g)aj@PCw4vIxWRQK;j$04Pw*kr z#qjsYVkVd5%Q=D4=tO+NhIyXL`()PCy_Es-AA1=rQh^CG5X6^GK;AVDCd2wL1)Gme zRZD}T%h#9S6J0ito_cwS>5n8I?lS7|KOhklkW4oSk?coH~WI5~&q@qEos@?;eJtH&o)`3l$zB)|tk*NBYEgb|48Fob6 zxUUXw4WP{tTV*oZmfXG!T)-vVI`3IHei@Tu*Z?6W+|bdkUu-oGmBT|o#O)Mrr^cBa zKSjZ{%B*(Bbg0t69=;%@mA7P8LlxOix**R^g1CkuNt*2fe7OhOsYS$cB-|3%olI_D zJNvAIPNPGrZo8*f2mcSfG0m|%fR_upUfsdo7>zETc&0se2aJcS9KBNwbIvTMZ+Wt~ zYgRkXx%P8Qn5qdy@xh{(@}~SnE`yM9NEFM)9;^C08E_xo*qZQWZ~Z|kg$j8NicE(^ zO2#Z*o8C}Zp*Zf7FPeyrW7FRzK;4jEUwIe5TNufb|2bJhYO;yKX!(96D8o4BUm#G%NClL}{;NrL|Jun-5tf1qd0MNUF<0bG}pgz4p@;pzDb0 zle_^!*hrP4Z!9e!ppR3?d8$Rk+f~j=0-N72LZ@HrbvM;@3hU@BJa9nDZL>Ggr8h~F z8|m}Pw9;ll3M(Qd75&JqML<`_12Gt-LG*2pUA=_#DN4R%l@gp~q^$CL{g?w<#ziqr z1RGj^k2IJ^Jl(~}hBfcKqArOD>)(Njqc#aeD_F^>zLrD-O%1chD-t$|8zhyHl8KXm z;+8O)T^B{(95`suN1x{FhGNL}V?jmsy8S^_I>^dajk$>FY&MYILEVi#Z&U1yWr0+| z7xVt223;jT=JPCZus6S<9(55uhSR5$t(@T4mQ1DUv#@ndI_#7!lG4&YLx$tpBm1kR z&lMrI7B7|Cc*~iS`?ONMqEruJ+Ek&X+Ap+3Zg@JsK=5?iv3I96S~cF%CudH0vf1Z3 z#sb%sjH)Qh?kjD1<3eKA`JP~vss#x;iC2IQjCI;rDHh0cu&c*!!+Qqq0zm(PQVdg{ z(c}RAld>AGh7)6xSBV?l*@9H-`%8$G;3kYP*23BYVjow(tj^=%roi`Cs>hoqm<9WT zV)T#LzOrr78c7A3;Xnp3wZNkFy_t^&svd*z2CJf(BGr24omHev{(S=~rYx}Y))07a z!xK@>T93=eTiI2zbio?W2#nEU$k}aOfW$;@i3DC-n01Z0I z?~7@~k^9yH!XJBtE{X2W!#5o*z@pB1dwKtwLuqCG@v6+$>2Y(Z$A_J{@c=Ui$nf?b z9H-eB3e50|upng?dJrw=dDRNcmGN{IvnQ);VuuBnp7#62)dY%c@``Qt8sd5vpz~51 zg875s@l($g*Uj9;DdQ?W*s`^jj`|NkYz5CNtKkM>34|#)B6UKC?or!1voh0COjlH@ zeIvlDQUr*^i2a&5)RMz1jDzKoQvv%97mM@y=-mq@@3P};Xu9Dp7tYffp8T44v~dbO zJW6o!Y9b`rkNp=hBx;!?@N0}|zSS7mDH`*(j~tDlM?WRGM6G&UU_#hn%3EVqgeDcn 
zRqYKzuC6JbQCPM%v(8>O>r3J;#;>gWu}O2_TqVm*F_zN;#0AuOR;nt#r!C_1H?E1F ztV&16vnAXbx5a>Q|3pvi1^#FHEQKaa)>Hc3vPHVCiQ;zBZR+V~fDh#b5;CHIKGX(^ zGujnfg+>F;WS4+q++5{r%vO}bdA{5}9wF2LrVjFXC5a!?V0+kKI-jU6Wv;*hoQ&mI zMOJ$^*la~A8t*8JGX84k%A$f=D+!Ng0v}Y`y7U+%PTbJ{epiHW6;Cw58$km|<=`g> zO62&K2UAqLim=>G4uN3Y;`HiZLnTKlR63;^kgyJt1DmccWKbAUZ4}`B^)RHM@^sM5 zN{_|V?K}OKOZ{1lrn2wZ$}&QZjQye8K2u;-PC%DzW|b>E_q7i=YIUHq{H!~HM+VT1 z@w=3dfFg?NW8%)e&aVEoS)2-Y&ra>;ig*x>)2~n0b=Msg^z$Dh%{$rF@RBW;`oReXkaB8Wi^nVbfJSg!u&SBm69VTKc)r{>40Y8{c2Zy_za zJn;w9^i^RpEsq4I77reX z!=-(=oRub!a@N4pM)rjIf_h^t;h??yCIiST6!$8?+f$w_wV}q5fz2WtfG}UeuM&$t z8mp39gn6Jy<@;&|y?bT-IbevUf>o~g=qGdGVKh^y@{;5- zYN}eL>))6>7bV|xAa8BULz860a7$N)CaUoll{2M47H-4u2$^z}$Xs8p$u-0sZBUM< z;L03#G3S;BM(VGm8PS?$cNOtqWmnr^Ka|E8vP3JKxaUqcScZBIr?59LOsChZX&D)(x_lCs(qAqnvET->g9`)VlN41Xs=0EMly6S_7YHU&^Vc~cQt6Ne^n&~H z0uMmZE$-Z&yqXiLtCq_KSqH`dBv1^&9|8Oa<>L#39Jj3O^8gQ}yMayz>pCCEa9Q#q)98~Q| z@ezfW#35ccKddOZ5Xj}B|8t9odWsk-D@-zq%+5L2rg-MjRm-6|Ilbug$ohK{>GvF@ zs3?PZGAq^+}R$phQ`Xl{$keEpIo4hEO z?Xc^&1$9*pnpeZkU9#{|I`3`u(QO_o^s~;)ZqDGi8z=;>nGep0a_$*!K3Iia=6#+q z25zn6PxtDpijLP)^U2SQHdMv%J+@-g{j*Gv!Gr&X%qlGGl`)ygE^v2ft&$D;0c~5| zHe?OQ-3V?lKRu9QZ6gz?@uKRFG(1&!r?%XZwT!6lOIueAgq*6OJmp9>Oq*f-)6vC{ zf9?xB9U}U(5Fm|}*vqwNPQx|ZqesY+BUX!V8TE?=W2b^a?BU7@jybvMdFU(3K?j*YU)L`)qMj`ga^*4}IV<6XtP`kxU=Ma^G8 z&6$LdMRk}@b^0bR^Khr)GV#E1BE;7*7!DbQ}+mmYxuyH zJH?c*#Xy&Hdt@il&53+SXFJTkS9ASX&Y#up%e@YFT+?rFE}n*tEBEJXC+C#+pUO$^ zS@N*=2@n6AuQ1^^)96>ir+83EN&B);MpuEk97Rre0L* zA6&EgUR1Zn!Tr{g;AOgSHS*OGZTeKXeA>YlR{F@t_JF_@%& zIz1_uXbq%gsKk$r*JZZbOPlS}+S%F~yWR3qUn}(`xaIoZs*PuuHh^@3dCL4gM#+_Zw%?jfag8AOAP2+MvElwfZaE zz02CC(e#szrSBM(Ry+Bro}RKzQg+wkY%MrT)OB67ot}0NQ8p%7>XY=JU#<7dO(So% z%~O?BetOlqJg1IYI6nW2`Hejebrc^VrRSQJpPq`$U6?iR$&H==4gZ6U9T>|QGq~IT zI0lz=_W)jK412|>+1GOqt15;+Q$-VRf76Iy{RGc z#QR-U?hXZ>_Gu7uf~!#om*PD3bd@J3eex;ns#Z>l6lRSdsu1M-p7#D46x_gY;6xD6 z1@e73+_F|=a1O}(Y@DWJWC1_iwz6w?IG%BCH;8GG=*1qDX9+33&Kc!fkw+A*m(j#8 zqxAn*Njsh;0k0{PwY8Q~Q4x&FT`w7e|6}h@S`Utx3dI28S5`vr0;G#>=*^i?G2)Kl 
zrDcGQv9jppzldph5c8QPp`Z@S`I6~pV`V6W#8h?Gm6lcH4kXXFPoX=aNABxNXad>- zR^@PId`5D2uGA@PD^XJepUOfB~zpw7(1oxNiA`2Yv-;RTo zZR;0xHI)aw)BIZMb>AyhtLADj%cX8#LgUvcG{p+-`KWllKF_oqUxI4qR!+rIHd=J; z(p~k-N8T0unT}ARYI5e^o?2v&#NrqGd5)b!aC#OE4n{A`It|AA@A#vjRxyU^^44i~ zZEZJZoVn66Y&IF`L7thC)JLTVawKk{+1Ml@XEG6U@Mo#R0FSRI`gB-#U#ay-UTv97 zk%3WF=Sq*aRoj>=;Ese08Bl_5Kc{rLUZ(r3wUr7bFOkrE7PC3I^=w*x1bW8~5VL3- zTC5b0nBU+347 now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\\r\\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \\\"IP\\\",\\r\\n iff(isnotempty(Url), \\\"URL\\\",\\r\\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \\\"Email\\\",\\r\\n iff(isnotempty(FileHashValue), \\\"File\\\",\\r\\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \\\"Domain\\\",\\r\\n \\\"Other\\\")))))\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by IndicatorType\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=unstacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Number of Active Cofense Indicators by Indicator Type\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select Cofense indicators from the table\\r\\n| where SourceSystem startswith \\\"Cofense :\\\"\\r\\n// latest data of cofense indicator to avoid 
duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by SourceSystem\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=unstacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Number of Active Cofense Indicators by Indicator Source\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select Cofense indicators from the table\\r\\n| where SourceSystem startswith \\\"Cofense :\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by tostring(ConfidenceScore)\\r\\n| order by CountOfIndicators desc \\r\\n| render piechart\",\"size\":3,\"showAnalytics\":true,\"title\":\"Number of Active Cofense Indicators by Confidence 
Score\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let DomainQuery=view() { \\r\\nThreatIntelligenceIndicator\\r\\n| where SourceSystem startswith \\\"Cofense :\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(DomainName)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by DomainName\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"DomainEntry\\\"\\r\\n};\\r\\nlet UrlQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| where SourceSystem startswith \\\"Cofense :\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(Url)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by Url\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"UrlEntry\\\"\\r\\n};\\r\\nlet FileHashQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| where SourceSystem startswith \\\"Cofense :\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(FileHashValue)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by FileHashValue\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"FileHashEntry\\\"\\r\\n};\\r\\nlet 
IPQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| where SourceSystem startswith \\\"Cofense :\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(NetworkIP) or isnotempty(NetworkSourceIP)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by NetworkIP, NetworkSourceIP\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"IPEntry\\\"\\r\\n};\\r\\nlet EmailAddressQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| where SourceSystem startswith \\\"Cofense :\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(EmailSenderAddress)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSenderAddress\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"EmailAddressEntry\\\"\\r\\n};\\r\\nlet EmailMessageQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| where SourceSystem startswith \\\"Cofense :\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(EmailSubject)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSubject\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"EmailMessageEntry\\\"\\r\\n};\\r\\nlet SingleSourceIndicators=view(){\\r\\n DomainQuery\\r\\n | union UrlQuery\\r\\n | union FileHashQuery\\r\\n | union IPQuery\\r\\n | union EmailAddressQuery\\r\\n | union EmailMessageQuery\\r\\n | where 
array_length(todynamic(SourceSystemArray))==1\\r\\n | summarize sum(count_) by SourceSystemArray\\r\\n | extend counter=1 \\r\\n};\\r\\nlet MultipleSourceIndicators=view(){\\r\\n DomainQuery\\r\\n | union UrlQuery\\r\\n | union FileHashQuery\\r\\n | union IPQuery\\r\\n | union EmailAddressQuery\\r\\n | union EmailMessageQuery\\r\\n | where array_length(todynamic(SourceSystemArray))!=1\\r\\n | summarize sum(count_) by SourceSystemArray\\r\\n | extend counter=1\\r\\n};\\r\\nlet CountOfActiveIndicatorsBySource=view(){\\r\\n ThreatIntelligenceIndicator\\r\\n | where SourceSystem startswith \\\"Cofense :\\\"\\r\\n // latest data of cofense indicator to avoid duplicates\\r\\n | summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\\r\\n\\t| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n | where ExpirationDateTime > now() and Active == true\\r\\n | summarize count() by SourceSystem\\r\\n | project SourceSystem, count_\\r\\n};\\r\\nSingleSourceIndicators\\r\\n| join kind=fullouter MultipleSourceIndicators on counter \\r\\n| where SourceSystemArray contains todynamic(SourceSystemArray)[0] \\r\\n| order by SourceSystemArray\\r\\n| extend solitary_count=sum_count_\\r\\n| summarize shared_count = sum(sum_count_1) by SourceSystemArray, solitary_count\\r\\n| extend total_count = shared_count + solitary_count\\r\\n| extend unique_percentage = round(toreal(solitary_count)/toreal(total_count)*100, 1)\\r\\n| extend IndicatorSource = tostring(todynamic(SourceSystemArray)[0])\\r\\n| join kind=inner CountOfActiveIndicatorsBySource on $left.IndicatorSource == $right.SourceSystem\\r\\n| order by unique_percentage desc\\r\\n| project Source=IndicatorSource, UniquenessPercentage=unique_percentage, ActiveIndicators = count_\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Uniqueness of Cofense Threat Intelligence 
Sources\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Source\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"View\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ActiveIndicators\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_thresholds_Source_0\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"$gen_thresholds_Source_0\",\"sortOrder\":1}]},\"customWidth\":\"50\",\"name\":\"query - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| extend external_id = strcat(ExternalIndicatorId, \\\"-\\\", SourceSystem)\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| join Report_links_data_CL on $left.external_id == $right.external_id_s\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\\r\\n| extend [\\\"Threat Indicator Link\\\"] = strcat(\\\"https://reltest6.phishmecloud.com/threat_indicators/\\\", indicator_id_s)\\r\\n| project-rename URL = Url, [\\\"Date [Local Time]\\\"] = updated_at_t, [\\\"Triage Indicator ID\\\"] = indicator_id_s, [\\\"Confidence Score\\\"] = ConfidenceScore, [\\\"Threat Type\\\"] = ThreatType, [\\\"Host Name\\\"] = DomainName, [\\\"File Hash Type\\\"] = FileHashType, [\\\"File Hash Value\\\"] = FileHashValue\\r\\n| project [\\\"Triage Indicator ID\\\"], [\\\"Threat Indicator Link\\\"], [\\\"Confidence Score\\\"], [\\\"Threat Type\\\"], Tags, [\\\"Host Name\\\"], URL, [\\\"File Hash Type\\\"], [\\\"File Hash Value\\\"], [\\\"Date [Local Time]\\\"]\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Cofense Threat Indicators 
Data\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Threat Indicator Link\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\"}}],\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"Triage Indicator ID\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Triage Indicator ID\",\"sortOrder\":1}]},\"name\":\"query - 6\"},{\"type\":1,\"content\":{\"json\":\"_If more than one workspace is selected, then the latest updated indicators will be in the above Cofense Threat Indicators Data Grid View._\",\"style\":\"info\"},\"name\":\"text - 7\"}]},\"name\":\"Indicators Ingestion\"}],\"fromTemplateId\":\"sentinel-CofenseTriageThreatIndicators\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"value::selected\"],\"parameters\":[{\"id\":\"a4b4e975-fa7c-46a3-b669-850aacc88134\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"🔎 Guide\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\"}\\r\\n]\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"DefaultSubscription_Internal\",\"type\":1,\"isRequired\":true,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| take 1\\r\\n| project 
subscriptionId\",\"crossComponentResources\":[\"value::selected\"],\"isHiddenWhenLocked\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"id\":\"314d02bf-4691-43fa-af59-d67073c8b8fa\"},{\"id\":\"e6ded9a1-a83c-4762-938d-5bf8ff3d3d38\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"summarize by subscriptionId\\r\\n| project value = strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, false)\",\"crossComponentResources\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"/subscriptions/ec3e5f16-67b5-40aa-9289-23311c95451c\"]},{\"id\":\"e3225ed0-6210-40a1-b2d0-66e42ffa71d6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"resources\\r\\n| where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| order by name asc\\r\\n| summarize Selected = makelist(id, 10), All = makelist(id, 1000)\\r\\n| mvexpand All limit 100\\r\\n| project value = tostring(All), label = tostring(All), selected = iff(Selected contains All, true, 
false)\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]},{\"id\":\"15b2c181-7397-43c1-900a-28e175ae8a6f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":604800000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":604800000}],\"allowCustom\":true},\"timeContextFromParameter\":\"TimeRange\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"name\":\"Parameter Selectors\"},{\"type\":1,\"content\":{\"json\":\"# [Cofense Triage Threat Indicators](https://cofense.com/product-services/cofense-triage/)\\n---\\n\\nCofense Triage is a phishing analysis and investigation platform. Cofense Triage ingests employee-reported suspicious emails and automatically analyzes emails to identify phishing threats. Cofense Triage’s API allows security teams to bidirectionally exchange threat indicators and ingest Cofense Triage threat indicators into Microsoft Sentinel. 
In addition, Microsoft Sentinel can write threat indicators into Cofense Triage.\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Workbook Overview\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelIndicatorsv2\\r\\n// Select cofense indicators from the table\\r\\n| where SourceSystem startswith \\\"Cofense :\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\\r\\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\\r\\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \\\"IP\\\",\\r\\n iff(isnotempty(Url), \\\"URL\\\",\\r\\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \\\"Email\\\",\\r\\n iff(isnotempty(FileHashValue), \\\"File\\\",\\r\\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \\\"Domain\\\",\\r\\n \\\"Other\\\")))))\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by IndicatorType, bin(TimeGenerated, 1h),SourceSystem\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=stacked \",\"size\":0,\"showAnalytics\":true,\"title\":\"Number of Cofense Indicators Imported into Sentinel by Indicator Type and Date\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"SourceSystem\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"SourceSystem\",\"sortOrder\":1}]},\"customWidth\":\"50\",\"name\":\"query - 
1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelIndicatorsv2\\r\\n// Select Cofense indicators from the table\\r\\n| where SourceSystem startswith \\\"Cofense :\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by SourceSystem, bin(TimeGenerated, 1h)\\r\\n| render barchart kind=stacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Number of Cofense Indicators Imported into Sentinel by Indicator Provider and Date\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelIndicatorsv2\\r\\n// Select Cofense indicators from the table\\r\\n| where SourceSystem startswith \\\"Cofense :\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\\r\\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \\\"IP\\\",\\r\\n iff(isnotempty(Url), \\\"URL\\\",\\r\\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \\\"Email\\\",\\r\\n 
iff(isnotempty(FileHashValue), \\\"File\\\",\\r\\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \\\"Domain\\\",\\r\\n \\\"Other\\\")))))\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by IndicatorType\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=unstacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Number of Active Cofense Indicators by Indicator Type\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelIndicatorsv2\\r\\n// Select Cofense indicators from the table\\r\\n| where SourceSystem startswith \\\"Cofense :\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by SourceSystem\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=unstacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Number of Active Cofense Indicators by Indicator Source\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 
7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelIndicatorsv2\\r\\n// Select Cofense indicators from the table\\r\\n| where SourceSystem startswith \\\"Cofense :\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by tostring(ConfidenceScore)\\r\\n| order by CountOfIndicators desc \\r\\n| render piechart\",\"size\":3,\"showAnalytics\":true,\"title\":\"Number of Active Cofense Indicators by Confidence Score\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let DomainQuery=view() { \\r\\nThreatIntelIndicatorsv2\\r\\n| where SourceSystem startswith \\\"Cofense :\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(DomainName)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by DomainName\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"DomainEntry\\\"\\r\\n};\\r\\nlet UrlQuery=view(){\\r\\nThreatIntelIndicatorsv2\\r\\n| where SourceSystem startswith \\\"Cofense :\\\"\\r\\n// latest data of cofense indicator to avoid 
duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(Url)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by Url\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"UrlEntry\\\"\\r\\n};\\r\\nlet FileHashQuery=view(){\\r\\nThreatIntelIndicatorsv2\\r\\n| where SourceSystem startswith \\\"Cofense :\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(FileHashValue)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by FileHashValue\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"FileHashEntry\\\"\\r\\n};\\r\\nlet IPQuery=view(){\\r\\nThreatIntelIndicatorsv2\\r\\n| where SourceSystem startswith \\\"Cofense :\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(NetworkIP) or isnotempty(NetworkSourceIP)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by NetworkIP, NetworkSourceIP\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"IPEntry\\\"\\r\\n};\\r\\nlet EmailAddressQuery=view(){\\r\\nThreatIntelIndicatorsv2\\r\\n| where SourceSystem startswith \\\"Cofense :\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(EmailSenderAddress)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSenderAddress\\r\\n| summarize count() 
by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"EmailAddressEntry\\\"\\r\\n};\\r\\nlet EmailMessageQuery=view(){\\r\\nThreatIntelIndicatorsv2\\r\\n| where SourceSystem startswith \\\"Cofense :\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(EmailSubject)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSubject\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"EmailMessageEntry\\\"\\r\\n};\\r\\nlet SingleSourceIndicators=view(){\\r\\n DomainQuery\\r\\n | union UrlQuery\\r\\n | union FileHashQuery\\r\\n | union IPQuery\\r\\n | union EmailAddressQuery\\r\\n | union EmailMessageQuery\\r\\n | where array_length(todynamic(SourceSystemArray))==1\\r\\n | summarize sum(count_) by SourceSystemArray\\r\\n | extend counter=1 \\r\\n};\\r\\nlet MultipleSourceIndicators=view(){\\r\\n DomainQuery\\r\\n | union UrlQuery\\r\\n | union FileHashQuery\\r\\n | union IPQuery\\r\\n | union EmailAddressQuery\\r\\n | union EmailMessageQuery\\r\\n | where array_length(todynamic(SourceSystemArray))!=1\\r\\n | summarize sum(count_) by SourceSystemArray\\r\\n | extend counter=1\\r\\n};\\r\\nlet CountOfActiveIndicatorsBySource=view(){\\r\\n ThreatIntelIndicatorsv2\\r\\n | where SourceSystem startswith \\\"Cofense :\\\"\\r\\n // latest data of cofense indicator to avoid duplicates\\r\\n | summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\\r\\n\\t| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n | where ExpirationDateTime > now() and Active == true\\r\\n | summarize count() by SourceSystem\\r\\n | project SourceSystem, count_\\r\\n};\\r\\nSingleSourceIndicators\\r\\n| join kind=fullouter MultipleSourceIndicators on counter \\r\\n| where SourceSystemArray contains 
todynamic(SourceSystemArray)[0] \\r\\n| order by SourceSystemArray\\r\\n| extend solitary_count=sum_count_\\r\\n| summarize shared_count = sum(sum_count_1) by SourceSystemArray, solitary_count\\r\\n| extend total_count = shared_count + solitary_count\\r\\n| extend unique_percentage = round(toreal(solitary_count)/toreal(total_count)*100, 1)\\r\\n| extend IndicatorSource = tostring(todynamic(SourceSystemArray)[0])\\r\\n| join kind=inner CountOfActiveIndicatorsBySource on $left.IndicatorSource == $right.SourceSystem\\r\\n| order by unique_percentage desc\\r\\n| project Source=IndicatorSource, UniquenessPercentage=unique_percentage, ActiveIndicators = count_\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Uniqueness of Cofense Threat Intelligence Sources\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Source\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"View\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ActiveIndicators\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_thresholds_Source_0\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"$gen_thresholds_Source_0\",\"sortOrder\":1}]},\"customWidth\":\"50\",\"name\":\"query - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelIndicatorsv2\\r\\n| extend external_id = strcat(ExternalIndicatorId, \\\"-\\\", SourceSystem)\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| join Report_links_data_CL on $left.external_id == $right.external_id_s\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId, SourceSystem\\r\\n| extend [\\\"Threat Indicator Link\\\"] = 
strcat(\\\"https://reltest6.phishmecloud.com/threat_indicators/\\\", indicator_id_s)\\r\\n| project-rename URL = Url, [\\\"Date [Local Time]\\\"] = updated_at_t, [\\\"Triage Indicator ID\\\"] = indicator_id_s, [\\\"Confidence Score\\\"] = ConfidenceScore, [\\\"Threat Type\\\"] = ThreatType, [\\\"Host Name\\\"] = DomainName, [\\\"File Hash Type\\\"] = FileHashType, [\\\"File Hash Value\\\"] = FileHashValue\\r\\n| project [\\\"Triage Indicator ID\\\"], [\\\"Threat Indicator Link\\\"], [\\\"Confidence Score\\\"], [\\\"Threat Type\\\"], Tags, [\\\"Host Name\\\"], URL, [\\\"File Hash Type\\\"], [\\\"File Hash Value\\\"], [\\\"Date [Local Time]\\\"]\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Cofense Threat Indicators Data\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Threat Indicator Link\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\"}}],\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"Triage Indicator ID\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Triage Indicator ID\",\"sortOrder\":1}]},\"name\":\"query - 6\"},{\"type\":1,\"content\":{\"json\":\"_If more than one workspace is selected, then the latest updated indicators will be in the above Cofense Threat Indicators Data Grid View._\",\"style\":\"info\"},\"name\":\"text - 7\"}]},\"name\":\"Indicators Ingestion\"}],\"fromTemplateId\":\"sentinel-CofenseTriageThreatIndicators\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel"