
Commit 2b09372

Merge pull request #14012 from Azure/hunngu/ASIMPaloAltoGlobalProtect
[ASIM Parser] Add Palo Alto PanOS GlobalProtect parser for Authentication log
2 parents 9786890 + 20d77ef commit 2b09372

17 files changed

Lines changed: 745 additions & 19 deletions

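--- a/.script/tests/KqlvalidationsTests/Kqlvalidations.Tests.csproj
+++ b/.script/tests/KqlvalidationsTests/Kqlvalidations.Tests.csproj
@@ -5,7 +5,7 @@
 </PropertyGroup>
 
 <ItemGroup>
-<PackageReference Include="Microsoft.Azure.Sentinel.KustoServices" Version="6.6.0" />
+<PackageReference Include="Microsoft.Azure.Sentinel.KustoServices" Version="6.7.0" />
 <PackageReference Include="Microsoft.IdentityModel.Tokens" Version="7.1.2" />
 <PackageReference Include="Microsoft.NET.Test.Sdk" Version="16.11.0" />
 <PackageReference Include="Newtonsoft.Json.Schema" Version="3.0.14" />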

Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json

Lines changed: 1 addition & 1 deletion
@@ -27,7 +27,7 @@
2727
"displayName": "Authentication ASIM parser",
2828
"category": "ASIM",
2929
"FunctionAlias": "ASimAuthentication",
30-
"query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimAuthenticationDisabled=toscalar('ExcludeASimAuthentication' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuthenticationEmpty, \n ASimAuthenticationAADManagedIdentitySignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADNonInteractiveUserSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADServicePrincipalSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAWSCloudTrail (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAWSCloudTrail' in (DisabledParsers) )),\n ASimAuthenticationBarracudaWAF (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationBarracudaWAF' in (DisabledParsers) )),\n ASimAuthenticationCiscoASA (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoASA' in (DisabledParsers) )), \n ASimAuthenticationCiscoIOS (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoIOS' in (DisabledParsers) )),\n ASimAuthenticationCiscoISE (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoISE' in (DisabledParsers) )),\n ASimAuthenticationCiscoMeraki (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoMeraki' in (DisabledParsers) )),\n ASimAuthenticationCiscoMerakiSyslog (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoMerakiSyslog' in (DisabledParsers) )),\n ASimAuthenticationFortinetFortigate (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationFortigate' in (DisabledParsers) )),\n ASimAuthenticationM365Defender (ASimAuthenticationDisabled 
or ('ExcludeASimAuthenticationM365Defender' in (DisabledParsers) )),\n ASimAuthenticationMD4IoT (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMD4IoT' in (DisabledParsers) )),\n ASimAuthenticationMicrosoftWindowsEvent (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) )),\n ASimAuthenticationOktaSSO (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaSSO' in (DisabledParsers) )),\n ASimAuthenticationOktaV2(ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaV2' in (DisabledParsers) )),\n ASimAuthenticationOktaSystemLogs(ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaSystemLogs' in (DisabledParsers) )),\n ASimAuthenticationPostgreSQL (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPostgreSQL' in (DisabledParsers) )),\n ASimAuthenticationSigninLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSigninLogs' in (DisabledParsers) )),\n ASimAuthenticationSshd (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSshd' in (DisabledParsers) )),\n ASimAuthenticationSu (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSu' in (DisabledParsers) )),\n ASimAuthenticationSudo (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSudo' in (DisabledParsers) )),\n ASimAuthenticationSalesforceSC (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSalesforceSC' in (DisabledParsers) )),\n ASimAuthenticationVectraXDRAudit (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVectraXDRAudit' in (DisabledParsers) )),\n ASimAuthenticationSentinelOne (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSentinelOne' in (DisabledParsers) )),\n ASimAuthenticationGoogleWorkspace (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationGoogleWorkspace' in (DisabledParsers) )),\n ASimAuthenticationPaloAltoCortexDataLake (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPaloAltoCortexDataLake' in (DisabledParsers) )),\n 
ASimAuthenticationVMwareCarbonBlackCloud (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVMwareCarbonBlackCloud' in (DisabledParsers) )),\n ASimAuthenticationVMwareVCenter (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVMwareVCenter' in (DisabledParsers) ), pack=pack),\n ASimAuthenticationCrowdStrikeFalconHost (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCrowdStrikeFalcon' in (DisabledParsers) )),\n ASimAuthenticationIllumioSaaSCore (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationIllumioSaaS' in (DisabledParsers) )),\n ASimAuthenticationNative (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationNative' in (DisabledParsers) )),\n ASimAuthenticationPaloAltoPanOS (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPaloAltoPanOS' in (DisabledParsers) ), pack=pack)\n",
30+
"query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimAuthenticationDisabled=toscalar('ExcludeASimAuthentication' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuthenticationEmpty, \n ASimAuthenticationAADManagedIdentitySignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADNonInteractiveUserSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADServicePrincipalSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAWSCloudTrail (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAWSCloudTrail' in (DisabledParsers) )),\n ASimAuthenticationBarracudaWAF (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationBarracudaWAF' in (DisabledParsers) )),\n ASimAuthenticationCiscoASA (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoASA' in (DisabledParsers) )), \n ASimAuthenticationCiscoIOS (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoIOS' in (DisabledParsers) )),\n ASimAuthenticationCiscoISE (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoISE' in (DisabledParsers) )),\n ASimAuthenticationCiscoMeraki (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoMeraki' in (DisabledParsers) )),\n ASimAuthenticationCiscoMerakiSyslog (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoMerakiSyslog' in (DisabledParsers) )),\n ASimAuthenticationFortinetFortigate (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationFortigate' in (DisabledParsers) )),\n ASimAuthenticationM365Defender (ASimAuthenticationDisabled 
or ('ExcludeASimAuthenticationM365Defender' in (DisabledParsers) )),\n ASimAuthenticationMD4IoT (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMD4IoT' in (DisabledParsers) )),\n ASimAuthenticationMicrosoftWindowsEvent (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) )),\n ASimAuthenticationOktaSSO (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaSSO' in (DisabledParsers) )),\n ASimAuthenticationOktaV2(ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaV2' in (DisabledParsers) )),\n ASimAuthenticationOktaSystemLogs(ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaSystemLogs' in (DisabledParsers) )),\n ASimAuthenticationPostgreSQL (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPostgreSQL' in (DisabledParsers) )),\n ASimAuthenticationSigninLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSigninLogs' in (DisabledParsers) )),\n ASimAuthenticationSshd (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSshd' in (DisabledParsers) )),\n ASimAuthenticationSu (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSu' in (DisabledParsers) )),\n ASimAuthenticationSudo (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSudo' in (DisabledParsers) )),\n ASimAuthenticationSalesforceSC (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSalesforceSC' in (DisabledParsers) )),\n ASimAuthenticationVectraXDRAudit (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVectraXDRAudit' in (DisabledParsers) )),\n ASimAuthenticationSentinelOne (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSentinelOne' in (DisabledParsers) )),\n ASimAuthenticationGoogleWorkspace (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationGoogleWorkspace' in (DisabledParsers) )),\n ASimAuthenticationPaloAltoCortexDataLake (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPaloAltoCortexDataLake' in (DisabledParsers) )),\n 
ASimAuthenticationVMwareCarbonBlackCloud (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVMwareCarbonBlackCloud' in (DisabledParsers) )),\n ASimAuthenticationVMwareVCenter (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVMwareVCenter' in (DisabledParsers) ), pack=pack),\n ASimAuthenticationCrowdStrikeFalconHost (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCrowdStrikeFalcon' in (DisabledParsers) )),\n ASimAuthenticationIllumioSaaSCore (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationIllumioSaaS' in (DisabledParsers) )),\n ASimAuthenticationNative (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationNative' in (DisabledParsers) )),\n ASimAuthenticationPaloAltoPanOS (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPaloAltoPanOS' in (DisabledParsers) ), pack=pack),\n ASimAuthenticationPaloAltoGlobalProtect (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPaloAltoGlobalProtect' in (DisabledParsers) ), pack=pack)\n",
3131
"version": 1,
3232
"functionParameters": "pack:bool=False"
3333
}
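Review bot: The new union member `ASimAuthenticationPaloAltoGlobalProtect` is built from the same CommonSecurityLog rows (DeviceVendor "Palo Alto Networks", DeviceProduct "PAN-OS") that the existing `ASimAuthenticationPaloAltoPanOS` member presumably also consumes, so unless the PAN-OS parser excludes `DeviceEventClassID == "GLOBALPROTECT"` every GlobalProtect logon will appear twice in `ASimAuthentication`; that parser is not on this page, so confirm its filter before merging. Duplicate rows matter here because analytics rules that count failed logons per user or per source IP will double-count. If the PAN-OS parser does not already exclude that class, adding `and DeviceEventClassID != "GLOBALPROTECT"` to its where clause keeps the two members disjoint.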
Lines changed: 36 additions & 0 deletions
@@ -0,0 +1,36 @@
1+
{
2+
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
3+
"contentVersion": "1.0.0.0",
4+
"parameters": {
5+
"Workspace": {
6+
"type": "string",
7+
"metadata": {
8+
"description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
9+
}
10+
},
11+
"WorkspaceRegion": {
12+
"type": "string",
13+
"defaultValue": "[resourceGroup().location]",
14+
"metadata": {
15+
"description": "The region of the selected workspace. The default value will use the Region selection above."
16+
}
17+
}
18+
},
19+
"resources": [
20+
{
21+
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
22+
"apiVersion": "2020-08-01",
23+
"name": "[concat(parameters('Workspace'), '/ASimAuthenticationPaloAltoGlobalProtect')]",
24+
"location": "[parameters('WorkspaceRegion')]",
25+
"properties": {
26+
"etag": "*",
27+
"displayName": "Authentication ASIM parser for Palo Alto PAN-OS GlobalProtect",
28+
"category": "ASIM",
29+
"FunctionAlias": "ASimAuthenticationPaloAltoGlobalProtect",
30+
"query": "let EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n[\n \"0\", \"Low\",\n \"1\", \"Low\",\n \"2\", \"Low\",\n \"3\", \"Low\",\n \"4\", \"Low\",\n \"5\", \"Low\",\n \"6\", \"Medium\",\n \"7\", \"Medium\",\n \"8\", \"Medium\",\n \"9\", \"High\",\n \"10\", \"High\",\n \"Informational\", \"Informational\"\n];\nlet parser = (disabled: bool=false, pack: bool=false) {\n CommonSecurityLog\n | where not(disabled)\n and DeviceVendor == \"Palo Alto Networks\"\n and DeviceProduct == \"PAN-OS\"\n and DeviceEventClassID == \"GLOBALPROTECT\"\n | where AdditionalExtensions has_any (\"gateway-login\", \"gateway-logout\", \"gateway-auth\", \"portal-auth\", \"portal-prelogin\", \"gateway-connected\")\n | parse-kv AdditionalExtensions as (\n PanOSEventID: string,\n PanOSStage: string,\n PanOSLogTimeStamp: string,\n PanOSAuthMethod: string,\n PanOSTunnelType: string,\n PanOSSourceUserName: string,\n PanOSSourceRegion: string,\n PanOSEndpointDeviceName: string,\n PanOSPublicIPv4: string,\n PanOSPublicIPv6: string,\n PanOSPrivateIPv4: string,\n PanOSPrivateIPv6: string,\n PanOSHostID: string,\n PanOSGlobalProtectClientVersion: string,\n PanOSEndpointOSType: string,\n PanOSEndpointOSVersion: string,\n PanOSEventStatus: string,\n PanOSGPGatewayLocation: string,\n PanOSPortal: string,\n PanOSLoginDuration: string,\n PanOSConnectionError: string,\n PanOSDescription: string,\n PanOSDeviceSN: string,\n PanOSVirtualSystem: string\n ) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | extend EventType = case(\n PanOSEventID =~ \"gateway-login\", \"Logon\",\n PanOSEventID =~ \"gateway-logout\", \"Logoff\",\n PanOSEventID =~ \"gateway-auth\", \"Logon\",\n PanOSEventID =~ \"portal-auth\", \"Logon\",\n PanOSEventID =~ \"portal-prelogin\", \"Logon\",\n PanOSEventID =~ \"gateway-connected\", \"Logon\",\n \"\"\n )\n | where isnotempty(EventType)\n | extend LogonMethod = case(\n PanOSAuthMethod =~ \"LDAP\", \"Username & Password\",\n PanOSAuthMethod =~ 
\"RADIUS\", \"Username & Password\",\n PanOSAuthMethod =~ \"SAML\", \"Other\",\n PanOSAuthMethod =~ \"certificate\", \"PKI\",\n PanOSAuthMethod =~ \"local-database\", \"Username & Password\",\n PanOSAuthMethod =~ \"Kerberos\", \"Username & Password\",\n PanOSAuthMethod =~ \"TACACS+\", \"Username & Password\",\n PanOSAuthMethod =~ \"Cookie\", \"Other\",\n \"\"\n )\n | invoke _ASIM_ResolveDvcFQDN('DeviceName')\n | invoke _ASIM_ResolveSrcFQDN('PanOSEndpointDeviceName')\n | lookup EventSeverityLookup on LogSeverity\n | extend EventSeverity = iif(isempty(EventSeverity), \"Informational\", EventSeverity)\n | extend\n EventResult = case(\n PanOSEventStatus =~ \"success\", \"Success\",\n PanOSEventStatus =~ \"failure\", \"Failure\",\n isnotempty(PanOSConnectionError), \"Failure\",\n \"Success\"\n ),\n EventResultDetails = case(\n PanOSConnectionError has \"auth\", \"No such user or password\",\n PanOSConnectionError has \"expired\", \"Session expired\",\n PanOSConnectionError has \"timeout\", \"Session expired\",\n PanOSConnectionError has \"cert\", \"Incorrect key\",\n PanOSConnectionError has \"policy\", \"Logon violates policy\",\n PanOSConnectionError has \"locked\", \"User locked\",\n PanOSConnectionError has \"disabled\", \"User disabled\",\n isnotempty(PanOSConnectionError), \"Other\",\n \"\"\n ),\n TargetUsername = coalesce(SourceUserName, PanOSSourceUserName),\n SrcIpAddr = coalesce(SourceIP, PanOSPublicIPv4, PanOSPublicIPv6),\n EventStartTime = coalesce(todatetime(PanOSLogTimeStamp), TimeGenerated),\n EventMessage = Message,\n SrcDvcOs = coalesce(PanOSEndpointOSVersion, PanOSEndpointOSType),\n TargetAppName = coalesce(PanOSPortal, \"GlobalProtect\"),\n TargetAppType = \"Service\",\n AdditionalFields = iff(\n pack,\n bag_pack(\n \"PanOSPortal\", PanOSPortal,\n \"PanOSGPGatewayLocation\", PanOSGPGatewayLocation,\n \"PanOSTunnelType\", PanOSTunnelType,\n \"PanOSGlobalProtectClientVersion\", PanOSGlobalProtectClientVersion,\n \"PanOSLoginDuration\", 
PanOSLoginDuration,\n \"PanOSHostID\", PanOSHostID,\n \"PanOSSourceRegion\", PanOSSourceRegion,\n \"PanOSVirtualSystem\", PanOSVirtualSystem,\n \"PanOSDescription\", PanOSDescription,\n \"PanOSPublicIPv4\", PanOSPublicIPv4,\n \"PanOSPublicIPv6\", PanOSPublicIPv6,\n \"PanOSPrivateIPv4\", PanOSPrivateIPv4,\n \"PanOSPrivateIPv6\", PanOSPrivateIPv6,\n \"PanOSDeviceSN\", PanOSDeviceSN,\n \"PanOSStage\", PanOSStage\n ),\n dynamic([])\n )\n | project-rename\n DvcIpAddr = Computer,\n DvcId = DeviceExternalID,\n EventOriginalSeverity = LogSeverity,\n EventOriginalType = DeviceEventClassID,\n EventOriginalUid = ExtID,\n EventProductVersion = DeviceVersion,\n EventOriginalSubType = PanOSEventID,\n EventOriginalResultDetails = PanOSConnectionError,\n LogonProtocol = PanOSTunnelType,\n TargetIpAddr = DestinationIP,\n EventUid = _ResourceId\n | extend\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n EventEndTime = EventStartTime,\n Dst = TargetIpAddr,\n Src = coalesce(SrcFQDN, SrcHostname, SrcIpAddr),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n User = TargetUsername,\n IpAddr = SrcIpAddr,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n Application = TargetAppName,\n DvcAction = iff(EventResult == \"Success\", \"Allowed\", \"Blocked\"),\n TargetHostname = DvcHostname,\n TargetDomain = DvcDomain,\n TargetDomainType = DvcDomainType,\n EventSubType = \"Remote\",\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.4\",\n EventProduct = \"PAN-OS\",\n EventVendor = \"Palo Alto\",\n Type = \"CommonSecurityLog\",\n EventCount = int(1)\n | project\n TimeGenerated,\n EventType,\n EventResult,\n EventResultDetails,\n EventOriginalResultDetails,\n EventMessage,\n EventStartTime,\n EventEndTime,\n EventCount,\n EventSeverity,\n EventOriginalSeverity,\n EventOriginalType,\n EventOriginalSubType,\n EventOriginalUid,\n EventSubType,\n EventProduct,\n EventProductVersion,\n 
EventVendor,\n EventSchema,\n EventSchemaVersion,\n EventUid,\n Dvc,\n DvcIpAddr,\n DvcId,\n DvcIdType,\n DvcHostname,\n DvcDomain,\n DvcFQDN,\n DvcDomainType,\n TargetUsername,\n TargetUsernameType,\n TargetUserType,\n User,\n TargetAppName,\n TargetAppType,\n TargetIpAddr,\n Dst,\n SrcIpAddr,\n SrcHostname,\n SrcDomain,\n SrcFQDN,\n SrcDomainType,\n SrcDvcOs,\n Src,\n IpAddr,\n LogonMethod,\n LogonProtocol,\n Application,\n DvcAction,\n TargetHostname,\n TargetDomain,\n TargetDomainType,\n AdditionalFields,\n Type\n};\nparser(disabled=disabled, pack=pack)\n",
31+
"version": 1,
32+
"functionParameters": "disabled:bool=False,pack:bool=False"
33+
}
34+
}
35+
]
36+
}
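Review bot: `EventUid = _ResourceId` in the project-rename block gives every row from this parser the same value, because `_ResourceId` identifies the resource the record was ingested from rather than the record itself, so any dedup or correlation step keyed on EventUid will collapse the whole feed; it should read `EventUid = _ItemId`, the per-record identifier the CommonSecurityLog table carries. The `EventResult` case() falls back to `"Success"` when `PanOSEventStatus` is empty and no `PanOSConnectionError` was parsed, and `DvcAction` then becomes `"Allowed"`, which turns an unparsed or unknown status into a successful remote logon; a neutral fallback such as `"NA"` keeps unknowns out of success/failure counts. The `EventResultDetails` mapping relies on `has "auth"`, `has "cert"` and similar, and `has` matches whole terms only, so an error string such as "authentication failed" or "certificate invalid" would not hit those branches and would fall through to `"Other"`; the actual GlobalProtect error strings are not visible here, so verify against sample records or switch to `contains`. A header comment at the top of the query, e.g. `// Maps PAN-OS GlobalProtect CEF records (DeviceEventClassID GLOBALPROTECT) to the ASIM Authentication schema; portal-prelogin and gateway-connected are deliberately reported as Logon`, would also document that choice, since those two stages appear to be connection phases rather than authentication outcomes and a reader may otherwise take the mapping for a mistake.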
