From 164be07105054be8e733ce2b9c0601a55a5d7edb Mon Sep 17 00:00:00 2001
From: erjosito
Date: Thu, 11 Jan 2024 07:53:24 +0000
Subject: [PATCH] [create-pull-request] automated change
---
 checklists/checklist.en.master.json | 2838 +++++++++--------
 checklists/sap_checklist.en.json | 297 +-
 checklists/sap_checklist.es.json | 365 ++-
 checklists/sap_checklist.ja.json | 363 ++-
 checklists/sap_checklist.ko.json | 361 ++-
 checklists/sap_checklist.pt.json | 377 ++-
 checklists/sap_checklist.zh-Hant.json | 375 ++-
 .../macrofree/checklist.en.master.xlsx | Bin 312155 -> 316496 bytes
 spreadsheet/macrofree/sap_checklist.en.xlsx | Bin 34608 -> 37715 bytes
 spreadsheet/macrofree/sap_checklist.es.xlsx | Bin 35644 -> 38957 bytes
 spreadsheet/macrofree/sap_checklist.ja.xlsx | Bin 38395 -> 43105 bytes
 spreadsheet/macrofree/sap_checklist.ko.xlsx | Bin 37335 -> 41405 bytes
 spreadsheet/macrofree/sap_checklist.pt.xlsx | Bin 35701 -> 39137 bytes
 .../macrofree/sap_checklist.zh-Hant.xlsx | Bin 36771 -> 40497 bytes
 .../alz_checklist.en_network_counters.json | 488 +--
 ...hecklist.en_network_counters_template.json | 2 +-
 .../alz_checklist.en_network_tabcounters.json | 1382 ++++----
 ...klist.en_network_tabcounters_template.json | 2 +-
 .../alz_checklist.en_network_workbook.json | 496 +--
 ...hecklist.en_network_workbook_template.json | 2 +-
 ...en_network_counters_workbook_template.json | 162 +-
 ...k_counters_workbook_template_template.json | 2 +-
 ...hecklist.en_network_workbook_template.json | 146 +-
 ...en_network_workbook_template_template.json | 2 +-
 24 files changed, 4356 insertions(+), 3304 deletions(-)
diff --git a/checklists/checklist.en.master.json b/checklists/checklist.en.master.json
index c0e134dfc..a23643531 100644
--- a/checklists/checklist.en.master.json
+++ b/checklists/checklist.en.master.json
@@ -164,9 +164,9 @@
 "service": "ACR",
 "services": [
 "ACR",
- "EventHubs",
 "PrivateLink",
- "Entra"
+ "Entra",
+ "EventHubs"
 ],
 "severity": "High",
 "subcategory": "Identity and Access Control",
@@ -183,8 +183,8 @@
 "service": "ACR",
 "services": [
 "ACR",
- "Entra",
- "AzurePolicy"
+ "AzurePolicy",
+ "Entra"
 ],
 "severity": "Medium",
 "subcategory": "Identity and Access Control",
@@ -200,9 +200,9 @@
 "link": "https://learn.microsoft.com/azure/container-registry/monitor-service",
 "service": "ACR",
 "services": [
- "Monitor",
 "ACR",
- "Entra"
+ "Entra",
+ "Monitor"
 ],
 "severity": "Medium",
 "subcategory": "Logging and Monitoring",
@@ -219,9 +219,9 @@
 "service": "ACR",
 "services": [
 "ACR",
- "Firewall",
 "PrivateLink",
- "VNet"
+ "VNet",
+ "Firewall"
 ],
 "severity": "Medium",
 "subcategory": "Network Security",
@@ -318,8 +318,8 @@
 "link": "https://learn.microsoft.com/azure/azure-vmware/set-up-backup-server-for-azure-vmware-solution",
 "services": [
 "Storage",
- "AVS",
- "Backup"
+ "Backup",
+ "AVS"
 ],
 "severity": "Medium",
 "subcategory": "Backup",
@@ -334,8 +334,8 @@
 "id": "A02.01",
 "link": "https://docs.microsoft.com/azure/azure-vmware/set-up-backup-server-for-azure-vmware-solution",
 "services": [
- "AVS",
- "Backup"
+ "Backup",
+ "AVS"
 ],
 "severity": "Medium",
 "subcategory": "Business Continuity",
@@ -351,8 +351,8 @@
 "link": "Best practice to deploy backup in the same region as your AVS deployment",
 "services": [
 "ASR",
- "AVS",
- "Backup"
+ "Backup",
+ "AVS"
 ],
 "severity": "Medium",
 "subcategory": "Business Continuity",
@@ -477,8 +477,8 @@
 "id": "A03.06",
 "link": "This depends if you have multiple AVS Private Clouds. If so and they are in the same region then use AVS Interconnect. If they are in separate regions then use ExpressRoute Global Reach.",
 "services": [
- "ExpressRoute",
 "ASR",
+ "ExpressRoute",
 "AVS",
 "NVA"
 ],
@@ -495,8 +495,8 @@
 "id": "B01.01",
 "link": "https://learn.microsoft.com/azure/azure-vmware/tutorial-expressroute-global-reach-private-cloud",
 "services": [
- "VWAN",
- "AVS"
+ "AVS",
+ "VWAN"
 ],
 "severity": "Medium",
 "subcategory": "Direct (no vWAN, no H&S)",
@@ -575,8 +575,8 @@
 "id": "B03.01",
 "link": "https://learn.microsoft.com/azure/virtual-network/quick-create-portal",
 "services": [
- "VNet",
- "AVS"
+ "AVS",
+ "VNet"
 ],
 "severity": "Medium",
 "subcategory": "Hub & Spoke",
@@ -591,10 +591,10 @@
 "id": "B03.02",
 "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings",
 "services": [
- "ExpressRoute",
 "VPN",
- "VNet",
- "AVS"
+ "ExpressRoute",
+ "AVS",
+ "VNet"
 ],
 "severity": "Medium",
 "subcategory": "Hub & Spoke",
@@ -609,10 +609,10 @@
 "id": "B03.03",
 "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings",
 "services": [
- "ExpressRoute",
- "VPN",
 "VNet",
- "AVS"
+ "ExpressRoute",
+ "AVS",
+ "VPN"
 ],
 "severity": "Medium",
 "subcategory": "Hub & Spoke",
@@ -627,10 +627,10 @@
 "id": "B03.04",
 "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings",
 "services": [
- "ExpressRoute",
 "VPN",
- "VNet",
- "AVS"
+ "ExpressRoute",
+ "AVS",
+ "VNet"
 ],
 "severity": "Medium",
 "subcategory": "Hub & Spoke",
@@ -645,8 +645,8 @@
 "id": "B04.01",
 "link": "https://learn.microsoft.com/azure/azure-vmware/enable-public-internet-access",
 "services": [
- "NVA",
- "AVS"
+ "AVS",
+ "NVA"
 ],
 "severity": "Medium",
 "subcategory": "Internet",
@@ -678,8 +678,8 @@
 "link": "https://learn.microsoft.com/azure/bastion/tutorial-create-host-portal",
 "services": [
 "Bastion",
- "VNet",
- "AVS"
+ "AVS",
+ "VNet"
 ],
 "severity": "Medium",
 "subcategory": "Jumpbox & Bastion",
@@ -711,8 +711,8 @@
 "id": "B06.01",
 "link": "https://learn.microsoft.com/azure/azure-vmware/configure-site-to-site-vpn-gateway",
 "services": [
- "VPN",
- "AVS"
+ "AVS",
+ "VPN"
 ],
 "severity": "Medium",
 "subcategory": "VPN",
@@ -727,8 +727,8 @@
 "id": "B06.02",
 "link": "https://www.omnicalculator.com/other/data-transfer#:~:text=To%20calculate%20the%20data%20transfer%20speed%3A%201%20Download,measured%20time%20to%20find%20the%20data%20transfer%20speed.",
 "services": [
- "VPN",
- "AVS"
+ "AVS",
+ "VPN"
 ],
 "severity": "Medium",
 "subcategory": "VPN",
@@ -743,8 +743,8 @@
 "id": "B06.03",
 "link": "https://learn.microsoft.com/azure/architecture/solution-ideas/articles/azure-vmware-solution-foundation-networking",
 "services": [
- "VPN",
- "AVS"
+ "AVS",
+ "VPN"
 ],
 "severity": "Medium",
 "subcategory": "VPN",
@@ -759,8 +759,8 @@
 "id": "B07.01",
 "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-site-to-site-portal#openvwan",
 "services": [
- "VWAN",
- "AVS"
+ "AVS",
+ "VWAN"
 ],
 "severity": "Medium",
 "subcategory": "vWAN hub",
@@ -775,9 +775,9 @@
 "id": "B07.02",
 "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-point-to-site-portal",
 "services": [
- "VWAN",
+ "AVS",
 "VPN",
- "AVS"
+ "VWAN"
 ],
 "severity": "Medium",
 "subcategory": "vWAN hub",
@@ -792,9 +792,9 @@
 "id": "B07.03",
 "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-expressroute-portal",
 "services": [
- "VWAN",
 "Firewall",
- "AVS"
+ "AVS",
+ "VWAN"
 ],
 "severity": "Medium",
 "subcategory": "vWAN hub",
@@ -889,8 +889,8 @@
 "id": "C02.02",
 "link": "https://learn.microsoft.com/azure/azure-vmware/concepts-identity",
 "services": [
- "Entra",
 "RBAC",
+ "Entra",
 "AVS"
 ],
 "severity": "Medium",
@@ -906,8 +906,8 @@
 "id": "C02.03",
 "link": "https://learn.microsoft.com/azure/azure-vmware/concepts-identity#view-the-vcenter-server-privileges",
 "services": [
- "Entra",
 "RBAC",
+ "Entra",
 "AVS"
 ],
 "severity": "Medium",
@@ -923,8 +923,8 @@
 "id": "C02.04",
 "link": "Best practice",
 "services": [
- "Entra",
 "RBAC",
+ "Entra",
 "AVS"
 ],
 "severity": "Medium",
@@ -940,8 +940,8 @@
 "id": "C03.01",
 "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure",
 "services": [
- "Entra",
 "RBAC",
+ "Entra",
 "AVS"
 ],
 "severity": "Medium",
@@ -957,8 +957,8 @@
 "id": "C03.02",
 "link": "https://learn.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure",
 "services": [
- "Entra",
 "RBAC",
+ "Entra",
 "AVS"
 ],
 "severity": "Medium",
@@ -1008,8 +1008,8 @@
 "link": "https://learn.microsoft.com/azure/azure-arc/vmware-vsphere/overview",
 "services": [
 "VM",
- "Arc",
- "AVS"
+ "AVS",
+ "Arc"
 ],
 "severity": "Medium",
 "subcategory": "Operations",
@@ -1024,9 +1024,9 @@
 "id": "D01.02",
 "link": "https://docs.microsoft.com/azure/governance/policy/overview",
 "services": [
- "Monitor",
+ "AzurePolicy",
 "AVS",
- "AzurePolicy"
+ "Monitor"
 ],
 "severity": "Medium",
 "subcategory": "Operations",
@@ -1087,8 +1087,8 @@
 "id": "E01.01",
 "link": "https://docs.microsoft.com/azure/azure-vmware/configure-alerts-for-azure-vmware-solution",
 "services": [
- "Monitor",
- "AVS"
+ "AVS",
+ "Monitor"
 ],
 "severity": "Medium",
 "subcategory": "Alerts",
@@ -1103,8 +1103,8 @@
 "id": "E01.02",
 "link": "https://docs.microsoft.com/azure/azure-vmware/configure-alerts-for-azure-vmware-solution",
 "services": [
- "Monitor",
- "AVS"
+ "AVS",
+ "Monitor"
 ],
 "severity": "Medium",
 "subcategory": "Alerts",
@@ -1119,8 +1119,8 @@
 "id": "E01.03",
 "link": "https://www.virtualworkloads.com/2021/04/azure-vmware-solution-azure-service-health/",
 "services": [
- "Monitor",
- "AVS"
+ "AVS",
+ "Monitor"
 ],
 "severity": "Medium",
 "subcategory": "Alerts",
@@ -1135,11 +1135,11 @@
 "id": "E02.01",
 "link": "https://docs.microsoft.com/azure/azure-vmware/set-up-backup-server-for-azure-vmware-solution",
 "services": [
- "VM",
- "Monitor",
- "AVS",
 "Backup",
- "AzurePolicy"
+ "Monitor",
+ "AzurePolicy",
+ "VM",
+ "AVS"
 ],
 "severity": "Medium",
 "subcategory": "Backup",
@@ -1154,9 +1154,9 @@
 "id": "E03.01",
 "link": "https://docs.microsoft.com/azure/azure-vmware/configure-alerts-for-azure-vmware-solution",
 "services": [
- "Monitor",
+ "AzurePolicy",
 "AVS",
- "AzurePolicy"
+ "Monitor"
 ],
 "severity": "Medium",
 "subcategory": "Capacity",
@@ -1171,10 +1171,10 @@
 "id": "E04.01",
 "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/govern",
 "services": [
- "Monitor",
 "Cost",
+ "Subscriptions",
 "AVS",
- "Subscriptions"
+ "Monitor"
 ],
 "severity": "Medium",
 "subcategory": "Costs",
@@ -1189,9 +1189,9 @@
 "id": "E05.01",
 "link": "https://docs.microsoft.com/azure/azure-portal/azure-portal-dashboards",
 "services": [
- "Monitor",
 "NetworkWatcher",
- "AVS"
+ "AVS",
+ "Monitor"
 ],
 "severity": "Medium",
 "subcategory": "Dashboard",
@@ -1206,9 +1206,9 @@
 "id": "E06.01",
 "link": "https://docs.microsoft.com/azure/azure-vmware/configure-vmware-syslogs",
 "services": [
- "Monitor",
 "Storage",
- "AVS"
+ "AVS",
+ "Monitor"
 ],
 "severity": "Medium",
 "subcategory": "Logs & Metrics",
@@ -1223,8 +1223,8 @@
 "id": "E06.02",
 "link": "Is vROPS or vRealize Network Insight going to be used? ",
 "services": [
- "Monitor",
- "AVS"
+ "AVS",
+ "Monitor"
 ],
 "severity": "Medium",
 "subcategory": "Logs & Metrics",
@@ -1256,11 +1256,11 @@
 "id": "E07.01",
 "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-create-using-portal",
 "services": [
- "ExpressRoute",
 "Monitor",
 "VPN",
- "AVS",
- "NetworkWatcher"
+ "ExpressRoute",
+ "NetworkWatcher",
+ "AVS"
 ],
 "severity": "Medium",
 "subcategory": "Network",
@@ -1275,9 +1275,9 @@
 "id": "E07.02",
 "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-create-using-portal",
 "services": [
- "Monitor",
+ "ExpressRoute",
 "AVS",
- "ExpressRoute"
+ "Monitor"
 ],
 "severity": "Medium",
 "subcategory": "Network",
@@ -1292,8 +1292,8 @@
 "id": "E07.03",
 "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-create-using-portal",
 "services": [
- "Monitor",
- "AVS"
+ "AVS",
+ "Monitor"
 ],
 "severity": "Medium",
 "subcategory": "Network",
@@ -1308,8 +1308,8 @@
 "id": "E08.01",
 "link": "Firewall logging and alerting rules are configured (Azure Firewall or 3rd party)",
 "services": [
- "Monitor",
- "AVS"
+ "AVS",
+ "Monitor"
 ],
 "severity": "Medium",
 "subcategory": "Security",
@@ -1324,8 +1324,8 @@
 "id": "E08.02",
 "link": "https://docs.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/eslz-network-topology-connectivity",
 "services": [
- "Monitor",
- "AVS"
+ "AVS",
+ "Monitor"
 ],
 "severity": "Medium",
 "subcategory": "Security",
@@ -1340,8 +1340,8 @@
 "id": "E09.01",
 "link": "https://docs.microsoft.com/azure/azure-vmware/configure-vmware-syslogs",
 "services": [
- "Monitor",
- "AVS"
+ "AVS",
+ "Monitor"
 ],
 "severity": "Medium",
 "subcategory": "VMWare",
@@ -1403,9 +1403,9 @@
 "id": "F01.03",
 "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/eslz-network-topology-connectivity",
 "services": [
+ "AVS",
 "ARS",
- "NVA",
- "AVS"
+ "NVA"
 ],
 "severity": "Medium",
 "subcategory": "Hub & Spoke",
@@ -1420,8 +1420,8 @@
 "id": "F01.04",
 "link": "https://learn.microsoft.com/azure/route-server/route-server-faq",
 "services": [
- "ARS",
- "AVS"
+ "AVS",
+ "ARS"
 ],
 "severity": "Medium",
 "subcategory": "Hub & Spoke",
@@ -1451,10 +1451,10 @@
 "id": "F02.02",
 "link": "Research and choose optimal solution for each application",
 "services": [
- "FrontDoor",
- "AVS",
+ "NVA",
 "AppGW",
- "NVA"
+ "AVS",
+ "FrontDoor"
 ],
 "severity": "Medium",
 "subcategory": "Internet",
@@ -1469,8 +1469,8 @@
 "id": "F03.01",
 "link": "https://docs.microsoft.com/azure/route-server/route-server-faq#route-server-limits",
 "services": [
- "ARS",
- "AVS"
+ "AVS",
+ "ARS"
 ],
 "severity": "Medium",
 "subcategory": "Routing",
@@ -1485,15 +1485,15 @@
 "id": "F04.01",
 "link": "https://docs.microsoft.com/azure/ddos-protection/manage-ddos-protection",
 "services": [
- "ExpressRoute",
- "VM",
+ "LoadBalancer",
+ "DDoS",
 "VPN",
- "FrontDoor",
- "AVS",
 "VNet",
 "AppGW",
- "DDoS",
- "LoadBalancer"
+ "ExpressRoute",
+ "FrontDoor",
+ "VM",
+ "AVS"
 ],
 "severity": "Medium",
 "subcategory": "Security",
@@ -1539,8 +1539,8 @@
 "link": "https://learn.microsoft.com/azure/architecture/networking/hub-spoke-vwan-architecture",
 "services": [
 "VWAN",
- "Firewall",
- "AVS"
+ "AVS",
+ "Firewall"
 ],
 "severity": "Medium",
 "subcategory": "Virtual WAN",
@@ -1555,8 +1555,8 @@
 "id": "F06.02",
 "link": "https://learn.microsoft.com/azure/firewall-manager/secure-cloud-network",
 "services": [
- "VWAN",
- "AVS"
+ "AVS",
+ "VWAN"
 ],
 "severity": "Medium",
 "subcategory": "Virtual WAN",
@@ -1571,8 +1571,8 @@
 "id": "G01.01",
 "link": "https://docs.microsoft.com/azure/azure-vmware/configure-nsx-network-components-azure-portal",
 "services": [
- "AVS",
- "Subscriptions"
+ "Subscriptions",
+ "AVS"
 ],
 "severity": "Medium",
 "subcategory": "Automated Scale",
@@ -1588,8 +1588,8 @@
 "link": "https://docs.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/eslz-platform-automation-and-devops#automated-scale",
 "services": [
 "Storage",
- "AVS",
- "AzurePolicy"
+ "AzurePolicy",
+ "AVS"
 ],
 "severity": "Medium",
 "subcategory": "Automated Scale",
@@ -1649,8 +1649,8 @@
 "id": "G01.06",
 "link": "https://docs.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/eslz-management-and-monitoring",
 "services": [
- "Monitor",
- "AVS"
+ "AVS",
+ "Monitor"
 ],
 "severity": "Medium",
 "subcategory": "Automated Scale",
@@ -1711,8 +1711,8 @@
 "id": "H01.02",
 "link": "Internal policy or regulatory compliance",
 "services": [
- "AVS",
- "AzurePolicy"
+ "AzurePolicy",
+ "AVS"
 ],
 "severity": "Medium",
 "subcategory": "Pre-deployment",
@@ -1757,8 +1757,8 @@
 "id": "H01.05",
 "link": "Done through the subscription/resource providers/ AVS register in the portal",
 "services": [
- "AVS",
- "Subscriptions"
+ "Subscriptions",
+ "AVS"
 ],
 "severity": "Medium",
 "subcategory": "Pre-deployment",
@@ -1773,8 +1773,8 @@
 "id": "H01.06",
 "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/azure-vmware/enterprise-scale-landing-zone",
 "services": [
- "AVS",
- "Subscriptions"
+ "Subscriptions",
+ "AVS"
 ],
 "severity": "Medium",
 "subcategory": "Pre-deployment",
@@ -1834,8 +1834,8 @@
 "id": "H01.10",
 "link": "https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.2/installation/GUID-4B3860B8-1883-48CA-B2F3-7C2205D91D6D.html",
 "services": [
- "VNet",
- "AVS"
+ "AVS",
+ "VNet"
 ],
 "severity": "Medium",
 "subcategory": "Pre-deployment",
@@ -2006,8 +2006,8 @@
 "id": "I03.01",
 "link": "https://learn.microsoft.com/azure/sentinel/overview",
 "services": [
- "AVS",
- "Sentinel"
+ "Sentinel",
+ "AVS"
 ],
 "severity": "Medium",
 "subcategory": "Investigation",
@@ -2038,8 +2038,8 @@
 "id": "I04.02",
 "link": "https://docs.microsoft.com/azure/azure-vmware/azure-security-integration",
 "services": [
- "AVS",
- "AzurePolicy"
+ "AzurePolicy",
+ "AVS"
 ],
 "severity": "Medium",
 "subcategory": "Security",
@@ -2220,8 +2220,8 @@
 "id": "J04.02",
 "link": "3rd-Party tools",
 "services": [
- "VM",
 "Storage",
+ "VM",
 "AVS"
 ],
 "severity": "Medium",
@@ -2237,8 +2237,8 @@
 "id": "J04.03",
 "link": "Contact VMware",
 "services": [
- "VM",
 "Storage",
+ "VM",
 "AVS"
 ],
 "severity": "Medium",
@@ -2286,10 +2286,10 @@
 "id": "J04.06",
 "link": "https://learn.microsoft.com/azure/azure-vmware/concepts-storage#storage-policies-and-fault-tolerance",
 "services": [
- "VM",
 "Storage",
- "AVS",
- "AzurePolicy"
+ "AzurePolicy",
+ "VM",
+ "AVS"
 ],
 "severity": "Medium",
 "subcategory": "Storage",
@@ -2304,8 +2304,8 @@
 "id": "J04.07",
 "link": "https://learn.microsoft.com/azure/azure-vmware/configure-storage-policy",
 "services": [
- "VM",
 "Storage",
+ "VM",
 "AVS",
 "AzurePolicy"
 ],
@@ -2323,8 +2323,8 @@
 "link": "https://learn.microsoft.com/azure/azure-vmware/concepts-storage#storage-policies-and-fault-tolerance",
 "services": [
 "Storage",
- "AVS",
- "AzurePolicy"
+ "AzurePolicy",
+ "AVS"
 ],
 "severity": "Medium",
 "subcategory": "Storage",
@@ -2366,9 +2366,9 @@
 "guid": "fbcb40ac-9480-4a6d-bcf4-8081252a6716",
 "link": "https://learn.microsoft.com/azure/architecture/web-apps/spring-apps/architectures/spring-apps-multi-region",
 "services": [
- "TrafficManager",
 "ASR",
- "FrontDoor"
+ "FrontDoor",
+ "TrafficManager"
 ],
 "severity": "Medium",
 "subcategory": "Disaster Recovery",
@@ -2562,11 +2562,11 @@
 "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview",
 "services": [
 "Subscriptions",
- "WAF",
 "Firewall",
- "Entra",
+ "DDoS",
 "VNet",
- "DDoS"
+ "Entra",
+ "WAF"
 ],
 "severity": "Low",
 "subcategory": "DDoS",
@@ -2592,8 +2592,8 @@
 "id": "B03.01",
 "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview",
 "services": [
- "WAF",
- "FrontDoor"
+ "FrontDoor",
+ "WAF"
 ],
 "severity": "Medium",
 "subcategory": "Internet",
@@ -2607,8 +2607,8 @@
 "id": "B03.02",
 "link": "https://learn.microsoft.com/azure/openshift/howto-secure-openshift-with-front-door",
 "services": [
- "FrontDoor",
- "PrivateLink"
+ "PrivateLink",
+ "FrontDoor"
 ],
 "severity": "Medium",
 "subcategory": "Internet",
@@ -2623,8 +2623,8 @@
 "link": "https://learn.microsoft.com/azure/openshift/howto-restrict-egress",
 "services": [
 "Firewall",
- "NVA",
- "AzurePolicy"
+ "AzurePolicy",
+ "NVA"
 ],
 "severity": "Medium",
 "subcategory": "Internet",
@@ -3019,8 +3019,8 @@
 "link": "https://learn.microsoft.com/azure/azure-arc/kubernetes/tutorial-akv-secrets-provider",
 "services": [
 "AKS",
- "Arc",
- "AKV"
+ "AKV",
+ "Arc"
 ],
 "severity": "Medium",
 "subcategory": "Secrets",
@@ -3046,8 +3046,8 @@
 "id": "E05.02",
 "link": "https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes#install-azure-policy-extension-for-azure-arc-enabled-kubernetes",
 "services": [
- "Monitor",
- "AzurePolicy"
+ "AzurePolicy",
+ "Monitor"
 ],
 "severity": "Medium",
 "subcategory": "Workload",
@@ -3126,11 +3126,11 @@
 "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-sas#shared-access-authorization-policies",
 "service": "Service Bus",
 "services": [
- "TrafficManager",
+ "ServiceBus",
+ "AzurePolicy",
 "RBAC",
 "Entra",
- "ServiceBus",
- "AzurePolicy"
+ "TrafficManager"
 ],
 "severity": "Medium",
 "subcategory": "Identity and Access Management",
@@ -3147,12 +3147,12 @@
 "link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-managed-service-identity",
 "service": "Service Bus",
 "services": [
- "AppSvc",
+ "AKV",
 "Storage",
- "VM",
+ "AppSvc",
+ "ServiceBus",
 "Entra",
- "AKV",
- "ServiceBus"
+ "VM"
 ],
 "severity": "Medium",
 "subcategory": "Identity and Access Management",
@@ -3169,11 +3169,11 @@
 "link": "https://learn.microsoft.com/azure/service-bus-messaging/authenticate-application#azure-built-in-roles-for-azure-service-bus",
 "service": "Service Bus",
 "services": [
+ "Subscriptions",
 "Storage",
- "RBAC",
- "Entra",
 "ServiceBus",
- "Subscriptions"
+ "RBAC",
+ "Entra"
 ],
 "severity": "High",
 "subcategory": "Identity and Access Management",
@@ -3190,9 +3190,9 @@
 "link": "https://learn.microsoft.com/azure/service-bus-messaging/monitor-service-bus-reference",
 "service": "Service Bus",
 "services": [
- "Monitor",
 "ServiceBus",
- "VNet"
+ "VNet",
+ "Monitor"
 ],
 "severity": "Medium",
 "subcategory": "Monitoring",
@@ -3209,8 +3209,8 @@
 "link": "https://learn.microsoft.com/azure/service-bus-messaging/private-link-service",
 "service": "Service Bus",
 "services": [
- "ServiceBus",
 "PrivateLink",
+ "ServiceBus",
 "VNet"
 ],
 "severity": "Medium",
@@ -3370,8 +3370,8 @@
 "link": "https://learn.microsoft.com/azure/app-service/operating-system-functionality#file-access",
 "service": "App Services",
 "services": [
- "TrafficManager",
- "AppSvc"
+ "AppSvc",
+ "TrafficManager"
 ],
 "severity": "Medium",
 "subcategory": "Data Protection",
@@ -3471,9 +3471,9 @@
 "link": "https://learn.microsoft.com/azure/app-service/troubleshoot-diagnostic-logs",
 "service": "App Services",
 "services": [
- "Monitor",
 "AppSvc",
- "Entra"
+ "Entra",
+ "Monitor"
 ],
 "severity": "Medium",
 "subcategory": "Logging and Monitoring",
@@ -3489,9 +3489,9 @@
 "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log",
 "service": "App Services",
 "services": [
- "Monitor",
 "AppSvc",
- "Entra"
+ "Entra",
+ "Monitor"
 ],
 "severity": "Medium",
 "subcategory": "Logging and Monitoring",
@@ -3507,10 +3507,10 @@
 "link": "https://learn.microsoft.com/azure/app-service/overview-vnet-integration",
 "service": "App Services",
 "services": [
- "Monitor",
 "Firewall",
 "NVA",
- "VNet"
+ "VNet",
+ "Monitor"
 ],
 "severity": "Medium",
 "subcategory": "Network Security",
@@ -3526,11 +3526,11 @@
 "link": "https://learn.microsoft.com/azure/app-service/networking/nat-gateway-integration",
 "service": "App Services",
 "services": [
- "NVA",
- "Storage",
- "PrivateLink",
 "Firewall",
- "VNet"
+ "Storage",
+ "VNet",
+ "NVA",
+ "PrivateLink"
 ],
 "severity": "Low",
 "subcategory": "Network Security",
@@ -3546,8 +3546,8 @@
 "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions",
 "service": "App Services",
 "services": [
- "AppSvc",
- "PrivateLink"
+ "PrivateLink",
+ "AppSvc"
 ],
 "severity": "High",
 "subcategory": "Network Security",
@@ -3563,11 +3563,11 @@
 "link": "https://learn.microsoft.com/azure/app-service/networking/app-gateway-with-service-endpoints",
 "service": "App Services",
 "services": [
+ "Monitor",
 "AppSvc",
+ "AppGW",
 "WAF",
- "Monitor",
- "FrontDoor",
- "AppGW"
+ "FrontDoor"
 ],
 "severity": "High",
 "subcategory": "Network Security",
@@ -3583,8 +3583,8 @@
 "link": "https://learn.microsoft.com/azure/app-service/networking-features#access-restrictions",
 "service": "App Services",
 "services": [
- "WAF",
- "PrivateLink"
+ "PrivateLink",
+ "WAF"
 ],
 "severity": "High",
 "subcategory": "Network Security",
@@ -3619,8 +3619,8 @@
 "link": "https://learn.microsoft.com/azure/app-service/configure-ssl-bindings#enforce-https",
 "service": "App Services",
 "services": [
- "WAF",
- "AppSvc"
+ "AppSvc",
+ "WAF"
 ],
 "severity": "High",
 "subcategory": "Network Security",
@@ -3685,11 +3685,11 @@
 "service": "App Services",
 "services": [
 "EventHubs",
- "NVA",
- "WAF",
+ "DDoS",
 "VNet",
+ "NVA",
 "AppGW",
- "DDoS"
+ "WAF"
 ],
 "severity": "Medium",
 "subcategory": "Network Security",
@@ -3706,8 +3706,8 @@
 "service": "App Services",
 "services": [
 "ACR",
- "VNet",
- "PrivateLink"
+ "PrivateLink",
+ "VNet"
 ],
 "severity": "Medium",
 "subcategory": "Network Security",
@@ -3764,8 +3764,8 @@
 "id": "A01.01",
 "link": "https://learn.microsoft.com/sql/dma/dma-sku-recommend-sql-db?view=sql-server-ver16",
 "services": [
- "VM",
- "SQL"
+ "SQL",
+ "VM"
 ],
 "severity": "High",
 "subcategory": "VM Size",
@@ -3780,8 +3780,8 @@
 "id": "A01.02",
 "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-vm-size?view=azuresql#memory-optimized",
 "services": [
- "VM",
- "SQL"
+ "SQL",
+ "VM"
 ],
 "severity": "Medium",
 "subcategory": "VM Size",
@@ -3796,8 +3796,8 @@
 "id": "A02.01",
 "link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance#counters-to-measure-application-performance-requirements",
 "services": [
- "VM",
 "SQL",
+ "VM",
 "Storage"
 ],
 "severity": "Medium",
@@ -3845,8 +3845,8 @@
 "id": "A02.04",
 "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql#storage",
 "services": [
- "SQL",
 "Cost",
+ "SQL",
 "Storage"
 ],
 "severity": "High",
@@ -3862,8 +3862,8 @@
 "id": "A02.05",
 "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql#storage",
 "services": [
- "VM",
 "SQL",
+ "VM",
 "Storage"
 ],
 "severity": "Medium",
@@ -3879,8 +3879,8 @@
 "id": "A02.06",
 "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql#storage",
 "services": [
- "VM",
 "SQL",
+ "VM",
 "Storage"
 ],
 "severity": "High",
@@ -3897,8 +3897,8 @@
 "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql#storage",
 "services": [
 "SQL",
- "Storage",
- "AzurePolicy"
+ "AzurePolicy",
+ "Storage"
 ],
 "severity": "High",
 "subcategory": "Storage",
@@ -3913,8 +3913,8 @@
 "id": "A02.08",
 "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql#storage",
 "services": [
- "VM",
 "SQL",
+ "VM",
 "Storage"
 ],
 "severity": "High",
@@ -3946,8 +3946,8 @@
 "id": "A03.01",
 "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/business-continuity-high-availability-disaster-recovery-hadr-overview?view=azuresql#azure-only-disaster-recovery-solutions",
 "services": [
- "VM",
- "SQL"
+ "SQL",
+ "VM"
 ],
 "severity": "Medium",
 "subcategory": "HADR",
@@ -3962,8 +3962,8 @@
 "id": "A03.02",
 "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/business-continuity-high-availability-disaster-recovery-hadr-overview?view=azuresql#high-availability-nodes-in-an-availability-set",
 "services": [
- "VM",
- "SQL"
+ "SQL",
+ "VM"
 ],
 "severity": "High",
 "subcategory": "HADR",
@@ -3978,10 +3978,10 @@
 "id": "A03.03",
 "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/availability-group-azure-portal-configure?view=azuresql&tabs=azure-cli",
 "services": [
- "VM",
 "SQL",
- "VNet",
- "LoadBalancer"
+ "LoadBalancer",
+ "VM",
+ "VNet"
 ],
 "severity": "Medium",
 "subcategory": "HADR",
@@ -4027,10 +4027,10 @@
 "id": "A03.06",
 "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/availability-group-vnn-azure-load-balancer-configure?view=azuresql-vm&tabs=ilb",
 "services": [
- "VM",
 "SQL",
- "VNet",
- "LoadBalancer"
+ "LoadBalancer",
+ "VM",
+ "VNet"
 ],
 "severity": "High",
 "subcategory": "HADR",
@@ -4092,8 +4092,8 @@
 "id": "A04.04",
 "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/performance-guidelines-best-practices-checklist?view=azuresql-vm#sql-server-features",
 "services": [
- "VM",
 "SQL",
+ "VM",
 "Storage"
 ],
 "severity": "Low",
@@ -4109,8 +4109,8 @@
 "id": "A04.05",
 "link": "https://learn.microsoft.com/sql/database-engine/configure-windows/server-memory-server-configuration-options#use-",
 "services": [
- "VM",
- "SQL"
+ "SQL",
+ "VM"
 ],
 "severity": "High",
 "subcategory": "SQL Server",
@@ -4125,8 +4125,8 @@
 "id": "A04.06",
 "link": "https://learn.microsoft.com/sql/database-engine/configure-windows/enable-the-lock-pages-in-memory-option-windows",
 "services": [
- "VM",
- "SQL"
+ "SQL",
+ "VM"
 ],
 "severity": "High",
 "subcategory": "SQL Server",
@@ -4141,8 +4141,8 @@
 "id": "A04.07",
 "link": "https://learn.microsoft.com/sql/relational-databases/performance/monitoring-performance-by-using-the-query-store",
 "services": [
- "VM",
- "SQL"
+ "SQL",
+ "VM"
 ],
 "severity": "Low",
 "subcategory": "SQL Server",
@@ -4157,8 +4157,8 @@
 "id": "A04.08",
 "link": "https://learn.microsoft.com/sql/relational-databases/databases/tempdb-database#optimizing-tempdb-performance-in-sql-server",
 "services": [
- "VM",
- "SQL"
+ "SQL",
+ "VM"
 ],
 "severity": "High",
 "subcategory": "SQL Server",
@@ -4173,8 +4173,8 @@
 "id": "A04.09",
 "link": "https://docs.microsoft.com/azure/governance/management-groups/how-to/protect-resource-hierarchy#setting---require-authorization",
 "services": [
- "VM",
- "SQL"
+ "SQL",
+ "VM"
 ],
 "severity": "High",
 "subcategory": "SQL Server",
@@ -4189,8 +4189,8 @@
 "id": "A04.10",
 "link": "https://docs.microsoft.com/azure/governance/management-groups/how-to/protect-resource-hierarchy#setting---require-authorization",
 "services": [
- "VM",
- "SQL"
+ "SQL",
+ "VM"
 ],
 "severity": "Medium",
 "subcategory": "SQL Server",
@@ -4205,9 +4205,9 @@
 "id": "A05.01",
 "link": "https://learn.microsoft.com/azure/virtual-machines/constrained-vcpu",
 "services": [
- "VM",
- "SQL",
 "Cost",
+ "SQL",
+ "VM",
 "Storage"
 ],
 "severity": "Low",
@@ -4224,8 +4224,8 @@
 "id": "A05.02",
 "link": "https://azure.microsoft.com/en-ca/pricing/hybrid-benefit/",
 "services": [
- "SQL",
- "Cost"
+ "Cost",
+ "SQL"
 ],
 "severity": "Low",
 "subcategory": "Cost Optimization",
@@ -4240,8 +4240,8 @@
 "id": "A06.01",
 "link": "https://learn.microsoft.com/azure/azure-sql/virtual-machines/windows/sql-agent-extension-automatic-registration-all-vms?view=azuresql-vm&tabs=azure-cli",
 "services": [
- "VM",
- "SQL"
+ "SQL",
+ "VM"
 ],
 "severity": "Medium",
 "subcategory": "Azure",
@@ -4257,8 +4257,8 @@
 "id": "A06.02",
 "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview?tabs=redhat",
 "services": [
- "VM",
- "SQL"
+ "SQL",
+ "VM"
 ],
 "severity": "High",
 "subcategory": "Azure",
@@ -4273,8 +4273,8 @@
 "id": "A06.03",
 "link": "https://learn.microsoft.com/azure/defender-for-cloud/secure-score-security-controls",
 "services": [
- "VM",
 "SQL",
+ "VM",
 "Defender"
 ],
 "severity": "High",
@@ -4550,8 +4550,8 @@
 "id": "B04.03",
 "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/tde-certificate-migrate?view=azuresql-mi&tabs=azure-powershell",
 "services": [
- "VM",
- "SQL"
+ "SQL",
+ "VM"
 ],
 "severity": "Medium",
 "subcategory": "Deployment",
@@ -4628,8 +4628,8 @@
 "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/auto-failover-group-configure-sql-mi?view=azuresql&tabs=azure-portal#test-failover",
 "services": [
 "SQL",
- "EventHubs",
- "LoadBalancer"
+ "LoadBalancer",
+ "EventHubs"
 ],
 "severity": "High",
 "subcategory": "Post Migration",
@@ -4662,9 +4662,9 @@
 "link": "https://learn.microsoft.com/azure/architecture/example-scenario/data/sql-managed-instance-cmk",
 "services": [
 "SQL",
+ "AzurePolicy",
 "Backup",
- "AKV",
- "AzurePolicy"
+ "AKV"
 ],
 "severity": "Low",
 "subcategory": "Post Migration",
@@ -4697,9 +4697,9 @@
 "link": "https://learn.microsoft.com/azure/azure-sql/database/long-term-retention-overview?view=azuresql-mi",
 "services": [
 "SQL",
+ "Backup",
 "ARS",
- "Storage",
- "Backup"
+ "Storage"
 ],
 "severity": "Low",
 "subcategory": "Post Migration",
@@ -4715,8 +4715,8 @@
 "id": "B06.07",
 "link": "https://azure.microsoft.com/en-gb/pricing/hybrid-benefit/#overview",
 "services": [
- "SQL",
- "Cost"
+ "Cost",
+ "SQL"
 ],
 "severity": "Low",
 "subcategory": "Post Migration",
@@ -4744,158 +4744,304 @@
 {
 "category": "Business Continuity and Disaster Recovery",
 "checklist": "Azure Landing Zone Review",
- "guid": "aff6691b-4935-4ada-9222-3ece81b12318",
- "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-reports",
+ "guid": "80dc0591-cf65-4de8-b130-9cccd579266b",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
 "services": [
- "ASR"
+ "ASR",
+ "VM",
+ "Entra"
 ],
 "severity": "Medium",
 "subcategory": " ",
- "text": "Do not combine ASCS and Database cluster on to single/same VM"
+ "text": "Azure doesn't currently support combining ASCS and db HA in the same Linux Pacemaker cluster; separate them into individual clusters. However, you can combine up to five multiple central-services clusters into a pair of VMs."
 },
 {
 "category": "Business Continuity and Disaster Recovery",
 "checklist": "Azure Landing Zone Review",
- "guid": "1a541741-5833-4fb4-ae3c-2df743165c3a",
- "link": "https://learn.microsoft.com/azure/azure-monitor/logs/logs-data-export?tabs=portal",
+ "guid": "cca275fa-a1ab-4fe9-b55d-04c3c4919cb1",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/security-control-incident-response",
 "services": [
 "ASR",
 "LoadBalancer"
 ],
 "severity": "Medium",
 "subcategory": " ",
- "text": "Make sure the Floating IP is enabled on the Load balancer"
+ "text": "Use a Standard Load Balancer SKU in front of ASCS and DB clusters"
 },
 {
 "category": "Business Continuity and Disaster Recovery",
 "checklist": "Azure Landing Zone Review",
- "guid": "cbe05bbe-209d-4490-ba47-778424d11678",
- "link": "https://learn.microsoft.com/azure/security-center/",
+ "guid": "b3d1325a-e124-4ba3-9df6-85eddce9bd3b",
+ "link": "https://www.microsoft.com/itshowcase/implementing-a-zero-trust-security-model-at-microsoft",
 "services": [
- "VM",
- "RBAC",
+ "Storage",
 "ASR",
- "Entra"
+ "VM"
 ],
 "severity": "Medium",
 "subcategory": " ",
- "text": "Do not mix servers of different roles in the same availability set. Keep central services VMs, database VMs, application VMs in their own availability sets"
+ "text": "Both VMs in the HA pair should be deployed in an availability set, or Availability Zones should be the same size and have the same storage configuration"
 },
 {
 "category": "Business Continuity and Disaster Recovery",
 "checklist": "Azure Landing Zone Review",
- "guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2",
- "link": "https://learn.microsoft.com/azure/security-center/",
+ "guid": "b0cdb3b5-5eb2-4ec1-9eea-a3592829e2ed",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/security-control-incident-response",
 "services": [
- "SAP",
- "ACR",
 "ASR"
 ],
 "severity": "Medium",
 "subcategory": " ",
- "text": "Use one proximity placement group per SAP SID. Groups don't span across Availability Zones or Azure regions"
+ "text": "Native database replication technology should be used to synchronize the database in a HA pair."
 },
 {
 "category": "Business Continuity and Disaster Recovery",
 "checklist": "Azure Landing Zone Review",
- "guid": "80dc0591-cf65-4de8-b130-9cccd579266b",
- "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment",
+ "guid": "b2173676-aff6-4691-a493-5ada42223ece",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/security-control-incident-response",
 "services": [
- "VM",
 "ASR",
- "Entra"
+ "SAP"
 ],
 "severity": "Medium",
 "subcategory": " ",
- "text": "Azure doesn't currently support combining ASCS and db HA in the same Linux Pacemaker cluster; separate them into individual clusters. However, you can combine up to five multiple central-services clusters into a pair of VMs."
+ "text": "Perform a point-in-time recovery for your production databases at any point and in a time frame that meets your RTO; point-in-time recovery typically includes operator errors deleting data either on the DBMS layer or through SAP, incidentally"
 },
 {
 "category": "Business Continuity and Disaster Recovery",
 "checklist": "Azure Landing Zone Review",
- "guid": "cca275fa-a1ab-4fe9-b55d-04c3c4919cb1",
- "link": "https://learn.microsoft.com/security/benchmark/azure/security-control-incident-response",
+ "guid": "81b12318-1a54-4174-8583-3fb4ae3c2df7",
 "services": [
 "ASR",
- "LoadBalancer"
+ "VNet"
 ],
 "severity": "Medium",
 "subcategory": " ",
- "text": "Use a Standard Load Balancer SKU in front of ASCS and DB clusters"
+ "text": "The CIDR for the primary virtual network (VNet) shouldn't conflict or overlap with the CIDR of the DR site's Vnet"
 },
 {
 "category": "Business Continuity and Disaster Recovery",
 "checklist": "Azure Landing Zone Review",
- "guid": "b3d1325a-e124-4ba3-9df6-85eddce9bd3b",
- "link": "https://www.microsoft.com/itshowcase/implementing-a-zero-trust-security-model-at-microsoft",
+ "guid": "43165c3a-cbe0-45bb-b209-d490da477784",
 "services": [
- "VM",
 "ASR",
- "Storage"
+ "VM",
+ "Entra"
 ],
 "severity": "Medium",
 "subcategory": " ",
- "text": "Both VMs in the HA pair should be deployed in an availability set, or Availability Zones should be the same size and have the same storage configuration"
+ "text": "Use Site Recovery to replicate an application server to a DR site. Site Recovery can also help with replicating central-services cluster VMs to the DR site. When you invoke DR, you'll need to reconfigure the Linux Pacemaker cluster on the DR site (for example, replace the VIP or SBD, run corosync.conf, and more)."
 },
 {
 "category": "Business Continuity and Disaster Recovery",
 "checklist": "Azure Landing Zone Review",
- "guid": "b0cdb3b5-5eb2-4ec1-9eea-a3592829e2ed",
- "link": "https://learn.microsoft.com/security/benchmark/azure/security-control-incident-response",
+ "guid": "24d11678-5d2f-4a56-a56a-d48408fe7273",
 "services": [
 "ASR"
 ],
 "severity": "Medium",
 "subcategory": " ",
- "text": "Native database replication technology should be used to synchronize the database in a HA pair."
+ "text": "Native database replication should be used to synchronize data to the DR site, rather than Azure Site Recovery"
 },
 {
 "category": "Business Continuity and Disaster Recovery",
 "checklist": "Azure Landing Zone Review",
- "guid": "b2173676-aff6-4691-a493-5ada42223ece",
- "link": "https://learn.microsoft.com/security/benchmark/azure/security-control-incident-response",
+ "guid": "8300cb30-766b-4084-b126-0dd8fb1269a1",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/sap-high-availability-architecture-scenario",
+ "services": [
+ "ASR",
+ "SAP"
+ ],
+ "severity": "High",
+ "subcategory": "High availability",
+ "text": "Consider the availability of SAP software against single points of failure. This includes single points of failure within applications such as DBMSs utilized in SAP NetWeaver and SAP S/4HANA architectures, SAP ABAP and ASCS + SCS. Also, other tools such as SAP Web Dispatcher.",
+ "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/2-explore-high-availability-disaster-recovery-support-azure-for-sap-workloads?source=recommendations"
+ },
+ {
+ "category": "Business Continuity and Disaster Recovery",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "56402f11-ccbe-42c3-a2f6-c6f6f38ab579",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/planning-supported-configurations",
+ "services": [
+ "ASR",
+ "SAP"
+ ],
+ "severity": "High",
+ "subcategory": "High availability",
+ "text": "For SAP and SAP databases, consider implementing automatic failover clusters. In Windows, Windows Server Failover Clustering supports failover. In Linux, Linux Pacemaker or third-party tools like SIOS Protection Suite and Veritas InfoScale support failover.",
+ "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations"
+ },
+ {
+ "category": "Business Continuity and Disaster Recovery",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "afae6bec-2671-49ae-bc69-140b8ec8d320",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows",
+ "services": [
+ "Storage",
+ "ASR",
+ "VM"
+ ],
+ "severity": "High",
+ "subcategory": "High availability",
+ "text": "Azure doesn't support architectures in which the primary and secondary VMs share storage for DBMS data. For the DBMS layer, the common architecture pattern is to replicate databases at the same time and with different storage stacks than the ones that the primary and secondary VMs use.",
+ "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/?source=recommendationshttps%3A%2F%2Flearn.microsoft.com%2Fja-jp%2Ftraining%2Fpaths%2Fensure-business-continuity-implement-disaster-recovery%2F%3Fsource%3Drecommendations"
+ },
+ {
+ "category": "Business Continuity and Disaster Recovery",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "ac614e95-6767-4bc3-b8a4-9953533da6ba",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/dbms-guide-general",
+ "services": [
+ "Storage",
+ "ASR",
+ "SAP"
+ ],
+ "severity": "High",
+ "subcategory": "High availability",
+ "text": "The DBMS data and transaction/redo log files are stored in Azure supported block storage or Azure NetApp Files. Azure Files or Azure Premium Files isn't supported as storage for DBMS data and/or redo log files with SAP workload.",
+ "training": "https://learn.microsoft.com/training/modules/explore-azure-databases/2-explore-database-support-azure-for-sap-workloads"
+ },
+ {
+ "category": "Business Continuity and Disaster Recovery",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "1f737179-8e7f-4e1a-a30c-e5a649a3092b",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/sap-high-availability-guide-wsfc-shared-disk",
+ "services": [
+ "ASR",
+ "SAP"
+ ],
+ "severity": "High",
+ "subcategory": "High availability",
+ "text": "You can use Azure shared disks in Windows for ASCS + SCS components and specific high-availability scenarios. Set up your failover clusters separately for SAP application layer components and the DBMS layer. Azure doesn't currently support high-availability architectures that combine SAP application layer components and the DBMS layer into one failover cluster.",
+ "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations"
+ },
+ {
+ "category": "Business Continuity and Disaster Recovery",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "a78b3d31-3170-44f2-b5d7-651a29f4ccf5",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-standard-load-balancer-outbound-connections",
 "services": [
+ "ASR",
 "SAP",
- "ASR"
+ "LoadBalancer"
 ],
- "severity": "Medium",
- "subcategory": " ",
- "text": "Perform a point-in-time recovery for your production databases at any point and in a time frame that meets your RTO; point-in-time recovery typically includes operator errors deleting data either on the DBMS layer or through SAP, incidentally"
+ "severity": "High",
+ "subcategory": "High availability",
+ "text": "Most failover clusters for SAP application layer components (ASCS) and the DBMS layer require a virtual IP address for a failover cluster. Azure Load Balancer should handle the virtual IP address for all other cases. One design principle is to use one load balancer per cluster configuration. We recommend that you use the standard version of the load balancer (Standard Load Balancer SKU).",
+ "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations"
 },
 {
 "category": "Business Continuity and Disaster Recovery",
 "checklist": "Azure Landing Zone Review",
- "guid": "81b12318-1a54-4174-8583-3fb4ae3c2df7",
+ "guid": "1a541741-5833-4fb4-ae3c-2df743165c3a",
+ "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-ha-ports-overview?source=recommendations",
 "services": [
 "ASR",
- "VNet"
+ "LoadBalancer"
 ],
- "severity": "Medium",
- "subcategory": " ",
- "text": "The CIDR for the primary virtual network (VNet) shouldn't conflict or overlap with the CIDR of the DR site's Vnet"
+ "severity": "High",
+ "subcategory": "High availability",
+ "text": "Make sure the Floating IP is enabled on the Load balancer",
+ "training": "https://learn.microsoft.com/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations"
 },
 {
 "category": "Business Continuity and Disaster Recovery",
 "checklist": "Azure Landing Zone Review",
- "guid": "43165c3a-cbe0-45bb-b209-d490da477784",
+ "guid": "c47cc4f3-f105-452c-845e-9b307b3856c1",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/availability",
+ "services": [
+ "ASR"
+ ],
+ "severity": "High",
+ "subcategory": "High availability",
+ "text": "Before you deploy your high-availability infrastructure, and depending on the region you choose, determine whether to deploy with an Azure availability set or an availability zone.",
+ "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations"
+ },
+ {
+ "category": "Business Continuity and Disaster Recovery",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "844f69c3-07e5-4ec1-bff7-4be27bcf5fea",
+ "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1",
 "services": [
+ "ASR",
 "VM",
+ "Entra",
+ "SAP"
+ ],
+ "severity": "High",
+ "subcategory": "High availability",
+ "text": "If you want to meet the infrastructure SLAs for your applications for SAP components (central services, application servers, and databases), you must choose the same high availability options (VMs, availability sets, availability zones) for all components."
+ },
+ {
+ "category": "Business Continuity and Disaster Recovery",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "cbe05bbe-209d-4490-ba47-778424d11678",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview",
+ "services": [
+ "RBAC",
 "ASR",
+ "VM",
 "Entra"
 ],
- "severity": "Medium",
- "subcategory": " ",
- "text": "Use Site Recovery to replicate an application server to a DR site. Site Recovery can also help with replicating central-services cluster VMs to the DR site. When you invoke DR, you'll need to reconfigure the Linux Pacemaker cluster on the DR site (for example, replace the VIP or SBD, run corosync.conf, and more)."
+ "severity": "High",
+ "subcategory": "High availability",
+ "text": "Do not mix servers of different roles in the same availability set. Keep central services VMs, database VMs, application VMs in their own availability sets",
+ "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations"
 },
 {
 "category": "Business Continuity and Disaster Recovery",
 "checklist": "Azure Landing Zone Review",
- "guid": "24d11678-5d2f-4a56-a56a-d48408fe7273",
+ "guid": "f2201000-d045-40a6-a79a-d7cdc01b4d86",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/co-location",
 "services": [
 "ASR"
 ],
 "severity": "Medium",
- "subcategory": " ",
- "text": "Native database replication should be used to synchronize data to the DR site, rather than Azure Site Recovery"
+ "subcategory": "High availability",
+ "text": "You can't deploy Azure availability sets within an Azure availability zone unless you use proximity placement groups.",
+ "training": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios"
+ },
+ {
+ "category": "Business Continuity and Disaster Recovery",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "9674e7c7-7796-4181-8920-09f4429543ba",
+ "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview",
+ "services": [
+ "ASR",
+ "VM"
+ ],
+ "severity": "High",
+ "subcategory": "High availability",
+ "text": "When you create availability sets, use the maximum number of fault domains and update domains available. For example, if you deploy more than two VMs in one availability set, use the maximum number of fault domains (three) and enough update domains to limit the effect of potential physical hardware failures, network outages, or power interruptions, in addition to Azure planned maintenance. The default number of fault domains is two, and you can't change it online later.",
+ "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations"
+ },
+ {
+ "category": "Business Continuity and Disaster Recovery",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "ae4ecb95-b70f-428f-8b9a-4c5b7e3478a2",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios",
+ "services": [
+ "ASR",
+ "Entra",
+ "SAP"
+ ],
+ "severity": "High",
+ "subcategory": "High availability",
+ "text": "When you use Azure proximity placement groups in an availability set deployment, all three SAP components (central services, application server, and database) should be in the same proximity placement group."
+ },
+ {
+ "category": "Business Continuity and Disaster Recovery",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2",
+ "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios",
+ "services": [
+ "ACR",
+ "ASR",
+ "SAP"
+ ],
+ "severity": "High",
+ "subcategory": "High availability",
+ "text": "Use one proximity placement group per SAP SID. Groups don't span across Availability Zones or Azure regions"
 },
 {
 "category": "Compute",
@@ -4929,8 +5075,8 @@
 "guid": "45911475-e39e-4530-accc-d979366bcda2",
 "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration",
 "services": [
- "SAP",
- "Entra"
+ "Entra",
+ "SAP"
 ],
 "severity": "Medium",
 "subcategory": "Identity",
@@ -4943,8 +5089,8 @@
 "guid": "750ab1ab-039d-495d-94c7-c8929cb107d5",
 "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/scenario-azure-first-sap-identity-integration",
 "services": [
- "SAP",
- "Entra"
+ "Entra",
+ "SAP"
 ],
 "severity": "Medium",
 "subcategory": "Identity",
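Review bot: The `training` value added on the `afae6bec-2671-49ae-bc69-140b8ec8d320` entry in the `-4744,158 +4744,304` hunk is malformed: a second, percent-encoded learn.microsoft.com URL is appended directly after `?source=recommendations`, so the value should end at `.../ensure-business-continuity-implement-disaster-recovery/?source=recommendations`. The entries re-added at the top of the section also keep `link` targets unrelated to their text: `cca275fa` (Standard Load Balancer), `b0cdb3b5` (database replication) and `b2173676` (point-in-time recovery) point at the incident-response security benchmark, `b3d1325a` (HA pair sizing) at a Zero Trust showcase page and `80dc0591` (Pacemaker clusters) at an Azure Monitor logs design page, while this same hunk corrects the links on `1a541741`, `cbe05bbe` and `5d2fa56c`. Those re-added entries still carry a whitespace-only `"subcategory": " "` where the new ones use `"High availability"`. The commit is titled as an automated change, so these corrections presumably belong in the source checklist this file is built from.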
@@ -4956,8 +5102,8 @@ "guid": "325ae525-ba34-4d46-a5e2-213ace7bb122", "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", "services": [ - "SAP", - "Entra" + "Entra", + "SAP" ], "severity": "Medium", "subcategory": "Identity", @@ -4969,8 +5115,8 @@ "checklist": "Azure Landing Zone Review", "guid": "9eb54dad-7861-4e1c-973a-f3bb003fc9c1", "services": [ - "SAP", - "Entra" + "Entra", + "SAP" ], "severity": "Medium", "subcategory": "Identity", @@ -4983,8 +5129,8 @@ "guid": "f29676ef-0c9c-4c4d-ab21-a55504c0c829", "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", "services": [ - "SAP", - "Entra" + "Entra", + "SAP" ], "severity": "Medium", "subcategory": "Identity", @@ -5025,8 +5171,8 @@ "guid": "16785d6f-a96c-496a-b885-18f482734c88", "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial#configure-sap-netweaver-for-oauth", "services": [ - "SAP", - "Entra" + "Entra", + "SAP" ], "severity": "Medium", "subcategory": "Identity", @@ -5038,8 +5184,8 @@ "guid": "a747c350-8d4c-449c-93af-393dbca77c48", "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/saphana-tutorial", "services": [ - "SAP", - "Entra" + "Entra", + "SAP" ], "severity": "Medium", "subcategory": "Identity", @@ -5051,8 +5197,8 @@ "guid": "c7bae5bf-daf9-4761-9c56-f92891890aa4", "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration#connectivity-with-sap-rise", "services": [ - "SAP", - "Entra" + "Entra", + "SAP" ], "severity": "Medium", "subcategory": "Identity", @@ -5064,8 +5210,8 @@ "guid": "e4e48226-ce54-44b6-bb6b-bfa15bd8f753", "link": "https://github.com/azuredevcollege/SAP/blob/master/sap-oauth-saml-flow/README.md", "services": [ - "SAP", - "Entra" + "Entra", + "SAP" ], "severity": "Medium", "subcategory": "Identity", 
@@ -5077,8 +5223,8 @@ "guid": "59921095-4980-4fc1-a5b6-524a5a560c79", "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial", "services": [ - "SAP", - "Entra" + "Entra", + "SAP" ], "severity": "Medium", "subcategory": "Identity", @@ -5090,8 +5236,8 @@ "guid": "a709c664-317e-41e4-9e34-67d9016a86f4", "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-tutorial", "services": [ - "SAP", - "Entra" + "Entra", + "SAP" ], "severity": "Medium", "subcategory": "Identity", @@ -5103,8 +5249,8 @@ "guid": "01f11b7f-38df-4251-9c76-4dec19abd3e8", "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-successfactors-inbound-provisioning-cloud-only-tutorial", "services": [ - "SAP", - "Entra" + "Entra", + "SAP" ], "severity": "Medium", "subcategory": "Identity", @@ -5116,9 +5262,9 @@ "guid": "6ba28021-4591-4147-9e39-e5309cccd979", "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups", "services": [ - "SAP", + "AzurePolicy", "Subscriptions", - "AzurePolicy" + "SAP" ], "severity": "Medium", "subcategory": "Subscriptions", @@ -5131,8 +5277,8 @@ "guid": "366bcda2-750a-4b1a-a039-d95d54c7c892", "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", "services": [ - "SAP", - "Subscriptions" + "Subscriptions", + "SAP" ], "severity": "High", "subcategory": "Subscriptions", @@ -5210,8 +5356,8 @@ "guid": "4e138115-2318-41aa-9174-26943ff8ae7d", "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-resource-organization", "services": [ - "TrafficManager", "Cost", + "TrafficManager", "Subscriptions" ], "severity": "Medium", 
@@ -5225,8 +5371,8 @@ "guid": "2f7c95f0-6e15-44e3-aa35-92829e6e2061", "link": "https://learn.microsoft.com/azure/backup/sap-hana-database-about", "services": [ - "Monitor", - "Backup" + "Backup", + "Monitor" ], "severity": "High", "subcategory": "BCDR", @@ -5239,8 +5385,8 @@ "guid": "302a2fbf-3745-4a5f-a365-c9d1a16ca22c", "link": "https://learn.microsoft.com/azure/azure-netapp-files/azacsnap-introduction", "services": [ - "VM", "Storage", + "VM", "Entra", "Monitor" ], @@ -5267,8 +5413,8 @@ "guid": "c3c7abc0-716c-4486-893c-40e181d65539", "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-multi-sid", "services": [ - "Monitor", - "Entra" + "Entra", + "Monitor" ], "severity": "Medium", "subcategory": "Management", @@ -5281,8 +5427,8 @@ "guid": "a491dfc4-9353-4213-9217-eef0949f9467", "link": "https://azure.microsoft.com/pricing/offers/dev-test/", "services": [ - "Monitor", - "Cost" + "Cost", + "Monitor" ], "severity": "Low", "subcategory": "Management", @@ -5294,8 +5440,8 @@ "guid": "b7056168-6199-4732-a514-cdbb2d5c9c54", "link": "https://learn.microsoft.com/azure/lighthouse/overview", "services": [ - "SAP", "Entra", + "SAP", "Monitor" ], "severity": "Medium", @@ -5336,8 +5482,8 @@ "guid": "14591147-5e39-4e53-89cc-cd979366bcda", "link": "https://learn.microsoft.com/azure/sap/monitor/about-azure-monitor-sap-solutions", "services": [ - "SAP", "SQL", + "SAP", "Monitor" ], "severity": "Medium", @@ -5351,9 +5497,9 @@ "guid": "2750ab1a-b039-4d95-b54c-7c8929cb107d", "link": "https://learn.microsoft.com/azure/sap/workloads/vm-extension-for-sap", "services": [ - "SAP", "VM", "Entra", + "SAP", "Monitor" ], "severity": "High", @@ -5367,8 +5513,8 @@ "guid": "5325ae52-5ba3-44d4-985e-2213ace7bb12", "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", "services": [ - "Monitor", - "AzurePolicy" + "AzurePolicy", + "Monitor" ], "severity": "Medium", "subcategory": "Monitoring", 
@@ -5381,8 +5527,8 @@ "guid": "523181aa-4174-4269-93ff-8ae7d7d47431", "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-overview", "services": [ - "SAP", "NetworkWatcher", + "SAP", "Monitor" ], "severity": "Medium", @@ -5396,8 +5542,8 @@ "guid": "d89fd98d-23e4-4b40-a92e-32db9365522c", "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-monitor-and-troubleshoot", "services": [ - "SAP", "ASR", + "SAP", "Monitor" ], "severity": "High", @@ -5411,8 +5557,8 @@ "guid": "73686af4-6791-4f89-95ad-a43324e13811", "link": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/QualityCheck", "services": [ - "SAP", "VM", + "SAP", "Monitor" ], "severity": "Medium", @@ -5425,9 +5571,9 @@ "guid": "616785d6-fa96-4c96-ad88-518f482734c8", "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", "services": [ + "Subscriptions", "SAP", - "Monitor", - "Subscriptions" + "Monitor" ], "severity": "High", "subcategory": "Monitoring", @@ -5440,9 +5586,9 @@ "guid": "410adcba-db46-424f-a6c4-05ecde75c52e", "link": "https://learn.microsoft.com/azure/advisor/advisor-how-to-improve-reliability", "services": [ - "Monitor", + "Storage", "ASR", - "Storage" + "Monitor" ], "severity": "Medium", "subcategory": "Monitoring", @@ -5455,8 +5601,8 @@ "guid": "86ba2802-1459-4114-95e3-9e5309cccd97", "link": "https://learn.microsoft.com/azure/sentinel/sap/deployment-overview", "services": [ - "SAP", "Sentinel", + "SAP", "Monitor" ], "severity": "Medium", @@ -5470,8 +5616,8 @@ "guid": "579266bc-ca27-45fa-a1ab-fe9d55d04c3c", "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/enable-tag-inheritance", "services": [ - "Monitor", - "Cost" + "Cost", + "Monitor" ], "severity": "Medium", "subcategory": "Monitoring", 
@@ -5497,8 +5643,8 @@ "guid": "07e5ed53-3d96-43d8-87ea-631b77da5aba", "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide-storage", "services": [ - "SAP", "ASR", + "SAP", "Monitor" ], "severity": "Medium", @@ -5512,8 +5658,8 @@ "guid": "abb6af9c-982c-4cf1-83fb-329fafd1ee56", "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-management-and-monitoring", "services": [ - "SAP", "Storage", + "SAP", "Monitor" ], "severity": "Medium", @@ -5539,8 +5685,8 @@ "guid": "fdafb1f5-3eee-4354-a8c9-deb8127ebc2e", "link": "https://learn.microsoft.com/azure/virtual-machines/workloads/oracle/configure-oracle-asm", "services": [ - "SAP", "Storage", + "SAP", "Monitor" ], "severity": "Medium", @@ -5554,8 +5700,8 @@ "guid": "33c5d5bf-daf3-4f0d-bd50-6010fdcec22e", "link": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/announcement-sap-on-azure-oracle-performance-efficiency-scripts/ba-p/3725178", "services": [ - "SAP", "SQL", + "SAP", "Monitor" ], "severity": "Medium", @@ -5569,9 +5715,9 @@ "guid": "5ba34d46-85e2-4213-ace7-bb122f7c95f0", "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", "services": [ - "WAF", "AppGW", - "AzurePolicy" + "AzurePolicy", + "WAF" ], "severity": "Medium", "subcategory": "App delivery", @@ -5584,9 +5730,9 @@ "guid": "fa9d30bc-1b82-4e4b-bfdf-6b017938b9e6", "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", "services": [ - "SAP", "DNS", - "VM" + "VM", + "SAP" ], "severity": "Medium", "subcategory": "DNS", @@ -5599,8 +5745,8 @@ "guid": "a2858f78-105b-4f52-b7a9-5b0f4439743b", "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", "services": [ - "SAP", "DNS", + "SAP", "VNet" ], "severity": "Medium", 
@@ -5614,8 +5760,8 @@ "guid": "a3592829-e6e2-4061-9368-6af46791f893", "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview", "services": [ - "SAP", "ACR", + "SAP", "VNet" ], "severity": "Medium", @@ -5643,8 +5789,8 @@ "guid": "7d4bc7d2-c34a-452e-8f1d-6ae3c8eafcc3", "link": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/?source=recommendations", "services": [ - "SAP", "ACR", + "SAP", "VWAN" ], "severity": "Medium", @@ -5658,8 +5804,8 @@ "guid": "0cedb1f6-ae6c-492b-8b17-8061f50b16d3", "link": "https://learn.microsoft.com/azure/well-architected/services/networking/network-virtual-appliances/reliability", "services": [ - "NVA", - "VNet" + "VNet", + "NVA" ], "severity": "Medium", "subcategory": "Hybrid", @@ -5688,9 +5834,9 @@ "guid": "82734c88-6ba2-4802-8459-11475e39e530", "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing", "services": [ - "SAP", + "VNet", "VM", - "VNet" + "SAP" ], "severity": "High", "subcategory": "IP plan", @@ -5757,9 +5903,9 @@ "guid": "91a65e40-be90-45b3-9f73-f3edbf8dc324", "link": "https://learn.microsoft.com/azure/sap/workloads/expose-sap-process-orchestration-on-azure", "services": [ + "AppGW", "SAP", - "WAF", - "AppGW" + "WAF" ], "severity": "Medium", "subcategory": "Internet", @@ -5772,10 +5918,10 @@ "guid": "5e39e530-9ccc-4d97-a366-bcda2750ab1a", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", "services": [ - "WAF", "ACR", "FrontDoor", - "AzurePolicy" + "AzurePolicy", + "WAF" ], "severity": "Medium", "subcategory": "Internet", @@ -5788,10 +5934,10 @@ "guid": "b039d95d-54c7-4c89-89cb-107d5325ae52", "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", "services": [ - "WAF", - "FrontDoor", "AppGW", - "AzurePolicy" + "WAF", + "AzurePolicy", + "FrontDoor" ], "severity": "Medium", "subcategory": "Internet", 
@@ -5804,9 +5950,9 @@ "guid": "5ada4332-4e13-4811-9231-81aa41742694", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", "services": [ - "WAF", "AppGW", - "LoadBalancer" + "LoadBalancer", + "WAF" ], "severity": "Medium", "subcategory": "Internet", @@ -5819,8 +5965,8 @@ "guid": "e73de7d5-6f36-4217-a526-e1a621ecddde", "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", "services": [ - "SAP", "ACR", + "SAP", "VWAN" ], "severity": "Medium", @@ -5834,11 +5980,11 @@ "guid": "3c536a3e-1b6b-4e87-95ca-15edb47251c0", "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", "services": [ - "Storage", - "PrivateLink", + "Backup", "ACR", + "Storage", "VNet", - "Backup" + "PrivateLink" ], "severity": "Medium", "subcategory": "Internet", @@ -5851,8 +5997,8 @@ "guid": "85e2213a-ce7b-4b12-8f7c-95f06e154e3a", "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview?tabs=redhat", "services": [ - "SAP", - "VM" + "VM", + "SAP" ], "severity": "High", "subcategory": "Segmentation", @@ -5933,8 +6079,8 @@ "guid": "b65c878b-4b14-4f4e-92d8-d873936493f2", "link": "https://me.sap.com/notes/2015553", "services": [ - "SAP", "Cost", + "SAP", "VNet" ], "severity": "High", @@ -5948,8 +6094,8 @@ "guid": "85e2213a-ce7b-4b12-8f7c-95f06e154e3a", "link": "https://learn.microsoft.com/azure/virtual-network/accelerated-networking-overview?tabs=redhat", "services": [ - "SAP", - "VM" + "VM", + "SAP" ], "severity": "High", "subcategory": "Segmentation", 
@@ -5985,77 +6131,85 @@
 {
 "category": "Security, Governance and Compliance",
 "checklist": "Azure Landing Zone Review",
- "guid": "209d490d-a477-4784-84d1-16785d2fa56c",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
+ "guid": "18dffcf3-248c-4039-a67c-dec8e3a5f804",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations",
 "services": [
- "SAP",
- "RBAC",
- "Subscriptions"
+ "VM"
 ],
- "severity": "High",
+ "severity": "Medium",
 "subcategory": "Governance",
- "text": "Customize role-based access control (RBAC) roles for SAP on Azure spoke subscriptions to avoid accidental network-related changes"
+ "text": "If you run Windows and Linux VMs in Azure, on-premises, or in other cloud environments, you can use the Update management center in Azure Automation to manage operating system updates, including security patches.",
+ "training": "https://learn.microsoft.com/azure/automation/update-management/overview"
 },
 {
 "category": "Security, Governance and Compliance",
 "checklist": "Azure Landing Zone Review",
- "guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
+ "guid": "08951710-79a2-492a-adbc-06d7a401545b",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations",
 "services": [
- "SAP",
- "NVA",
- "PrivateLink"
+ "SAP"
 ],
 "severity": "Medium",
 "subcategory": "Governance",
- "text": "Isolate DMZs and NVAs from the rest of the SAP estate, configure Azure Private Link, and securely manage and control the SAP on Azure resources"
+ "text": "Routinely review the SAP security OSS notes because SAP releases highly critical security patches, or hot fixes, that require immediate action to protect your SAP systems.",
+ "training": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html"
 },
 {
 "category": "Security, Governance and Compliance",
 "checklist": "Azure Landing Zone Review",
- "guid": "cf65de8e-1309-4ccc-b579-266bcca275fa",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
+ "guid": "1b8b394e-ae64-4a74-8933-357b523ea0a0",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security",
 "services": [
- "SAP",
 "SQL",
- "Storage",
- "Backup"
+ "SAP"
 ],
- "severity": "Medium",
+ "severity": "Low",
 "subcategory": "Governance",
- "text": "For SAP database server encryption, use the SAP HANA native encryption technology. If you're using Azure SQL Database, use Transparent Data Encryption (TDE) offered by the DBMS provider to secure your data and log files, and ensure the backups are also encrypted."
+ "text": "For SAP on SQL Server, you can disable the SQL Server system administrator account because the SAP systems on SQL Server don't use the account. Ensure that another user with system administrator rights can access the server before disabling the original system administrator account."
 },
 {
 "category": "Security, Governance and Compliance",
 "checklist": "Azure Landing Zone Review",
- "guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
+ "guid": "5a76a033-ced9-4eef-9a43-5e4f96634c8e",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security",
 "services": [
- "Storage"
+ "SQL"
 ],
- "severity": "Medium",
+ "severity": "High",
 "subcategory": "Governance",
- "text": "Azure Storage encryption is enabled by default"
+ "text": "Disable xp_cmdshell. The SQL Server feature xp_cmdshell enables a SQL Server internal operating system command shell. It's a potential risk in security audits.",
+ "training": "https://me.sap.com/notes/3019299/E"
 },
 {
 "category": "Security, Governance and Compliance",
 "checklist": "Azure Landing Zone Review",
- "guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
- "services": [],
- "severity": "Medium",
- "subcategory": "Governance",
- "text": " "
+ "guid": "cf65de8e-1309-4ccc-b579-266bcca275fa",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance",
+ "services": [
+ "Backup",
+ "AKV",
+ "Storage",
+ "SQL",
+ "SAP"
+ ],
+ "severity": "High",
+ "subcategory": "Secrets",
+ "text": "Encrypting SAP HANA database servers on Azrue uses SAP HANA native encryption technology. Additionally, if you are using SQL Server on Azure, use Transparent Data Encryption (TDE) to protect your data and log files and ensure that your backups are also encrypted.",
+ "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security"
 },
 {
 "category": "Security, Governance and Compliance",
 "checklist": "Azure Landing Zone Review",
- "guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676",
- "link": "https://learn.microsoft.com/azure/governance/policy/overview",
- "services": [],
+ "guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption",
+ "services": [
+ "Storage",
+ "AKV"
+ ],
 "severity": "Medium",
- "subcategory": "Governance",
- "text": " "
+ "subcategory": "Secrets",
+ "text": "Azure Storage encryption is enabled for all Azure Resource Manager and classic storage accounts, and can't be disabled. Because your data is encrypted by default, you don't need to modify your code or applications to use Azure Storage encryption.",
+ "training": "https://learn.microsoft.com/training/modules/encrypt-sector-data/?source=recommendations"
 },
 {
 "category": "Security, Governance and Compliance",
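Review bot: The new xp_cmdshell item (guid `5a76a033-ced9-4eef-9a43-5e4f96634c8e`) is rated High but justifies itself only with "It's a potential risk in security audits", which names the audit finding rather than the exposure. The text should state the actual risk, for example `"text": "Disable xp_cmdshell. It lets SQL Server run operating system commands in the context of the SQL Server service account, which widens the impact of a compromised database login."`. In the same hunk the `cf65de8e-1309-4ccc-b579-266bcca275fa` text misspells Azure as `Azrue`, and it describes the HANA encryption rather than telling the reader to enable it. The commit is marked as an automated change, so both fixes probably belong in the SAP checklist this master file appears to be built from.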
@@ -6067,151 +6221,251 @@
 ],
 "severity": "High",
 "subcategory": "Secrets",
- "text": "Use Azure Key Vault to store your secrets and credentials"
+ "text": "Use Azure Key Vault to store your secrets and credentials",
+ "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations"
 },
 {
 "category": "Security, Governance and Compliance",
 "checklist": "Azure Landing Zone Review",
 "guid": "829e2edb-2173-4676-aff6-691b4935ada4",
- "link": "https://learn.microsoft.com/azure/key-vault/general/overview-throttling",
+ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json",
 "services": [
+ "RBAC",
+ "AzurePolicy",
+ "Subscriptions",
 "AKV"
 ],
 "severity": "Medium",
 "subcategory": "Secrets",
- "text": "It is recommended to LOCK the Azure Resources post successful deployment to safeguard against unauthorized changes"
+ "text": "It is recommended to LOCK the Azure Resources post successful deployment to safeguard against unauthorized changes. You can also enforce LOCK constraints and rules on your per-subscription basis using customized Azure policies(Custome role).",
+ "training": "https://learn.microsoft.com/training/modules/use-azure-resource-manager/?source=recommendations"
 },
 {
 "category": "Security, Governance and Compliance",
 "checklist": "Azure Landing Zone Review",
 "guid": "2223ece8-1b12-4318-8a54-17415833fb4a",
- "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview",
 "services": [
- "AKV",
- "AzurePolicy"
+ "AzurePolicy",
+ "AKV"
 ],
 "severity": "Medium",
 "subcategory": "Secrets",
- "text": "Provision Azure Key Vault with the soft delete and purge policies enabled to allow retention protection for deleted objects."
+ "text": "Provision Azure Key Vault with the soft delete and purge policies enabled to allow retention protection for deleted objects.",
+ "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations"
 },
 {
 "category": "Security, Governance and Compliance",
 "checklist": "Azure Landing Zone Review",
 "guid": "e3c2df74-3165-4c3a-abe0-5bbe209d490d",
- "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "link": "https://learn.microsoft.com/azure/role-based-access-control/security-controls-policy",
 "services": [
 "RBAC",
- "AKV",
- "AzurePolicy"
+ "AzurePolicy",
+ "AKV"
 ],
- "severity": "Medium",
+ "severity": "High",
 "subcategory": "Secrets",
- "text": "Based on existing requirements, regulatory and compliance controls (internal/external) - Determine what Azure Policies and Azure RBAC role are needed"
+ "text": "Based on existing requirements, regulatory and compliance controls (internal/external) - Determine what Azure Policies and Azure RBAC role are needed",
+ "training": "https://learn.microsoft.com/training/paths/describe-azure-management-governance/?source=recommendations"
 },
 {
 "category": "Security, Governance and Compliance",
 "checklist": "Azure Landing Zone Review",
 "guid": "a4777842-4d11-4678-9d2f-a56c56ad4840",
- "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance",
 "services": [
- "SAP",
- "Defender",
+ "Storage",
 "AKV",
- "AzurePolicy"
+ "Defender",
+ "SAP"
 ],
- "severity": "Medium",
+ "severity": "High",
 "subcategory": "Secrets",
- "text": "When you enable Microsoft Defender for Cloud Standard for SAP, make sure to exclude the SAP database servers from any policy that installs endpoint protection."
+ "text": "When enabling Microsoft Defender for Endpoint on SAP environment, recommend excluding data and log files on DBMS servers instead of targeting all servers. Follow your DBMS vendor's recommendations when excluding target files.",
+ "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/microsoft-defender-endpoint-mde-for-sap-applications-on-windows/ba-p/3912268"
 },
 {
 "category": "Security, Governance and Compliance",
 "checklist": "Azure Landing Zone Review",
 "guid": "8fe72734-c486-4ba2-a0dc-0591cf65de8e",
- "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks",
 "services": [
- "SAP",
 "RBAC",
- "AKV"
+ "AKV",
+ "Defender",
+ "SAP"
 ],
- "severity": "Medium",
+ "severity": "High",
 "subcategory": "Secrets",
- "text": "Delegate an SAP admin custom role with just-in-time access."
+ "text": "Delegate an SAP admin custom role with just-in-time access of Microsoft Defender for Cloud.",
+ "training": "https://learn.microsoft.com/training/modules/secure-vms-with-azure-security-center/?source=recommendations"
 },
 {
 "category": "Security, Governance and Compliance",
 "checklist": "Azure Landing Zone Review",
 "guid": "1309cccd-5792-466b-aca2-75faa1abfe9d",
- "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance",
 "services": [
- "SAP",
- "AKV"
+ "AKV",
+ "SAP"
 ],
- "severity": "Medium",
+ "severity": "Low",
 "subcategory": "Secrets",
- "text": "encrypt data in transit by integrating the third-party security product with secure network communications (SNC) for DIAG (SAP GUI), RFC, and SPNEGO for HTTPS"
+ "text": "encrypt data in transit by integrating the third-party security product with secure network communications (SNC) for DIAG (SAP GUI), RFC, and SPNEGO for HTTPS",
+ "training": "https://learn.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit"
 },
 {
 "category": "Security, Governance and Compliance",
 "checklist": "Azure Landing Zone Review",
- "guid": "55d04c3c-4919-4cb1-a3d1-325ae124ba34",
- "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "guid": "eeaa3592-829e-42ed-a217-3676aff6691b",
+ "link": "https://learn.microsoft.com/azure/storage/common/storage-encryption-key-model-get?tabs=portal",
 "services": [
- "SAP",
- "Entra",
 "AKV"
 ],
 "severity": "Medium",
 "subcategory": "Secrets",
- "text": "Azure Active Directory (Azure AD) with SAML 2.0 can also provide SSO to a range of SAP applications and platforms like SAP NetWeaver, SAP HANA, and the SAP Cloud Platform"
+ "text": "Default to Microsoft-managed keys for principal encryption functionality and use customer-managed keys when required.",
+ "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations"
 },
 {
 "category": "Security, Governance and Compliance",
 "checklist": "Azure Landing Zone Review",
- "guid": "df685edd-ce9b-4d3b-a0cd-b3b55eb2ec14",
- "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "guid": "4935ada4-2223-4ece-a1b1-23181a541741",
+ "link": "https://learn.microsoft.com/ja-jp/azure/key-vault/general/best-practices",
 "services": [
- "SAP",
 "AKV"
 ],
- "severity": "Medium",
+ "severity": "High",
 "subcategory": "Secrets",
- "text": "Make sure you harden the operating system to eradicate vulnerabilities that could lead to attacks on the SAP database."
+ "text": "Use an Azure Key Vault per application per environment per region.",
+ "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations"
 },
 {
 "category": "Security, Governance and Compliance",
 "checklist": "Azure Landing Zone Review",
- "guid": "eeaa3592-829e-42ed-a217-3676aff6691b",
- "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "guid": "abc9634d-c44d-41e9-a530-e8444e16aa3c",
+ "link": "https://learn.microsoft.com/azure/key-vault/certificates/certificate-scenarios",
 "services": [
+ "SAP",
 "AKV"
 ],
- "severity": "Medium",
+ "severity": "High",
 "subcategory": "Secrets",
- "text": "Default to Microsoft-managed keys for principal encryption functionality and use customer-managed keys when required."
+ "text": "To control and manage disk encryption keys and secrets for non-HANA Windows and non-Windows operating systems, use Azure Key Vault. SAP HANA isn't supported with Azure Key Vault, so you must use alternate methods like SAP ABAP or SSH keys.",
+ "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/?source=recommendations"
 },
 {
 "category": "Security, Governance and Compliance",
 "checklist": "Azure Landing Zone Review",
- "guid": "4935ada4-2223-4ece-a1b1-23181a541741",
+ "guid": "5833fb4a-e3c2-4df7-9316-5c3acbe05bbe",
 "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
 "services": [
 "AKV"
 ],
 "severity": "Medium",
 "subcategory": "Secrets",
- "text": "Use an Azure Key Vault per application per environment per region."
+ "text": " "
 },
 {
 "category": "Security, Governance and Compliance",
 "checklist": "Azure Landing Zone Review",
- "guid": "5833fb4a-e3c2-4df7-9316-5c3acbe05bbe",
- "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",
+ "guid": "209d490d-a477-4784-84d1-16785d2fa56c",
+ "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles",
 "services": [
- "AKV"
+ "RBAC",
+ "Subscriptions",
+ "SAP"
+ ],
+ "severity": "High",
+ "subcategory": "Security",
+ "text": "Customize role-based access control (RBAC) roles for SAP on Azure spoke subscriptions to avoid accidental network-related changes",
+ "training": "https://learn.microsoft.com/training/modules/secure-azure-resources-with-rbac/?source=recommendations"
+ },
+ {
+ "category": "Security, Governance and Compliance",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591",
+ "link": "https://blogs.sap.com/2019/07/21/sap-security-operations-on-azure/",
+ "services": [
+ "PrivateLink",
+ "SAP",
+ "NVA"
+ ],
+ "severity": "High",
+ "subcategory": "Security",
+ "text": "Isolate DMZs and NVAs from the rest of the SAP estate, configure Azure Private Link, and securely manage and control the SAP on Azure resources",
+ "training": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/secure-vnet-dmz?tabs=portal"
+ },
+ {
+ "category": "Security, Governance and Compliance",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5",
+ "link": "https://learn.microsoft.com/en-us/training/modules/secure-vms-with-azure-security-center/?source=recommendations",
+ "services": [
+ "Storage",
+ "VM"
+ ],
+ "severity": "Low",
+ "subcategory": "Security",
+ "text": "Consider using Microsoft anti-malware software on Azure to protect your virtual machines from malicious files, adware, and other threats.",
+ "training": "https://azure.microsoft.com/blog/deploying-antimalware-solutions-on-azure-virtual-machines/"
+ },
+ {
+ "category": "Security, Governance and Compliance",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676",
+ "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide",
+ "services": [
+ "Defender"
+ ],
+ "severity": "Low",
+ "subcategory": "Security",
+ "text": "For even more powerful protection, consider using Microsoft Defender for Endpoint.",
+ "training": "https://learn.microsoft.com/training/modules/implement-endpoint-protection-use-microsoft-defender/?source=recommendations"
+ },
+ {
+ "category": "Security, Governance and Compliance",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "87a924c4-25c2-419f-a2f0-96c7c4fe4525",
+ "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape",
+ "services": [
+ "SAP",
+ "VNet"
+ ],
+ "severity": "High",
+ "subcategory": "Security",
+ "text": "Isolate the SAP application and database servers from the internet or from the on-premises network by passing all traffic through the hub virtual network, which is connected to the spoke network by virtual network peering. The peered virtual networks guarantee that the SAP on Azure solution is isolated from the public internet.",
+ "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/?source=recommendations"
+ },
+ {
+ "category": "Security, Governance and Compliance",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "491ca1c4-3d40-42c0-9d85-b8933999590b",
+ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance",
+ "services": [
+ "SAP",
+ "WAF"
+ ],
+ "severity": "Low",
+ "subcategory": "Security",
+ "text": "For internet-facing applications like SAP Fiori, make sure to distribute load per application requirements while maintaining security levels. For Layer 7 security, you can use a third-party Web Application Firewall (WAF) available in the Azure Marketplace.",
+ "training": "https://learn.microsoft.com/training/modules/simplify-cloud-procurement-governance-azure-marketplace/?source=recommendations"
+ },
+ {
+ "category": "Security, Governance and Compliance",
+ "checklist": "Azure Landing Zone Review",
+ "guid": "9fc945b9-0527-47af-8200-9d652fe02fcc",
+ "link": "https://learn.microsoft.com/azure/sap/monitor/enable-tls-azure-monitor-sap-solutions",
+ "services": [
+ "SAP",
+ "AKV",
+ "Monitor"
 ],
 "severity": "Medium",
- "subcategory": "Secrets",
- "text": " "
+ "subcategory": "Security",
+ "text": "To enable secure communication in Azure Monitor for SAP solutions, you can choose to use either a root certificate or a server certificate. We highly recommend that you use root certificates.",
+ "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations"
 },
 {
 "category": "Storage",
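Review bot: The entry with guid `5833fb4a-e3c2-4df7-9316-5c3acbe05bbe` is added with `"text": " "` while still carrying a Key Vault link and a Medium severity, so the checklist ships a blank recommendation that an assessor cannot evaluate; it should either be dropped or given real text. In the same hunk the `4935ada4-2223-4ece-a1b1-23181a541741` link uses the `ja-jp` locale path and the `e124ba34-df68-45ed-bce9-bd3bb0cdb3b5` link uses `en-us`, while the neighbouring links are locale-neutral, e.g. `"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices",`. The resource-lock text ends in `policies(Custome role)`, which misspells "custom" and reads as if a policy were a role. Lowering the SNC encryption-in-transit item (`1309cccd-5792-466b-aca2-75faa1abfe9d`) from Medium to Low looks worth a second look, since unencrypted SAP GUI and RFC traffic is a confidentiality exposure. The commit is marked as an automated change, so these probably need fixing in the per-workload checklist it was built from.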
@@ -6233,10 +6487,10 @@ "id": "A01.01", "link": "https://azure.microsoft.com/support/legal/sla/virtual-desktop/v1_0/", "services": [ - "VM", - "AVD", "ASR", - "Subscriptions" + "VM", + "Subscriptions", + "AVD" ], "severity": "High", "subcategory": "Compute", @@ -6251,10 +6505,10 @@ "id": "A01.02", "link": "https://learn.microsoft.com/azure/architecture/example-scenario/wvd/azure-virtual-desktop-multi-region-bcdr", "services": [ - "VM", - "AVD", + "Storage", "ASR", - "Storage" + "VM", + "AVD" ], "severity": "Medium", "subcategory": "Compute", @@ -6269,8 +6523,8 @@ "id": "A01.03", "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery", "services": [ - "AVD", - "ASR" + "ASR", + "AVD" ], "severity": "Low", "subcategory": "Compute", @@ -6286,8 +6540,8 @@ "link": "https://techcommunity.microsoft.com/t5/azure-virtual-desktop-blog/announcing-general-availability-of-support-for-azure/ba-p/3636262", "services": [ "ACR", - "AVD", - "ASR" + "ASR", + "AVD" ], "severity": "High", "subcategory": "Compute", @@ -6302,10 +6556,10 @@ "id": "A01.05", "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery", "services": [ - "VM", - "AVD", "ASR", - "Backup" + "VM", + "Backup", + "AVD" ], "severity": "Medium", "subcategory": "Compute", @@ -6320,11 +6574,11 @@ "id": "A01.06", "link": "https://learn.microsoft.com/azure/site-recovery/azure-to-azure-how-to-enable-zone-to-zone-disaster-recovery", "services": [ - "Cost", - "VM", + "Backup", "AVD", "ASR", - "Backup" + "Cost", + "VM" ], "severity": "Medium", "subcategory": "Compute", @@ -6339,11 +6593,11 @@ "id": "A02.01", "link": "https://learn.microsoft.com/azure/virtual-machines/azure-compute-gallery", "services": [ - "Storage", - "VM", "AVD", "ACR", - "ASR" + "Storage", + "ASR", + "VM" ], "severity": "Low", "subcategory": "Dependencies", 
@@ -6358,8 +6612,8 @@ "id": "A02.02", "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery", "services": [ - "AVD", - "ASR" + "ASR", + "AVD" ], "severity": "Medium", "subcategory": "Dependencies", @@ -6374,9 +6628,9 @@ "id": "A03.01", "link": "https://docs.microsoft.com/fslogix/manage-profile-content-cncpt", "services": [ + "Storage", "ASR", - "AVD", - "Storage" + "AVD" ], "severity": "Medium", "subcategory": "Storage", @@ -6391,10 +6645,10 @@ "id": "A03.02", "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery", "services": [ - "Storage", + "Backup", "AVD", + "Storage", "ASR", - "Backup", "AzurePolicy" ], "severity": "Medium", @@ -6410,9 +6664,9 @@ "id": "A03.03", "link": "https://docs.microsoft.com/azure/virtual-desktop/disaster-recovery", "services": [ + "Storage", "ASR", - "AVD", - "Storage" + "AVD" ], "severity": "Medium", "subcategory": "Storage", @@ -6427,10 +6681,10 @@ "id": "A03.04", "link": "https://docs.microsoft.com/azure/backup/backup-afs", "services": [ - "AVD", + "Storage", "ASR", "Backup", - "Storage" + "AVD" ], "severity": "Medium", "subcategory": "Storage", @@ -6445,9 +6699,9 @@ "id": "A03.05", "link": "https://learn.microsoft.com/azure/storage/files/files-redundancy#zone-redundant-storage", "services": [ + "Storage", "ASR", - "AVD", - "Storage" + "AVD" ], "severity": "High", "subcategory": "Storage", @@ -6462,11 +6716,11 @@ "id": "A03.06", "link": "https://learn.microsoft.com/azure/azure-netapp-files/cross-region-replication-create-peering", "services": [ - "Storage", + "Backup", "AVD", "ACR", - "ASR", - "Backup" + "Storage", + "ASR" ], "severity": "Medium", "subcategory": "Storage", @@ -6526,9 +6780,9 @@ "id": "B01.04", "link": "https://learn.microsoft.com/azure/virtual-machines/shared-image-galleries", "services": [ + "Storage", "VM", - "AVD", - "Storage" + "AVD" ], "severity": "Low", "subcategory": "Golden Images", 
@@ -6588,8 +6842,8 @@ "id": "B01.08", "link": "https://github.com/The-Virtual-Desktop-Team/Virtual-Desktop-Optimization-Tool", "services": [ - "AVD", - "RBAC" + "RBAC", + "AVD" ], "severity": "Low", "subcategory": "Golden Images", @@ -6604,8 +6858,8 @@ "id": "B01.09", "link": "https://learn.microsoft.com/azure/virtual-desktop/install-office-on-wvd-master-image#install-onedrive-in-per-machine-mode", "services": [ - "AVD", - "Storage" + "Storage", + "AVD" ], "severity": "Low", "subcategory": "Golden Images", @@ -6650,9 +6904,9 @@ "id": "B02.01", "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-file-share", "services": [ - "AVD", + "Cost", "Storage", - "Cost" + "AVD" ], "severity": "Medium", "subcategory": "MSIX & AppAttach", @@ -6682,10 +6936,10 @@ "id": "B02.03", "link": "https://docs.microsoft.com/azure/virtual-desktop/app-attach-file-share", "services": [ - "VM", - "AVD", "Storage", - "RBAC" + "RBAC", + "VM", + "AVD" ], "severity": "Medium", "subcategory": "MSIX & AppAttach", @@ -6854,8 +7108,8 @@ "id": "C01.06", "link": "https://learn.microsoft.com/azure/virtual-desktop/terminology?WT.mc_id=Portal-fx#application-groups", "services": [ - "AVD", - "Storage" + "Storage", + "AVD" ], "severity": "High", "subcategory": "Capacity Planning", @@ -6871,8 +7125,8 @@ "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits#azure-virtual-desktop-service-limits", "services": [ "ACR", - "AVD", - "Entra" + "Entra", + "AVD" ], "severity": "Medium", "subcategory": "Capacity Planning", @@ -6902,9 +7156,9 @@ "id": "C01.09", "link": "https://learn.microsoft.com/azure/virtual-desktop/configure-host-pool-personal-desktop-assignment-type?tabs=azure#reassign-a-personal-desktop", "services": [ + "Storage", "VM", - "AVD", - "Storage" + "AVD" ], "severity": "Low", "subcategory": "Capacity Planning", 
@@ -6935,8 +7189,8 @@ "id": "C01.11", "link": "https://learn.microsoft.com/azure/architecture/example-scenario/wvd/windows-virtual-desktop#considerations", "services": [ - "AVD", - "Storage" + "Storage", + "AVD" ], "severity": "High", "subcategory": "Capacity Planning", @@ -6997,10 +7251,10 @@ "id": "C02.02", "link": "https://learn.microsoft.com/azure/architecture/example-scenario/wvd/windows-virtual-desktop?toc=%2Fazure%2Fvirtual-desktop%2Ftoc.json&bc=%2Fazure%2Fvirtual-desktop%2Fbreadcrumb%2Ftoc.json", "services": [ + "Storage", "ExpressRoute", "VPN", - "AVD", - "Storage" + "AVD" ], "severity": "Medium", "subcategory": "Clients & Users", @@ -7090,9 +7344,9 @@ "id": "C03.03", "link": "https://docs.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits", "services": [ + "Storage", "VM", - "AVD", - "Storage" + "AVD" ], "severity": "Low", "subcategory": "General", @@ -7107,9 +7361,9 @@ "id": "D01.01", "link": "https://docs.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain", "services": [ - "AVD", "VNet", "Entra", + "AVD", "Storage" ], "severity": "Medium", @@ -7125,8 +7379,8 @@ "id": "D01.02", "link": "https://docs.microsoft.com/azure/virtual-desktop/create-host-pools-azure-marketplace", "services": [ - "AVD", - "Entra" + "Entra", + "AVD" ], "severity": "Medium", "subcategory": "Active Directory", @@ -7141,8 +7395,8 @@ "id": "D01.03", "link": "https://docs.microsoft.com/previous-versions/windows/desktop/Policy/group-policy-hierarchy", "services": [ - "AVD", - "Entra" + "Entra", + "AVD" ], "severity": "Medium", "subcategory": "Active Directory", @@ -7157,8 +7411,8 @@ "id": "D01.04", "link": "https://learn.microsoft.com/fslogix/how-to-use-group-policy-templates", "services": [ - "AVD", - "Entra" + "Entra", + "AVD" ], "severity": "Medium", "subcategory": "Active Directory", 
@@ -7174,8 +7428,8 @@ "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#session-hosts", "services": [ "VM", - "AVD", - "Entra" + "Entra", + "AVD" ], "severity": "Medium", "subcategory": "Active Directory", @@ -7190,8 +7444,8 @@ "id": "D01.06", "link": "https://docs.microsoft.com/azure/virtual-desktop/manage-app-groups", "services": [ - "AVD", - "Entra" + "Entra", + "AVD" ], "severity": "Medium", "subcategory": "Active Directory", @@ -7206,10 +7460,10 @@ "id": "D01.07", "link": "https://docs.microsoft.com/azure/storage/files/storage-files-identity-ad-ds-enable", "services": [ - "AVD", "Storage", + "AzurePolicy", "Entra", - "AzurePolicy" + "AVD" ], "severity": "High", "subcategory": "Active Directory", @@ -7224,8 +7478,8 @@ "id": "D01.08", "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#identity", "services": [ - "AVD", - "Entra" + "Entra", + "AVD" ], "severity": "High", "subcategory": "Active Directory", @@ -7240,9 +7494,9 @@ "id": "D02.01", "link": "https://learn.microsoft.com/azure/storage/files/storage-files-identity-auth-hybrid-identities-enable", "services": [ - "AVD", "Storage", - "Entra" + "Entra", + "AVD" ], "severity": "Medium", "subcategory": "Microsoft Entra ID", @@ -7257,10 +7511,10 @@ "id": "D03.01", "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#identity", "services": [ - "AVD", "VNet", "Entra", - "Subscriptions" + "Subscriptions", + "AVD" ], "severity": "High", "subcategory": "Requirements", @@ -7275,8 +7529,8 @@ "id": "D03.02", "link": "https://learn.microsoft.com/azure/virtual-desktop/authentication", "services": [ - "AVD", - "Entra" + "Entra", + "AVD" ], "severity": "High", "subcategory": "Requirements", 
@@ -7291,8 +7545,8 @@ "id": "D03.03", "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#supported-identity-scenarios", "services": [ - "AVD", - "Entra" + "Entra", + "AVD" ], "severity": "Medium", "subcategory": "Requirements", @@ -7307,8 +7561,8 @@ "id": "D03.04", "link": "https://learn.microsoft.com/azure/virtual-desktop/authentication#single-sign-on-sso", "services": [ - "AVD", - "Entra" + "Entra", + "AVD" ], "severity": "Medium", "subcategory": "Requirements", @@ -7324,8 +7578,8 @@ "link": "https://learn.microsoft.com/azure/virtual-desktop/prerequisites?tabs=portal#supported-identity-scenarios", "services": [ "VM", - "AVD", - "Entra" + "Entra", + "AVD" ], "severity": "High", "subcategory": "Requirements", @@ -7340,8 +7594,8 @@ "id": "D03.06", "link": "https://docs.microsoft.com/azure/active-directory-domain-services/compare-identity-solutions", "services": [ - "AVD", - "Entra" + "Entra", + "AVD" ], "severity": "Low", "subcategory": "Requirements", @@ -7356,9 +7610,9 @@ "id": "E01.01", "link": "https://learn.microsoft.com/azure/virtual-desktop/administrative-template", "services": [ - "Monitor", + "Entra", "AVD", - "Entra" + "Monitor" ], "severity": "Low", "subcategory": "Management", @@ -7373,9 +7627,9 @@ "id": "E01.02", "link": "https://learn.microsoft.com/azure/virtual-desktop/management", "services": [ - "Monitor", + "VM", "AVD", - "VM" + "Monitor" ], "severity": "Low", "subcategory": "Management", @@ -7390,8 +7644,8 @@ "id": "E01.03", "link": "https://learn.microsoft.com/mem/intune/fundamentals/azure-virtual-desktop", "services": [ - "Monitor", - "AVD" + "AVD", + "Monitor" ], "severity": "Medium", "subcategory": "Management", @@ -7406,10 +7660,10 @@ "id": "E01.04", "link": "https://learn.microsoft.com/azure/virtual-desktop/autoscale-scenarios", "services": [ - "Monitor", - "AVD", + "Cost", "VM", - "Cost" + "AVD", + "Monitor" ], "severity": "Medium", "subcategory": "Management", 
@@ -7424,9 +7678,9 @@ "id": "E01.05", "link": "https://learn.microsoft.com/azure/virtual-desktop/start-virtual-machine-connect", "services": [ + "Cost", "VM", "AVD", - "Cost", "Monitor" ], "severity": "Low", @@ -7442,11 +7696,11 @@ "id": "E01.06", "link": "https://learn.microsoft.com/azure/virtual-desktop/start-virtual-machine-connect-faq#are-vms-automatically-deallocated-when-a-user-stops-using-them", "services": [ - "Cost", - "VM", "AVD", "Monitor", - "AzurePolicy" + "AzurePolicy", + "Cost", + "VM" ], "severity": "Low", "subcategory": "Management", @@ -7461,13 +7715,13 @@ "id": "E01.07", "link": "https://learn.microsoft.com/azure/virtual-desktop/tag-virtual-desktop-resources", "services": [ - "VWAN", - "ExpressRoute", - "Storage", - "Cost", "AVD", "Monitor", + "Storage", "VPN", + "VWAN", + "ExpressRoute", + "Cost", "DNS" ], "severity": "Low", @@ -7483,10 +7737,10 @@ "id": "E01.08", "link": "https://learn.microsoft.com/azure/virtual-desktop/azure-advisor-recommendations", "services": [ - "Monitor", - "AVD", "Cost", - "Entra" + "Entra", + "AVD", + "Monitor" ], "severity": "Low", "subcategory": "Management", @@ -7501,8 +7755,8 @@ "id": "E01.09", "link": "https://learn.microsoft.com/mem/intune/fundamentals/azure-virtual-desktop-multi-session", "services": [ - "Monitor", - "AVD" + "AVD", + "Monitor" ], "severity": "Medium", "subcategory": "Management", @@ -7517,8 +7771,8 @@ "id": "E01.10", "link": "https://learn.microsoft.com/azure/virtual-desktop/scheduled-agent-updates", "services": [ - "Monitor", - "AVD" + "AVD", + "Monitor" ], "severity": "Low", "subcategory": "Management", @@ -7533,9 +7787,9 @@ "id": "E01.11", "link": "https://docs.microsoft.com/azure/virtual-desktop/create-validation-host-pool", "services": [ - "Monitor", + "VM", "AVD", - "VM" + "Monitor" ], "severity": "Medium", "subcategory": "Management", 
@@ -7550,9 +7804,9 @@ "id": "E01.12", "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/wvd/eslz-platform-automation-and-devops", "services": [ - "Monitor", + "VM", "AVD", - "VM" + "Monitor" ], "severity": "Medium", "subcategory": "Management", @@ -7584,8 +7838,8 @@ "id": "E02.01", "link": "https://learn.microsoft.com/azure/virtual-desktop/insights", "services": [ - "Monitor", - "AVD" + "AVD", + "Monitor" ], "severity": "High", "subcategory": "Monitoring", @@ -7617,9 +7871,9 @@ "id": "E02.03", "link": "https://docs.microsoft.com/azure/storage/files/storage-files-monitoring?tabs=azure-portal", "services": [ - "Monitor", + "Storage", "AVD", - "Storage" + "Monitor" ], "severity": "Medium", "subcategory": "Monitoring", @@ -7634,8 +7888,8 @@ "id": "E02.04", "link": "https://docs.microsoft.com/azure/virtual-desktop/set-up-service-alerts", "services": [ - "Monitor", - "AVD" + "AVD", + "Monitor" ], "severity": "Medium", "subcategory": "Monitoring", @@ -7668,9 +7922,9 @@ "id": "F01.02", "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/wvd/eslz-network-topology-and-connectivity", "services": [ - "VWAN", + "VNet", "AVD", - "VNet" + "VWAN" ], "severity": "Medium", "subcategory": "Networking", @@ -7701,10 +7955,10 @@ "id": "F01.04", "link": "https://docs.microsoft.com/azure/firewall/protect-windows-virtual-desktop", "services": [ - "AVD", - "NVA", + "VNet", "Firewall", - "VNet" + "AVD", + "NVA" ], "severity": "Medium", "subcategory": "Networking", @@ -7734,8 +7988,8 @@ "id": "F01.06", "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/onboard-windows-multi-session-device?view=o365-worldwide", "services": [ - "AVD", - "Defender" + "Defender", + "AVD" ], "severity": "Medium", "subcategory": "Networking", 
@@ -7750,9 +8004,9 @@ "id": "F01.07", "link": "https://docs.microsoft.com/azure/firewall/protect-windows-virtual-desktop", "services": [ - "AVD", "VNet", "Firewall", + "AVD", "NVA" ], "severity": "Low", @@ -7800,11 +8054,11 @@ "id": "F01.10", "link": "https://learn.microsoft.com/azure/storage/files/storage-files-networking-endpoints", "services": [ + "AVD", "Storage", + "VNet", "Cost", - "PrivateLink", - "AVD", - "VNet" + "PrivateLink" ], "severity": "Medium", "subcategory": "Networking", @@ -7850,8 +8104,8 @@ "id": "G02.01", "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/deployment-vdi-microsoft-defender-antivirus", "services": [ - "AVD", - "Defender" + "Defender", + "AVD" ], "severity": "High", "subcategory": "Host Configuration", @@ -7866,10 +8120,10 @@ "id": "G02.02", "link": "https://learn.microsoft.com/azure/virtual-machines/disk-encryption-overview", "services": [ - "VM", - "AVD", "Storage", - "AKV" + "AKV", + "VM", + "AVD" ], "severity": "Low", "subcategory": "Host Configuration", @@ -7962,8 +8216,8 @@ "id": "G03.02", "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview", "services": [ - "AVD", - "Defender" + "Defender", + "AVD" ], "severity": "Medium", "subcategory": "Management", @@ -7993,12 +8247,12 @@ "id": "G03.04", "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#enable-microsoft-defender-for-cloud", "services": [ - "Storage", - "VM", + "Subscriptions", + "AKV", "AVD", + "Storage", "Defender", - "AKV", - "Subscriptions" + "VM" ], "severity": "Medium", "subcategory": "Management", @@ -8013,9 +8267,9 @@ "id": "G03.05", "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#collect-audit-logs", "services": [ - "Monitor", + "Entra", "AVD", - "Entra" + "Monitor" ], "severity": "Medium", "subcategory": "Management", 
@@ -8030,9 +8284,9 @@ "id": "G03.06", "link": "https://docs.microsoft.com/azure/virtual-desktop/rbac", "services": [ - "AVD", + "RBAC", "Entra", - "RBAC" + "AVD" ], "severity": "Low", "subcategory": "Management", @@ -8047,8 +8301,8 @@ "id": "G03.07", "link": "https://learn.microsoft.com/azure/virtual-desktop/security-guide#windows-defender-application-control", "services": [ - "AVD", - "Defender" + "Defender", + "AVD" ], "severity": "Medium", "subcategory": "Management", @@ -8063,8 +8317,8 @@ "id": "G04.01", "link": "https://learn.microsoft.com/azure/virtual-desktop/set-up-mfa", "services": [ - "AVD", - "Entra" + "Entra", + "AVD" ], "severity": "Medium", "subcategory": "Microsoft Entra ID", @@ -8094,8 +8348,8 @@ "id": "H01.01", "link": "https://learn.microsoft.com/azure/virtual-desktop/fslogix-containers-azure-files#best-practices-for-azure-virtual-desktop", "services": [ - "AVD", - "Storage" + "Storage", + "AVD" ], "severity": "Medium", "subcategory": "Azure Files", @@ -8111,8 +8365,8 @@ "link": "https://learn.microsoft.com/azure/storage/files/storage-files-smb-multichannel-performance", "services": [ "ACR", - "AVD", "Storage", + "AVD", "Cost" ], "severity": "Low", @@ -8128,8 +8382,8 @@ "id": "H02.01", "link": "https://azure.microsoft.com/global-infrastructure/services/", "services": [ - "AVD", - "Storage" + "Storage", + "AVD" ], "severity": "Medium", "subcategory": "Azure NetApp Files", @@ -8144,8 +8398,8 @@ "id": "H02.02", "link": "https://learn.microsoft.com/azure/virtual-desktop/create-fslogix-profile-container", "services": [ - "AVD", - "Storage" + "Storage", + "AVD" ], "severity": "Medium", "subcategory": "Azure NetApp Files", @@ -8160,9 +8414,9 @@ "id": "H02.03", "link": "https://docs.microsoft.com/azure/azure-netapp-files/create-active-directory-connections", "services": [ - "AVD", "Storage", - "VNet" + "VNet", + "AVD" ], "severity": "High", "subcategory": "Azure NetApp Files", 
@@ -8177,8 +8431,8 @@ "id": "H03.01", "link": "https://docs.microsoft.com/azure/virtual-machines/disks-types", "services": [ - "AVD", - "Storage" + "Storage", + "AVD" ], "severity": "Medium", "subcategory": "Capacity Planning", @@ -8193,9 +8447,9 @@ "id": "H03.02", "link": "https://docs.microsoft.com/azure/virtual-desktop/store-fslogix-profile", "services": [ + "Storage", "VM", - "AVD", - "Storage" + "AVD" ], "severity": "High", "subcategory": "Capacity Planning", @@ -8210,8 +8464,8 @@ "id": "H03.03", "link": "https://learn.microsoft.com/azure/virtual-desktop/store-fslogix-profile", "services": [ - "AVD", - "Storage" + "Storage", + "AVD" ], "severity": "High", "subcategory": "Capacity Planning", @@ -8226,8 +8480,8 @@ "id": "H03.04", "link": "https://learn.microsoft.com/azure/virtual-desktop/faq#what-s-the-largest-profile-size-fslogix-can-handle-", "services": [ - "AVD", - "Storage" + "Storage", + "AVD" ], "severity": "High", "subcategory": "Capacity Planning", @@ -8242,9 +8496,9 @@ "id": "H03.05", "link": "https://docs.microsoft.com/azure/virtual-desktop/fslogix-containers-azure-files", "services": [ - "AVD", + "Cost", "Storage", - "Cost" + "AVD" ], "severity": "High", "subcategory": "Capacity Planning", @@ -8259,9 +8513,9 @@ "id": "H04.01", "link": "https://learn.microsoft.com/fslogix/concepts-container-types#when-to-use-profile-and-odfc-containers", "services": [ + "Storage", "ASR", - "AVD", - "Storage" + "AVD" ], "severity": "High", "subcategory": "FSLogix", @@ -8276,8 +8530,8 @@ "id": "H04.02", "link": "https://learn.microsoft.com/fslogix/overview-prerequisites#configure-antivirus-file-and-folder-exclusions", "services": [ - "AVD", - "Storage" + "Storage", + "AVD" ], "severity": "Medium", "subcategory": "FSLogix", @@ -8292,8 +8546,8 @@ "id": "H04.03", "link": "https://docs.microsoft.com/fslogix/profile-container-configuration-reference", "services": [ - "AVD", - "Storage" + "Storage", + "AVD" ], "severity": "High", "subcategory": "FSLogix", 
@@ -8309,9 +8563,9 @@ "link": "https://learn.microsoft.com/fslogix/concepts-configuration-examples", "services": [ "ACR", - "AVD", "Storage", - "AKV" + "AKV", + "AVD" ], "severity": "High", "subcategory": "FSLogix", @@ -8326,8 +8580,8 @@ "id": "H04.05", "link": "https://learn.microsoft.com/fslogix/concepts-multi-concurrent-connections", "services": [ - "AVD", - "Storage" + "Storage", + "AVD" ], "severity": "High", "subcategory": "FSLogix", @@ -8342,9 +8596,9 @@ "id": "H04.06", "link": "https://docs.microsoft.com/fslogix/cloud-cache-configuration-reference", "services": [ + "Storage", "VM", - "AVD", - "Storage" + "AVD" ], "severity": "Low", "subcategory": "FSLogix", @@ -8359,8 +8613,8 @@ "id": "H04.07", "link": "https://docs.microsoft.com/fslogix/manage-profile-content-cncpt#redirectionsxml", "services": [ - "AVD", - "Storage" + "Storage", + "AVD" ], "severity": "Medium", "subcategory": "FSLogix", @@ -8569,8 +8823,8 @@ "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/mca-section-invoice", "services": [ "Cost", - "Entra", - "Storage" + "Storage", + "Entra" ], "severity": "Low", "subcategory": "Microsoft Customer Agreement", @@ -8663,8 +8917,8 @@ "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor", "service": "Entra", "services": [ - "Monitor", - "Entra" + "Entra", + "Monitor" ], "severity": "Medium", "subcategory": "Identity", @@ -8699,8 +8953,8 @@ "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/overview", "service": "Entra", "services": [ - "Entra", - "AzurePolicy" + "AzurePolicy", + "Entra" ], "severity": "Low", "subcategory": "Identity", @@ -8815,8 +9069,8 @@ "id": "B03.11", "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain#vm-recommendations", "services": [ - "VM", "ACR", + "VM", "Entra" ], "severity": "Medium", 
@@ -8896,8 +9150,8 @@ "id": "B04.01", "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access-landing-zones#managed-identities", "services": [ - "VNet", - "Entra" + "Entra", + "VNet" ], "severity": "Medium", "subcategory": "Landing zones", @@ -8912,11 +9166,11 @@ "id": "B04.02", "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access-landing-zones#rbac-recommendations", "services": [ + "AKV", + "ACR", "Storage", "RBAC", - "ACR", - "Entra", - "AKV" + "Entra" ], "severity": "Medium", "subcategory": "Landing zones", @@ -8990,8 +9244,8 @@ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-group-recommendations", "services": [ "RBAC", - "Subscriptions", - "AzurePolicy" + "AzurePolicy", + "Subscriptions" ], "severity": "Medium", "subcategory": "Subscriptions", @@ -9006,10 +9260,10 @@ "id": "C02.04", "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/resource-org-management-groups#management-group-recommendations", "services": [ - "ExpressRoute", "DNS", - "VWAN", - "Subscriptions" + "ExpressRoute", + "Subscriptions", + "VWAN" ], "severity": "Medium", "subcategory": "Subscriptions", @@ -9069,10 +9323,10 @@ "id": "C02.08", "link": "https://learn.microsoft.com/azure/governance/management-groups/overview", "services": [ - "Subscriptions", - "RBAC", "Cost", - "AzurePolicy" + "RBAC", + "AzurePolicy", + "Subscriptions" ], "severity": "High", "subcategory": "Subscriptions", @@ -9101,9 +9355,9 @@ "id": "C02.10", "link": "https://learn.microsoft.com/azure/cost-management-billing/reservations/save-compute-costs-reservations", "services": [ + "Cost", "VM", "Subscriptions", - "Cost", "AzurePolicy" ], "severity": "High", 
@@ -9120,8 +9374,8 @@ "id": "C02.11", "link": "https://learn.microsoft.com/azure/architecture/framework/scalability/design-capacity", "services": [ - "Monitor", - "Subscriptions" + "Subscriptions", + "Monitor" ], "severity": "High", "subcategory": "Subscriptions", @@ -9243,8 +9497,8 @@ "id": "D01.01", "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-app-delivery", "services": [ - "FrontDoor", - "AppGW" + "AppGW", + "FrontDoor" ], "severity": "Medium", "subcategory": "App delivery", @@ -9337,13 +9591,13 @@ "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/expressroute", "service": "VNet", "services": [ - "ExpressRoute", - "NVA", "Firewall", + "VNet", + "NVA", "VPN", - "DNS", "Entra", - "VNet" + "ExpressRoute", + "DNS" ], "severity": "High", "subcategory": "Hub and spoke", @@ -9391,8 +9645,8 @@ "link": "https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1", "service": "ARS", "services": [ - "ARS", - "VNet" + "VNet", + "ARS" ], "severity": "Low", "subcategory": "Hub and spoke", @@ -9544,8 +9798,8 @@ "link": "https://learn.microsoft.com/azure/expressroute/plan-manage-cost", "service": "ExpressRoute", "services": [ - "ExpressRoute", - "Cost" + "Cost", + "ExpressRoute" ], "severity": "High", "subcategory": "Hybrid", @@ -9562,8 +9816,8 @@ "link": "https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local", "service": "ExpressRoute", "services": [ - "ExpressRoute", - "Cost" + "Cost", + "ExpressRoute" ], "severity": "High", "subcategory": "Hybrid", @@ -9661,8 +9915,8 @@ "link": "https://learn.microsoft.com/azure/expressroute/expressroute-erdirect-about", "service": "ExpressRoute", "services": [ - "ExpressRoute", - "Cost" + "Cost", + "ExpressRoute" ], "severity": "High", "subcategory": "Hybrid", 
@@ -9711,9 +9965,9 @@ "link": "https://learn.microsoft.com/azure/expressroute/how-to-configure-connection-monitor", "service": "ExpressRoute", "services": [ - "Monitor", "ACR", - "NetworkWatcher" + "NetworkWatcher", + "Monitor" ], "severity": "Medium", "subcategory": "Hybrid", @@ -9780,8 +10034,8 @@ "link": "https://learn.microsoft.com/azure/expressroute/designing-for-high-availability-with-expressroute#active-active-connections", "service": "ExpressRoute", "services": [ - "ExpressRoute", - "ACR" + "ACR", + "ExpressRoute" ], "severity": "High", "subcategory": "Hybrid", @@ -9918,8 +10172,8 @@ "link": "https://learn.microsoft.com/azure/dns/private-dns-autoregistration", "service": "DNS", "services": [ - "VM", "DNS", + "VM", "VNet" ], "severity": "High", @@ -9952,8 +10206,8 @@ "link": "https://learn.microsoft.com/azure/bastion/bastion-faq#subnet", "service": "Bastion", "services": [ - "VNet", - "Bastion" + "Bastion", + "VNet" ], "severity": "Medium", "subcategory": "Internet", @@ -9986,9 +10240,9 @@ "service": "Firewall", "services": [ "ACR", - "Firewall", + "RBAC", "AzurePolicy", - "RBAC" + "Firewall" ], "severity": "Medium", "subcategory": "Internet", @@ -10020,10 +10274,10 @@ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", "service": "WAF", "services": [ - "WAF", "ACR", "FrontDoor", - "AzurePolicy" + "AzurePolicy", + "WAF" ], "severity": "Medium", "subcategory": "Internet", @@ -10039,10 +10293,10 @@ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", "service": "WAF", "services": [ - "WAF", - "FrontDoor", "AppGW", - "AzurePolicy" + "WAF", + "AzurePolicy", + "FrontDoor" ], "severity": "Low", "subcategory": "Internet", @@ -10059,8 +10313,8 @@ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", "service": "WAF", "services": [ - "WAF", - "VNet" + "VNet", + "WAF" ], "severity": "High", "subcategory": "Internet", 
@@ -10077,8 +10331,8 @@ "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-reference-architectures", "service": "VNet", "services": [ - "VNet", - "DDoS" + "DDoS", + "VNet" ], "severity": "High", "subcategory": "Internet", @@ -10165,11 +10419,11 @@ "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview", "service": "Firewall", "services": [ - "VWAN", - "NVA", - "Storage", "Firewall", - "VNet" + "Storage", + "VNet", + "VWAN", + "NVA" ], "severity": "High", "subcategory": "Internet", @@ -10230,8 +10484,8 @@ "link": "https://learn.microsoft.com/azure/app-service/networking-features", "service": "ExpressRoute", "services": [ - "ExpressRoute", - "PrivateLink" + "PrivateLink", + "ExpressRoute" ], "severity": "Medium", "subcategory": "PaaS", @@ -10264,10 +10518,10 @@ "link": "https://learn.microsoft.com/azure/app-service/networking-features", "service": "Firewall", "services": [ + "PrivateLink", "DNS", - "NVA", "Firewall", - "PrivateLink" + "NVA" ], "severity": "Medium", "subcategory": "PaaS", @@ -10285,8 +10539,8 @@ "link": "https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size", "service": "Firewall", "services": [ - "Firewall", - "VNet" + "VNet", + "Firewall" ], "severity": "High", "subcategory": "Segmentation", @@ -10385,9 +10639,9 @@ "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", "service": "NSG", "services": [ - "NVA", "Entra", - "VNet" + "VNet", + "NVA" ], "severity": "Medium", "subcategory": "Segmentation", @@ -10403,8 +10657,8 @@ "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", "service": "NSG", "services": [ - "VNet", - "NetworkWatcher" + "NetworkWatcher", + "VNet" ], "severity": "Medium", "subcategory": "Segmentation", 
@@ -10436,8 +10690,8 @@ "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", "service": "VWAN", "services": [ - "VWAN", - "ACR" + "ACR", + "VWAN" ], "severity": "Medium", "subcategory": "Virtual WAN", @@ -10452,8 +10706,8 @@ "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", "service": "VWAN", "services": [ - "VWAN", - "ACR" + "ACR", + "VWAN" ], "severity": "Low", "subcategory": "Virtual WAN", @@ -10627,8 +10881,8 @@ "link": "https://learn.microsoft.com/azure/governance/policy/overview", "service": "Policy", "services": [ - "Subscriptions", - "AzurePolicy" + "AzurePolicy", + "Subscriptions" ], "severity": "Medium", "subcategory": "Governance", @@ -10658,8 +10912,8 @@ "link": "https://learn.microsoft.com/security/benchmark/azure/mcsb-asset-management#am-2-use-only-approved-services", "service": "Policy", "services": [ - "Subscriptions", - "AzurePolicy" + "AzurePolicy", + "Subscriptions" ], "severity": "Low", "subcategory": "Governance", @@ -10690,10 +10944,10 @@ "link": "https://learn.microsoft.com/azure/governance/policy/overview#azure-rbac-permissions-in-azure-policy", "service": "Policy", "services": [ - "Subscriptions", "RBAC", + "AzurePolicy", "Entra", - "AzurePolicy" + "Subscriptions" ], "severity": "Medium", "subcategory": "Governance", @@ -10708,8 +10962,8 @@ "link": "https://learn.microsoft.com/azure/governance/policy/overview", "service": "Policy", "services": [ - "Subscriptions", - "AzurePolicy" + "AzurePolicy", + "Subscriptions" ], "severity": "Medium", "subcategory": "Governance", @@ -10784,8 +11038,8 @@ "link": "https://learn.microsoft.com/azure/automation/automation-solution-vm-management-config", "service": "VM", "services": [ - "VM", "Cost", + "VM", "TrafficManager" ], "severity": "Low", 
@@ -10815,9 +11069,9 @@ "id": "E02.02", "link": "https://learn.microsoft.com/azure/cost-management-billing/costs/tutorial-acm-create-budgets?bc=%2Fazure%2Fcloud-adoption-framework%2F_bread%2Ftoc.json&toc=%2Fazure%2Fcloud-adoption-framework%2Ftoc.json", "services": [ - "Monitor", "Cost", - "TrafficManager" + "TrafficManager", + "Monitor" ], "severity": "Medium", "subcategory": "Optimize your cloud investment", @@ -10833,9 +11087,9 @@ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-diagnostic-settings-to-save-your-wafs-logs", "service": "WAF", "services": [ + "AppGW", "WAF", - "FrontDoor", - "AppGW" + "FrontDoor" ], "severity": "High", "subcategory": "App delivery", @@ -10850,10 +11104,10 @@ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", "service": "WAF", "services": [ - "WAF", - "FrontDoor", "Sentinel", - "AppGW" + "AppGW", + "WAF", + "FrontDoor" ], "severity": "Medium", "subcategory": "App delivery", @@ -10895,10 +11149,10 @@ "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", "service": "Monitor", "services": [ - "Monitor", "RBAC", + "AzurePolicy", "Entra", - "AzurePolicy" + "Monitor" ], "severity": "Medium", "subcategory": "Monitoring", @@ -10927,8 +11181,8 @@ "link": "https://learn.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#how-retention-and-archiving-work", "service": "Monitor", "services": [ - "Monitor", - "ARS" + "ARS", + "Monitor" ], "severity": "Medium", "subcategory": "Monitoring", @@ -10944,8 +11198,8 @@ "link": "https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/govern/policy-compliance/regulatory-compliance", "service": "Policy", "services": [ - "Monitor", - "AzurePolicy" + "AzurePolicy", + "Monitor" ], "severity": "Medium", "subcategory": "Monitoring", 
@@ -10962,8 +11216,8 @@ "service": "VM", "services": [ "VM", - "Monitor", - "AzurePolicy" + "AzurePolicy", + "Monitor" ], "severity": "Medium", "subcategory": "Monitoring", @@ -11011,8 +11265,8 @@ "link": "https://learn.microsoft.com/azure/network-watcher/network-watcher-monitoring-overview", "service": "Network Watcher", "services": [ - "Monitor", - "NetworkWatcher" + "NetworkWatcher", + "Monitor" ], "severity": "Medium", "subcategory": "Monitoring", @@ -11042,9 +11296,9 @@ "id": "F03.10", "link": "https://learn.microsoft.com/azure/governance/policy/overview", "services": [ - "Monitor", "RBAC", - "AzurePolicy" + "AzurePolicy", + "Monitor" ], "severity": "Low", "subcategory": "Monitoring", @@ -11101,9 +11355,9 @@ "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", "service": "Monitor", "services": [ - "Monitor", "RBAC", - "Entra" + "Entra", + "Monitor" ], "severity": "Medium", "subcategory": "Monitoring", @@ -11132,8 +11386,8 @@ "id": "F03.16", "link": "https://learn.microsoft.com/azure/azure-monitor/agents/diagnostics-extension-overview", "services": [ - "Monitor", - "Storage" + "Storage", + "Monitor" ], "severity": "Medium", "subcategory": "Monitoring", @@ -11210,8 +11464,8 @@ "service": "VM", "services": [ "VM", - "Monitor", - "AzurePolicy" + "AzurePolicy", + "Monitor" ], "severity": "Medium", "subcategory": "Operational compliance", @@ -11226,9 +11480,9 @@ "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", "service": "VM", "services": [ - "VM", "ACR", - "ASR" + "ASR", + "VM" ], "severity": "Medium", "subcategory": "Protect and Recover", @@ -11377,8 +11631,8 @@ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", "service": "Key Vault", "services": [ - "AKV", - "AzurePolicy" + "AzurePolicy", + "AKV" ], "severity": "Medium", "subcategory": "Encryption and keys", 
@@ -11441,8 +11695,8 @@ "service": "Key Vault", "services": [ "PrivateLink", - "VNet", - "AKV" + "AKV", + "VNet" ], "severity": "Medium", "subcategory": "Encryption and keys", @@ -11457,9 +11711,9 @@ "link": "https://learn.microsoft.com/azure/key-vault/general/monitor-key-vault", "service": "Key Vault", "services": [ - "Monitor", "Entra", - "AKV" + "AKV", + "Monitor" ], "severity": "Medium", "subcategory": "Encryption and keys", @@ -11474,8 +11728,8 @@ "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", "service": "Key Vault", "services": [ - "AKV", - "AzurePolicy" + "AzurePolicy", + "AKV" ], "severity": "Medium", "subcategory": "Encryption and keys", @@ -11565,9 +11819,9 @@ "id": "G03.02", "link": "https://learn.microsoft.com/azure/azure-monitor/logs/logs-data-export?tabs=portal", "services": [ - "Monitor", + "Storage", "ARS", - "Storage" + "Monitor" ], "severity": "Medium", "subcategory": "Operations", @@ -11647,8 +11901,8 @@ "link": "https://learn.microsoft.com/azure/security-center/", "service": "VM", "services": [ - "Monitor", - "Defender" + "Defender", + "Monitor" ], "severity": "Medium", "subcategory": "Operations", @@ -11663,8 +11917,8 @@ "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", "service": "Monitor", "services": [ - "Monitor", - "Entra" + "Entra", + "Monitor" ], "severity": "Medium", "subcategory": "Operations", @@ -12189,8 +12443,8 @@ "id": "D01.03", "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/approaches/cost-management-allocation", "services": [ - "Monitor", - "Cost" + "Cost", + "Monitor" ], "severity": "Medium", "subcategory": "Cost Optimization", 
@@ -12374,10 +12628,10 @@ "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-shared-access-signature#shared-access-authorization-policies", "services": [ "EventHubs", - "TrafficManager", + "AzurePolicy", "RBAC", "Entra", - "AzurePolicy" + "TrafficManager" ], "severity": "Medium", "subcategory": "Identity and Access Management", @@ -12393,11 +12647,11 @@ "id": "A02.02", "link": "https://learn.microsoft.com/azure/event-hubs/authenticate-managed-identity?tabs=latest", "services": [ + "AKV", "EventHubs", "Storage", - "VM", "Entra", - "AKV" + "VM" ], "severity": "Medium", "subcategory": "Identity and Access Management", @@ -12413,9 +12667,9 @@ "id": "A02.03", "link": "https://learn.microsoft.com/azure/event-hubs/authorize-access-azure-active-directory#azure-built-in-roles-for-azure-event-hubs", "services": [ - "EventHubs", + "RBAC", "Entra", - "RBAC" + "EventHubs" ], "severity": "High", "subcategory": "Identity and Access Management", @@ -12432,8 +12686,8 @@ "link": "https://learn.microsoft.com/azure/event-hubs/monitor-event-hubs-reference", "services": [ "Monitor", - "EventHubs", - "VNet" + "VNet", + "EventHubs" ], "severity": "Medium", "subcategory": "Monitoring", @@ -12449,9 +12703,9 @@ "id": "A04.01", "link": "https://learn.microsoft.com/azure/event-hubs/private-link-service", "services": [ - "EventHubs", "PrivateLink", - "VNet" + "VNet", + "EventHubs" ], "severity": "Medium", "subcategory": "Networking", @@ -12482,8 +12736,8 @@ "link": "https://learn.microsoft.com/azure/api-management/api-management-error-handling-policies", "service": "APIM", "services": [ - "APIM", - "AzurePolicy" + "AzurePolicy", + "APIM" ], "severity": "Medium", "subcategory": "Development best practices", 
@@ -12497,8 +12751,8 @@ "link": "https://learn.microsoft.com/azure/api-management/set-edit-policies?tabs=form#use-base-element-to-set-policy-evaluation-order", "service": "APIM", "services": [ - "APIM", - "AzurePolicy" + "AzurePolicy", + "APIM" ], "severity": "Medium", "subcategory": "Development best practices", @@ -12513,8 +12767,8 @@ "service": "APIM", "services": [ "ACR", - "APIM", - "AzurePolicy" + "AzurePolicy", + "APIM" ], "severity": "Medium", "subcategory": "Development best practices", @@ -12542,8 +12796,8 @@ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor#resource-logs", "service": "APIM", "services": [ - "Monitor", - "APIM" + "APIM", + "Monitor" ], "severity": "High", "subcategory": "Monitoring", @@ -12557,8 +12811,8 @@ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-app-insights", "service": "APIM", "services": [ - "Monitor", - "APIM" + "APIM", + "Monitor" ], "severity": "Medium", "subcategory": "Monitoring", @@ -12572,8 +12826,8 @@ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-use-azure-monitor", "service": "APIM", "services": [ - "Monitor", - "APIM" + "APIM", + "Monitor" ], "severity": "High", "subcategory": "Monitoring", @@ -12587,9 +12841,9 @@ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#certificate-management-in-azure-key-vault", "service": "APIM", "services": [ - "APIM", + "AKV", "Entra", - "AKV" + "APIM" ], "severity": "High", "subcategory": "Data protection", 
@@ -12603,8 +12857,8 @@ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-ad-authentication-required-for-data-plane-access", "service": "APIM", "services": [ - "APIM", - "Entra" + "Entra", + "APIM" ], "severity": "High", "subcategory": "Identity", @@ -12618,8 +12872,8 @@ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-aad", "service": "APIM", "services": [ - "APIM", - "Entra" + "Entra", + "APIM" ], "severity": "Medium", "subcategory": "Identity", @@ -12633,8 +12887,8 @@ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-create-groups", "service": "APIM", "services": [ - "APIM", - "Entra" + "Entra", + "APIM" ], "severity": "Medium", "subcategory": "Privileged access", @@ -12662,8 +12916,8 @@ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-properties?tabs=azure-portal", "service": "APIM", "services": [ - "APIM", - "AzurePolicy" + "AzurePolicy", + "APIM" ], "severity": "Medium", "subcategory": "Best practices", @@ -12677,8 +12931,8 @@ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-deploy-multi-region", "service": "APIM", "services": [ - "APIM", - "ASR" + "ASR", + "APIM" ], "severity": "Medium", "subcategory": "Business continuity and disaster recovery", @@ -12692,8 +12946,8 @@ "link": "https://learn.microsoft.com/azure/api-management/high-availability", "service": "APIM", "services": [ - "APIM", - "ASR" + "ASR", + "APIM" ], "severity": "Medium", "subcategory": "Business continuity and disaster recovery", 
@@ -12707,9 +12961,9 @@ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#service-native-backup-capability", "service": "APIM", "services": [ - "APIM", "ASR", - "Backup" + "Backup", + "APIM" ], "severity": "High", "subcategory": "Business continuity and disaster recovery", @@ -12722,8 +12976,8 @@ "guid": "f96ddac5-77ec-4fa9-8833-4327f052059e", "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-cache-external", "services": [ - "APIM", - "AzurePolicy" + "AzurePolicy", + "APIM" ], "severity": "Medium", "subcategory": "Performance and scalability", @@ -12737,9 +12991,9 @@ "link": "https://learn.microsoft.com/azure/api-management/api-management-howto-log-event-hubs", "service": "APIM", "services": [ - "EventHubs", + "AzurePolicy", "APIM", - "AzurePolicy" + "EventHubs" ], "severity": "Low", "subcategory": "Performance and scalability", @@ -12753,8 +13007,8 @@ "link": "https://learn.microsoft.com/azure/api-management/api-management-sample-flexible-throttling", "service": "APIM", "services": [ - "APIM", - "AzurePolicy" + "AzurePolicy", + "APIM" ], "severity": "Medium", "subcategory": "Performance and scalability", @@ -12797,9 +13051,9 @@ "link": "https://learn.microsoft.com/azure/api-management/front-door-api-management", "service": "APIM", "services": [ - "APIM", "FrontDoor", - "Entra" + "Entra", + "APIM" ], "severity": "Medium", "subcategory": "Connectivity", @@ -12813,8 +13067,8 @@ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#virtual-network-integration", "service": "APIM", "services": [ - "APIM", - "VNet" + "VNet", + "APIM" ], "severity": "Medium", "subcategory": "Security", 
@@ -12828,10 +13082,10 @@ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#network-security-group-support", "service": "APIM", "services": [ - "Monitor", - "APIM", "VNet", - "Entra" + "Entra", + "APIM", + "Monitor" ], "severity": "Medium", "subcategory": "Security", @@ -12845,10 +13099,10 @@ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#azure-private-link", "service": "APIM", "services": [ - "APIM", + "PrivateLink", "VNet", "Entra", - "PrivateLink" + "APIM" ], "severity": "Medium", "subcategory": "Security", @@ -12890,8 +13144,8 @@ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/app-platform/api-management/platform-automation-and-devops#design-recommendations", "service": "APIM", "services": [ - "APIM", - "Entra" + "Entra", + "APIM" ], "severity": "Medium", "subcategory": "Best practices", @@ -12905,8 +13159,8 @@ "link": "https://learn.microsoft.com/azure/api-management/visual-studio-code-tutorial", "service": "APIM", "services": [ - "APIM", - "Entra" + "Entra", + "APIM" ], "severity": "Medium", "subcategory": "Best practices", @@ -13004,8 +13258,8 @@ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#im-8-restrict-the-exposure-of-credential-and-secrets", "service": "APIM", "services": [ - "APIM", - "AKV" + "AKV", + "APIM" ], "severity": "High", "subcategory": "Data protection", 
@@ -13019,8 +13273,8 @@ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#managed-identities", "service": "APIM", "services": [ - "APIM", - "Entra" + "Entra", + "APIM" ], "severity": "Medium", "subcategory": "Identities", @@ -13034,10 +13288,10 @@ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/api-management-security-baseline?toc=%2Fazure%2Fapi-management%2F&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#ns-6-deploy-web-application-firewall", "service": "APIM", "services": [ - "WAF", - "APIM", + "AppGW", "Entra", - "AppGW" + "APIM", + "WAF" ], "severity": "High", "subcategory": "Network", @@ -13108,9 +13362,9 @@ "guid": "e0d5973c-d4ce-432c-8881-37f6f7c4c0d4", "link": "https://learn.microsoft.com/azure/virtual-machines/managed-disks-overview#temporary-disk", "services": [ + "Storage", "VM", - "SQL", - "Storage" + "SQL" ], "severity": "Medium", "subcategory": "Virtual Machines", @@ -13124,9 +13378,9 @@ "guid": "e514548d-2447-4ec6-9138-b8200f1ce16e", "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", "services": [ - "VM", "ACR", - "Storage" + "Storage", + "VM" ], "severity": "Medium", "subcategory": "Virtual Machines", @@ -13154,8 +13408,8 @@ "guid": "6ba2c021-4991-414a-9d3c-e574dccbd979", "link": "https://learn.microsoft.com/azure/virtual-machines/availability", "services": [ - "VM", - "ASR" + "ASR", + "VM" ], "severity": "High", "subcategory": "Virtual Machines", @@ -13169,8 +13423,8 @@ "guid": "2a6bcca2-b5fe-4a1e-af3d-d95d48c7c891", "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", "services": [ - "VM", "ASR", + "VM", "AVS" ], "severity": "High", 
@@ -13199,8 +13453,8 @@ "guid": "e6e2065b-3a76-4af4-a691-e8939ada4666", "link": "https://learn.microsoft.com/azure/quotas/per-vm-quota-requests", "services": [ - "VM", - "ASR" + "ASR", + "VM" ], "severity": "Medium", "subcategory": "Virtual Machines", @@ -13425,8 +13679,8 @@ "guid": "8df03a82-2cd4-463c-abbc-8ac299ebc92a", "link": "https://learn.microsoft.com/azure/networking/disaster-recovery-dns-traffic-manager", "services": [ - "TrafficManager", "DNS", + "TrafficManager", "ASR", "Monitor" ], @@ -13501,10 +13755,10 @@ "guid": "ead53cc7-de2e-48aa-ab35-71549ab9153d", "link": "https://learn.microsoft.com/azure/expressroute/use-s2s-vpn-as-backup-for-expressroute-privatepeering", "services": [ - "ExpressRoute", - "VPN", "Cost", - "Backup" + "ExpressRoute", + "Backup", + "VPN" ], "severity": "Low", "subcategory": "ExpressRoute", @@ -13547,8 +13801,8 @@ "guid": "dccbd979-2a6b-4cca-8b5f-ea1ebf3dd95d", "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-custom-probe-overview#design-guidance", "services": [ - "Monitor", - "LoadBalancer" + "LoadBalancer", + "Monitor" ], "severity": "Low", "subcategory": "Load Balancers", @@ -13576,8 +13830,8 @@ "guid": "927139b8-2110-42db-b6ea-f11e6f843e53", "link": "https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-highlyavailable", "services": [ - "VPN", - "ACR" + "ACR", + "VPN" ], "severity": "Medium", "subcategory": "VPN Gateways", @@ -13605,9 +13859,9 @@ "id": "A01.01", "service": "AVS", "services": [ + "Subscriptions", "Entra", - "AVS", - "Subscriptions" + "AVS" ], "severity": "High", "subcategory": "Identity", @@ -13696,8 +13950,8 @@ "id": "A01.07", "service": "AVS", "services": [ - "Entra", "RBAC", + "Entra", "AVS" ], "severity": "Medium", @@ -13712,8 +13966,8 @@ "id": "A01.08", "service": "AVS", "services": [ - "Entra", "RBAC", + "Entra", "AVS" ], "severity": "Medium", @@ -13728,8 +13982,8 @@ "id": "A01.09", "service": "AVS", "services": [ - "Entra", "RBAC", + "Entra", "AVS" ], "severity": "High", 
@@ -13744,8 +13998,8 @@ "id": "A01.10", "service": "AVS", "services": [ - "Entra", "RBAC", + "Entra", "AVS" ], "severity": "High", @@ -13775,11 +14029,11 @@ "id": "B02.01", "service": "AVS", "services": [ - "ExpressRoute", "Monitor", "VPN", - "AVS", - "NetworkWatcher" + "ExpressRoute", + "NetworkWatcher", + "AVS" ], "severity": "High", "subcategory": "Monitoring", @@ -13793,11 +14047,11 @@ "id": "B02.02", "service": "AVS", "services": [ + "Monitor", "ExpressRoute", + "NetworkWatcher", "VM", - "Monitor", - "AVS", - "NetworkWatcher" + "AVS" ], "severity": "Medium", "subcategory": "Monitoring", @@ -13828,8 +14082,8 @@ "id": "B03.01", "service": "AVS", "services": [ - "ARS", - "AVS" + "AVS", + "ARS" ], "severity": "High", "subcategory": "Routing", @@ -13843,8 +14097,8 @@ "id": "C01.01", "service": "AVS", "services": [ - "Entra", "RBAC", + "Entra", "AVS" ], "severity": "High", @@ -13859,8 +14113,8 @@ "id": "C01.02", "service": "AVS", "services": [ - "Entra", "RBAC", + "Entra", "AVS" ], "severity": "High", @@ -13905,8 +14159,8 @@ "id": "C01.05", "service": "AVS", "services": [ - "Entra", "RBAC", + "Entra", "AVS" ], "severity": "Medium", @@ -13937,8 +14191,8 @@ "service": "AVS", "services": [ "VM", - "AVS", - "Entra" + "Entra", + "AVS" ], "severity": "High", "subcategory": "Security (identity)", @@ -13966,9 +14220,9 @@ "id": "C02.02", "service": "AVS", "services": [ - "Firewall", + "AppGW", "AVS", - "AppGW" + "Firewall" ], "severity": "High", "subcategory": "Security (network)", @@ -13996,8 +14250,8 @@ "id": "C02.04", "service": "AVS", "services": [ - "Monitor", - "AVS" + "AVS", + "Monitor" ], "severity": "Medium", "subcategory": "Security (network)", @@ -14011,11 +14265,11 @@ "id": "C02.05", "service": "AVS", "services": [ - "ExpressRoute", + "DDoS", "VPN", - "AVS", "VNet", - "DDoS" + "ExpressRoute", + "AVS" ], "severity": "Medium", "subcategory": "Security (network)", 
@@ -14058,8 +14312,8 @@ "id": "C03.02", "service": "AVS", "services": [ - "Arc", - "AVS" + "AVS", + "Arc" ], "severity": "Medium", "subcategory": "Security (guest/VM)", @@ -14132,8 +14386,8 @@ "service": "AVS", "services": [ "Storage", - "AVS", - "AzurePolicy" + "AzurePolicy", + "AVS" ], "severity": "High", "subcategory": "Governance (platform)", @@ -14176,8 +14430,8 @@ "id": "C04.05", "service": "AVS", "services": [ - "AVS", - "AzurePolicy" + "AzurePolicy", + "AVS" ], "severity": "Medium", "subcategory": "Governance (platform)", @@ -14249,8 +14503,8 @@ "id": "C05.01", "service": "AVS", "services": [ - "VM", "Defender", + "VM", "AVS" ], "severity": "Medium", @@ -14266,8 +14520,8 @@ "service": "AVS", "services": [ "VM", - "Arc", - "AVS" + "AVS", + "Arc" ], "severity": "Medium", "subcategory": "Governance (guest/VM)", @@ -14312,8 +14566,8 @@ "service": "AVS", "services": [ "VM", - "AVS", "Backup", + "AVS", "AzurePolicy" ], "severity": "Medium", @@ -14328,9 +14582,9 @@ "id": "C06.01", "service": "AVS", "services": [ - "Monitor", "Defender", - "AVS" + "AVS", + "Monitor" ], "severity": "Medium", "subcategory": "Compliance", @@ -14401,8 +14655,8 @@ "id": "D01.01", "service": "AVS", "services": [ - "Monitor", - "AVS" + "AVS", + "Monitor" ], "severity": "High", "subcategory": "Monitoring", @@ -14416,8 +14670,8 @@ "id": "D01.02", "service": "AVS", "services": [ - "Monitor", - "AVS" + "AVS", + "Monitor" ], "severity": "High", "subcategory": "Monitoring", @@ -14431,8 +14685,8 @@ "id": "D01.03", "service": "AVS", "services": [ - "Monitor", - "AVS" + "AVS", + "Monitor" ], "severity": "High", "subcategory": "Monitoring", @@ -14446,8 +14700,8 @@ "id": "D01.04", "service": "AVS", "services": [ - "Monitor", - "AVS" + "AVS", + "Monitor" ], "severity": "High", "subcategory": "Monitoring", @@ -14461,9 +14715,9 @@ "id": "D01.05", "service": "AVS", "services": [ - "Monitor", "Storage", - "AVS" + "AVS", + "Monitor" ], "severity": "Medium", "subcategory": "Monitoring", 
@@ -14477,8 +14731,8 @@ "id": "D01.06", "service": "AVS", "services": [ - "Monitor", - "AVS" + "AVS", + "Monitor" ], "severity": "Low", "subcategory": "Monitoring", @@ -14492,8 +14746,8 @@ "id": "D02.01", "service": "AVS", "services": [ - "VM", "Storage", + "VM", "AVS", "AzurePolicy" ], @@ -14524,8 +14778,8 @@ "service": "AVS", "services": [ "Storage", - "AVS", - "Backup" + "Backup", + "AVS" ], "severity": "Medium", "subcategory": "Operations", @@ -14539,8 +14793,8 @@ "id": "D02.04", "service": "AVS", "services": [ - "Arc", - "AVS" + "AVS", + "Arc" ], "severity": "Medium", "subcategory": "Operations", @@ -14554,8 +14808,8 @@ "id": "D02.05", "service": "AVS", "services": [ - "Monitor", - "AVS" + "AVS", + "Monitor" ], "severity": "Medium", "subcategory": "Operations", @@ -14583,9 +14837,9 @@ "id": "D02.07", "service": "AVS", "services": [ - "Monitor", + "AzurePolicy", "AVS", - "AzurePolicy" + "Monitor" ], "severity": "Medium", "subcategory": "Operations", @@ -14614,8 +14868,8 @@ "id": "E01.01", "service": "AVS", "services": [ - "AVS", - "Backup" + "Backup", + "AVS" ], "severity": "Medium", "subcategory": "Backup", @@ -14704,10 +14958,10 @@ "id": "E02.06", "service": "AVS", "services": [ - "ExpressRoute", "ASR", - "NVA", - "AVS" + "ExpressRoute", + "AVS", + "NVA" ], "severity": "Medium", "subcategory": "Disaster Recovery", @@ -14721,8 +14975,8 @@ "id": "E03.01", "service": "AVS", "services": [ - "AVS", - "Backup" + "Backup", + "AVS" ], "severity": "Medium", "subcategory": "Business Continuity", @@ -14736,8 +14990,8 @@ "id": "E03.02", "service": "AVS", "services": [ - "AVS", - "Backup" + "Backup", + "AVS" ], "severity": "Medium", "subcategory": "Business Continuity", @@ -14751,8 +15005,8 @@ "id": "E03.03", "service": "AVS", "services": [ - "AVS", - "Backup" + "Backup", + "AVS" ], "severity": "Medium", "subcategory": "Business Continuity", 
@@ -14836,8 +15090,8 @@ "id": "F02.03", "service": "AVS", "services": [ - "AVS", - "AzurePolicy" + "AzurePolicy", + "AVS" ], "severity": "Low", "subcategory": "Automated Deployment", @@ -14910,8 +15164,8 @@ "id": "F04.01", "service": "AVS", "services": [ - "AVS", - "Subscriptions" + "Subscriptions", + "AVS" ], "severity": "Medium", "subcategory": "Automated Scale", @@ -14926,8 +15180,8 @@ "service": "AVS", "services": [ "Storage", - "AVS", - "AzurePolicy" + "AzurePolicy", + "AVS" ], "severity": "Medium", "subcategory": "Automated Scale", @@ -14983,8 +15237,8 @@ "id": "F04.06", "service": "AVS", "services": [ - "Monitor", - "AVS" + "AVS", + "Monitor" ], "severity": "Medium", "subcategory": "Automated Scale", @@ -15031,8 +15285,8 @@ "id": "G02.01", "service": "AVS", "services": [ - "VPN", - "AVS" + "AVS", + "VPN" ], "severity": "Medium", "subcategory": "Networking", @@ -15075,8 +15329,8 @@ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", "service": "AVS", "services": [ - "VM", "Storage", + "VM", "AVS" ], "severity": "Medium", @@ -15092,8 +15346,8 @@ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", "service": "AVS", "services": [ - "ExpressRoute", "Storage", + "ExpressRoute", "AVS" ], "severity": "Medium", @@ -15109,8 +15363,8 @@ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-the-same-domain-name-on-front-door-and-your-origin", "service": "AVS", "services": [ - "ExpressRoute", "Storage", + "ExpressRoute", "AVS" ], "severity": "Medium", @@ -16003,8 +16257,8 @@ "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/sql-database-security-baseline#br-1-ensure-regular-automated-backups", "services": [ "SQL", - "Storage", - "Backup" + "Backup", + "Storage" ], "severity": "Medium", "subcategory": "Backup", 
@@ -16020,8 +16274,8 @@ "link": "https://learn.microsoft.com/azure/azure-sql/database/automated-backups-overview?tabs=single-database&view=azuresql#backup-storage-redundancy", "services": [ "SQL", - "Storage", - "Backup" + "Backup", + "Storage" ], "severity": "Low", "subcategory": "Backup", @@ -16082,8 +16336,8 @@ "link": "https://learn.microsoft.com/azure/azure-sql/database/threat-detection-configure", "services": [ "SQL", - "EventHubs", - "Defender" + "Defender", + "EventHubs" ], "severity": "High", "subcategory": "Advanced Threat Protection", @@ -16098,9 +16352,9 @@ "id": "E02.01", "link": "https://learn.microsoft.com/azure/azure-sql/database/azure-defender-for-sql?view=azuresql#enable-microsoft-defender-for-sql ", "services": [ + "Subscriptions", "SQL", - "Defender", - "Subscriptions" + "Defender" ], "severity": "High", "subcategory": "Defender for Azure SQL", @@ -16115,9 +16369,9 @@ "id": "E02.02", "link": "https://learn.microsoft.com/azure/azure-sql/database/threat-detection-configure", "services": [ - "Monitor", "SQL", - "Defender" + "Defender", + "Monitor" ], "severity": "High", "subcategory": "Defender for Azure SQL", @@ -16132,9 +16386,9 @@ "id": "E03.01", "link": "https://learn.microsoft.com/azure/defender-for-cloud/sql-azure-vulnerability-assessment-overview", "services": [ - "Monitor", "SQL", - "Defender" + "Defender", + "Monitor" ], "severity": "High", "subcategory": "Vulnerability Assessment", @@ -16181,8 +16435,8 @@ "link": "https://learn.microsoft.com/azure/azure-sql/database/security-best-practice?view=azuresql#control-access-of-application-users-to-sensitive-data-through-encryption", "services": [ "SQL", - "Storage", - "AKV" + "AKV", + "Storage" ], "severity": "Low", "subcategory": "Column Encryption", 
@@ -16198,8 +16452,8 @@ "link": "https://learn.microsoft.com/azure/azure-sql/database/transparent-data-encryption-byok-create-server", "services": [ "SQL", - "Storage", - "Backup" + "Backup", + "Storage" ], "severity": "High", "subcategory": "Transparent Data Encryption", @@ -16261,9 +16515,9 @@ "id": "G01.02", "link": "https://learn.microsoft.com/azure/azure-sql/database/security-best-practice?view=azuresql#central-management-for-identities", "services": [ - "Monitor", "SQL", - "Entra" + "Entra", + "Monitor" ], "severity": "Medium", "subcategory": "Azure Active Directory", @@ -16294,11 +16548,11 @@ "id": "G02.01", "link": "https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview", "services": [ + "AKV", + "ACR", "SQL", "RBAC", - "ACR", - "Entra", - "AKV" + "Entra" ], "severity": "Low", "subcategory": "Managed Identities", @@ -16346,8 +16600,8 @@ "link": "https://learn.microsoft.com/sql/relational-databases/security/ledger/ledger-digest-management", "services": [ "SQL", - "Storage", - "AzurePolicy" + "AzurePolicy", + "Storage" ], "severity": "Medium", "subcategory": "Database Digest", @@ -16409,8 +16663,8 @@ "link": "https://learn.microsoft.com/azure/azure-sql/database/auditing-overview", "services": [ "SQL", - "Storage", - "AzurePolicy" + "AzurePolicy", + "Storage" ], "severity": "Medium", "subcategory": "Auditing", @@ -16425,12 +16679,12 @@ "id": "I01.02", "link": "https://learn.microsoft.com/azure/azure-sql/database/auditing-overview", "services": [ + "Backup", "EventHubs", + "Monitor", "Storage", "SQL", - "Monitor", - "Entra", - "Backup" + "Entra" ], "severity": "Low", "subcategory": "Auditing", @@ -16445,11 +16699,11 @@ "id": "I01.03", "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log", "services": [ + "Subscriptions", "EventHubs", - "Storage", - "SQL", "Monitor", - "Subscriptions" + "Storage", + "SQL" ], "severity": "Medium", "subcategory": "Auditing", 
@@ -16464,8 +16718,8 @@ "id": "I02.01", "link": "https://learn.microsoft.com/azure/azure-sql/database/auditing-overview", "services": [ - "Monitor", - "SQL" + "SQL", + "Monitor" ], "severity": "Medium", "subcategory": "SIEM/SOAR", @@ -16480,8 +16734,8 @@ "id": "I02.02", "link": "https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log", "services": [ - "Monitor", - "SQL" + "SQL", + "Monitor" ], "severity": "Medium", "subcategory": "SIEM/SOAR", @@ -16512,8 +16766,8 @@ "id": "J01.01", "link": "https://learn.microsoft.com/azure/azure-sql/database/network-access-controls-overview", "services": [ - "SQL", - "PrivateLink" + "PrivateLink", + "SQL" ], "severity": "High", "subcategory": "Connectivity", @@ -16528,8 +16782,8 @@ "id": "J01.02", "link": "https://learn.microsoft.com/azure/azure-sql/database/connectivity-architecture", "services": [ - "SQL", "PrivateLink", + "SQL", "AzurePolicy" ], "severity": "Low", @@ -16562,8 +16816,8 @@ "link": "https://learn.microsoft.com/sql/relational-databases/system-stored-procedures/sp-invoke-external-rest-endpoint-transact-sql", "services": [ "SQL", - "EventHubs", - "APIM" + "APIM", + "EventHubs" ], "severity": "Medium", "subcategory": "Outbound Control", @@ -16594,11 +16848,11 @@ "id": "J03.01", "link": "https://learn.microsoft.com/azure/azure-sql/database/private-endpoint-overview?view=azuresql#disable-public-access-to-your-logical-server", "services": [ - "PrivateLink", - "SQL", - "Firewall", "Monitor", - "VNet" + "Firewall", + "VNet", + "SQL", + "PrivateLink" ], "severity": "Medium", "subcategory": "Private Access", @@ -16613,8 +16867,8 @@ "id": "J03.02", "link": "https://learn.microsoft.com/azure/azure-sql/database/private-endpoint-overview?view=azuresql#disable-public-access-to-your-logical-server", "services": [ - "SQL", "PrivateLink", + "SQL", "VNet" ], "severity": "High", 
@@ -16630,9 +16884,9 @@ "id": "J03.03", "link": "https://learn.microsoft.com/azure/private-link/private-endpoint-overview#network-security-of-private-endpoints", "services": [ + "PrivateLink", "SQL", - "VNet", - "PrivateLink" + "VNet" ], "severity": "Medium", "subcategory": "Private Access", @@ -16647,8 +16901,8 @@ "id": "J03.04", "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/connectivity-architecture-overview", "services": [ - "ExpressRoute", "SQL", + "ExpressRoute", "VNet" ], "severity": "Medium", @@ -16665,8 +16919,8 @@ "link": "https://learn.microsoft.com/azure/azure-sql/database/network-access-controls-overview?view=azuresql#ip-vs-virtual-network-firewall-rules", "services": [ "SQL", - "VNet", - "AzurePolicy" + "AzurePolicy", + "VNet" ], "severity": "High", "subcategory": "Public Access", @@ -16714,8 +16968,8 @@ "link": "https://learn.microsoft.com/azure/azure-sql/managed-instance/public-endpoint-overview", "services": [ "SQL", - "VNet", - "AzurePolicy" + "AzurePolicy", + "VNet" ], "severity": "High", "subcategory": "Public Access", @@ -16791,8 +17045,8 @@ "id": "A01.01", "link": "https://learn.microsoft.com/azure/architecture/guide/multitenant/considerations/tenancy-models", "services": [ - "Monitor", - "Cost" + "Cost", + "Monitor" ], "subcategory": "Azure Monitor - enforce data collection rules", "text": "Data collection rules in Azure Monitor -https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-rule-overview", @@ -16847,8 +17101,8 @@ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", "services": [ "Cost", - "Backup", - "Storage" + "Storage", + "Backup" ], "subcategory": "delete/archive", "text": "delete or archive unused resources (old backups, logs, storage accounts, etc...)", 
@@ -16861,10 +17115,10 @@ "id": "A03.04", "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", "services": [ - "ASR", "Cost", - "Backup", - "Storage" + "Storage", + "ASR", + "Backup" ], "subcategory": "delete/archive", "text": "consider a good balance between site recovery storage and backup for non mission critical applications", @@ -16877,8 +17131,8 @@ "id": "A04.01", "link": "https://learn.microsoft.com/azure/cost-management-billing/manage/direct-ea-administration#manage-notification-contacts", "services": [ - "Monitor", - "Cost" + "Cost", + "Monitor" ], "subcategory": "Log Analytics retention for workspaces", "text": "check spending and savings opportunities among the 40 different log analytics workspaces- use different retention and data collection for nonprod workspaces-create daily cap for awareness and tier sizing - If you do set a daily cap, in addition to creating an alert when the cap is reached,ensure that you also create an alert rule to be notified when some percentage has been reached (90% for example). - consider workspace transformation if possible - https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-transformations#workspace-transformation-dcr ", @@ -16936,10 +17190,10 @@ "id": "A08.01", "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-enterprise-agreement#design-considerations", "services": [ - "VM", "Cost", - "Backup", - "Storage" + "Storage", + "VM", + "Backup" ], "subcategory": "stopped/deallocated VMs: check disks", "text": "check that the disks are really needed, if not: delete. If they are needed, find lower storage tiers or use backup -", 
@@ -17008,9 +17262,9 @@ "id": "B03.01", "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/azure-billing-microsoft-customer-agreement#design-recommendations", "services": [ - "VM", "Cost", - "Storage" + "Storage", + "VM" ], "subcategory": "db optimization", "text": "optimizing the DB queries will increase performance and allow better right-sizing of storage and VMs", @@ -17050,8 +17304,8 @@ "id": "C01.02", "link": "https://learn.microsoft.com/azure/governance/policy/overview", "services": [ - "VM", - "Cost" + "Cost", + "VM" ], "subcategory": "Advisor", "text": "make sure advisor is configured for VM right sizing ", @@ -17077,8 +17331,8 @@ "id": "C02.02", "link": "https://learn.microsoft.com/azure/governance/policy/overview", "services": [ - "Monitor", - "Cost" + "Cost", + "Monitor" ], "subcategory": "Automation", "text": "set up cost alerts for applications that have variable costs (ideally for all of them)", @@ -17210,8 +17464,8 @@ "id": "C06.01", "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor", "services": [ - "ACR", - "Cost" + "Cost", + "ACR" ], "subcategory": "free services", "text": "Take advantage of Azure free services: Azure offers a number of free services, such as DevOps, Azure Container Registry, and Azure Logic Apps, that can help you save costs on development and operations. ", @@ -17264,9 +17518,9 @@ "id": "D02.01", "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/manage/centralize-operations", "services": [ - "VM", - "SQL", "Cost", + "SQL", + "VM", "AzurePolicy" ], "subcategory": "check AHUB is applied to all Windows VMs, RHEL and SQL", 
@@ -17294,8 +17548,8 @@ "id": "D04.01", "link": "https://learn.microsoft.com/azure/active-directory/roles/security-planning#identify-microsoft-accounts-in-administrative-roles-that-need-to-be-switched-to-work-or-school-accounts", "services": [ - "AppSvc", - "Cost" + "Cost", + "AppSvc" ], "subcategory": "Functions", "text": "saving plans will provide 17% on select app service plans", @@ -17308,8 +17562,8 @@ "id": "D05.01", "link": "https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal", "services": [ - "VM", - "Cost" + "Cost", + "VM" ], "subcategory": "planning", "text": "consolidate reserved VM families with flexibility option (no more than 4-5 families)", @@ -17323,9 +17577,9 @@ "id": "D06.01", "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access#prerequisites-for-a-landing-zone---design-recommendations", "services": [ + "Cost", "VM", - "ARS", - "Cost" + "ARS" ], "subcategory": "reservations/savings plans", "text": "Utilize Azure Reserved Instances: This feature allows you to reserve VMs for a period of 1 or 3 years, providing significant cost savings compared to PAYG prices.", @@ -17378,8 +17632,8 @@ "id": "D08.01", "link": "https://learn.microsoft.com/azure/architecture/reference-architectures/identity/adds-extend-domain", "services": [ - "VM", - "Cost" + "Cost", + "VM" ], "subcategory": "reserve VMs with normalized and rationalized sizes", "text": "after the right-sizing optimization", @@ -17392,8 +17646,8 @@ "id": "D09.01", "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy", "services": [ - "SQL", "Cost", + "SQL", "AzurePolicy" ], "subcategory": "SQL Database AHUB", 
@@ -17407,9 +17661,9 @@ "id": "D10.01", "link": "https://learn.microsoft.com/azure/active-directory/roles/best-practices", "services": [ - "VM", + "Cost", "SQL", - "Cost" + "VM" ], "subcategory": "SQL Database Reservations", "text": "the VM + licence part discount (ahub+3YRI) is around 70% discount", @@ -17477,8 +17731,8 @@ "id": "E02.01", "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#send-logs-to-microsoft-sentinel", "services": [ - "VM", - "Cost" + "Cost", + "VM" ], "subcategory": "Autoscale", "text": "consider using a VMSS to match demand rather than flat sizing", @@ -17491,8 +17745,8 @@ "id": "E02.02", "link": "https://learn.microsoft.com/azure/reliability/cross-region-replication-azure", "services": [ - "AKS", - "Cost" + "Cost", + "AKS" ], "subcategory": "Autoscale", "text": "use AKS autoscaler to match your clusters usage (make sure the pods requirements match the scaler)", @@ -17559,8 +17813,8 @@ "id": "E04.01", "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", "services": [ - "VM", "Cost", + "VM", "LoadBalancer" ], "subcategory": "databricks", @@ -17684,9 +17938,9 @@ "id": "E06.02", "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment", "services": [ + "Cost", "FrontDoor", - "EventHubs", - "Cost" + "EventHubs" ], "subcategory": "Networking", "text": "Frontdoor - Turn off the default homepageIn the application settings of your App, set AzureWebJobsDisableHomepage to true. This will return a 204 (No Content) to the PoP so only header data is returned.", 
@@ -17699,9 +17953,9 @@ "id": "E06.03", "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-setup-guide/monitoring-reporting?tabs=AzureMonitor", "services": [ - "FrontDoor", + "Cost", "AppSvc", - "Cost" + "FrontDoor" ], "subcategory": "Networking", "text": "Frontdoor -Route to something that returns nothingEither set up a Function, Function Proxy, or add a route in your WebApp that returns 200 (OK) and sends no or minimal content. The advantage of this is you will be able to log out when it is called.", @@ -17796,9 +18050,9 @@ "id": "E09.05", "link": "https://learn.microsoft.com/azure/site-recovery/site-recovery-overview", "services": [ - "ASR", "Cost", - "Storage" + "Storage", + "ASR" ], "subcategory": "Storage", "text": "for ASR, consider using Standard SSD disks if the RPO/RTO and replication throughput allow it", @@ -17839,9 +18093,9 @@ "id": "E11.01", "link": "https://learn.microsoft.com/azure/reliability/availability-zones-overview", "services": [ - "Monitor", + "Cost", "EventHubs", - "Cost" + "Monitor" ], "subcategory": "Synapse", "text": "Create budgets to manage costs and create alerts that automatically notify stakeholders of spending anomalies and overspending risks.", @@ -17868,8 +18122,8 @@ "id": "E11.03", "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", "services": [ - "SQL", - "Cost" + "Cost", + "SQL" ], "subcategory": "Synapse", "text": "Control costs for a dedicated SQL pool by pausing the resource when it is not in use.", @@ -17922,8 +18176,8 @@ "id": "E12.01", "link": "https://learn.microsoft.com/azure/application-gateway/overview-v2", "services": [ - "VM", - "Cost" + "Cost", + "VM" ], "subcategory": "VM", "text": "Use SPOT VMs for interruptible jobs: These are VMs that can be bid on and purchased at a discounted price, providing a cost-effective solution for non-critical workloads.", 
@@ -17937,8 +18191,8 @@ "id": "E12.02", "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-overview", "services": [ - "VM", - "Cost" + "Cost", + "VM" ], "subcategory": "VM", "text": "right-sizing all VMs", @@ -17951,8 +18205,8 @@ "id": "E12.03", "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", "services": [ - "VM", - "Cost" + "Cost", + "VM" ], "subcategory": "VM", "text": "swap VM sized with normalized and most recent sizes", @@ -17966,8 +18220,8 @@ "id": "E12.04", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", "services": [ - "VM", "Cost", + "VM", "Monitor" ], "subcategory": "VM", @@ -17982,8 +18236,8 @@ "id": "E12.05", "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", "services": [ - "VM", - "Cost" + "Cost", + "VM" ], "subcategory": "VM", "text": "containerizing an application can improve VM density and save money on scaling it", @@ -18076,8 +18330,8 @@ "link": "https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet", "service": "App Gateway", "services": [ - "VNet", - "AppGW" + "AppGW", + "VNet" ], "severity": "Medium", "subcategory": "App Gateway", @@ -18094,12 +18348,12 @@ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", "service": "App Gateway", "services": [ - "NVA", - "WAF", - "Entra", + "Subscriptions", "VNet", + "NVA", "AppGW", - "Subscriptions" + "Entra", + "WAF" ], "severity": "Medium", "subcategory": "App Gateway", @@ -18164,9 +18418,9 @@ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", "service": "Front Door", "services": [ - "WAF", "FrontDoor", - "AzurePolicy" + "AzurePolicy", + "WAF" ], "severity": "Medium", "subcategory": "Front Door", 
@@ -18182,10 +18436,10 @@ "link": "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview", "service": "Front Door", "services": [ - "WAF", - "FrontDoor", "AppGW", - "AzurePolicy" + "WAF", + "AzurePolicy", + "FrontDoor" ], "severity": "Medium", "subcategory": "App delivery", @@ -18218,8 +18472,8 @@ "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy#how-application-proxy-works", "service": "Entra", "services": [ - "AVD", - "Entra" + "Entra", + "AVD" ], "severity": "Low", "subcategory": "App delivery", @@ -18253,9 +18507,9 @@ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings", "service": "Front Door", "services": [ - "WAF", + "Storage", "FrontDoor", - "Storage" + "WAF" ], "severity": "High", "subcategory": "Front Door", @@ -18271,8 +18525,8 @@ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#avoid-combining-traffic-manager-and-front-door", "service": "Front Door", "services": [ - "TrafficManager", - "FrontDoor" + "FrontDoor", + "TrafficManager" ], "severity": "High", "subcategory": "Front Door", @@ -18369,8 +18623,8 @@ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates", "service": "Front Door", "services": [ - "FrontDoor", "Cost", + "FrontDoor", "AKV" ], "severity": "High", @@ -18386,8 +18640,8 @@ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#define-your-waf-configuration-as-code", "service": "Front Door", "services": [ - "WAF", - "FrontDoor" + "FrontDoor", + "WAF" ], "severity": "Medium", "subcategory": "Front Door", @@ -18434,8 +18688,8 @@ "link": "https://learn.microsoft.com/azure/frontdoor/best-practices#enable-the-waf", "service": "Front Door", "services": [ - "WAF", - "FrontDoor" + "FrontDoor", + "WAF" ], "severity": "High", "subcategory": "Front Door", 
@@ -18451,8 +18705,8 @@ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#tune-your-waf", "service": "Front Door", "services": [ - "WAF", - "FrontDoor" + "FrontDoor", + "WAF" ], "severity": "High", "subcategory": "Front Door", @@ -18468,8 +18722,8 @@ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-prevention-mode", "service": "Front Door", "services": [ - "WAF", - "FrontDoor" + "FrontDoor", + "WAF" ], "severity": "High", "subcategory": "Front Door", @@ -18485,8 +18739,8 @@ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-default-rule-sets", "service": "Front Door", "services": [ - "WAF", - "FrontDoor" + "FrontDoor", + "WAF" ], "severity": "High", "subcategory": "Front Door", @@ -18502,8 +18756,8 @@ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#enable-bot-management-rules", "service": "Front Door", "services": [ - "WAF", - "FrontDoor" + "FrontDoor", + "WAF" ], "severity": "High", "subcategory": "Front Door", @@ -18518,8 +18772,8 @@ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-the-latest-ruleset-versions", "service": "Front Door", "services": [ - "WAF", - "FrontDoor" + "FrontDoor", + "WAF" ], "severity": "Medium", "subcategory": "Front Door", @@ -18534,8 +18788,8 @@ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#add-rate-limiting", "service": "Front Door", "services": [ - "WAF", - "FrontDoor" + "FrontDoor", + "WAF" ], "severity": "Medium", "subcategory": "Front Door", 
@@ -18550,8 +18804,8 @@ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#use-a-high-threshold-for-rate-limits", "service": "Front Door", "services": [ - "WAF", - "FrontDoor" + "FrontDoor", + "WAF" ], "severity": "Medium", "subcategory": "Front Door", @@ -18566,8 +18820,8 @@ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#geo-filter-traffic", "service": "Front Door", "services": [ - "WAF", - "FrontDoor" + "FrontDoor", + "WAF" ], "severity": "Low", "subcategory": "Front Door", @@ -18582,8 +18836,8 @@ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-best-practices#specify-the-unknown-zz-location", "service": "Front Door", "services": [ - "WAF", - "FrontDoor" + "FrontDoor", + "WAF" ], "severity": "Medium", "subcategory": "Front Door", @@ -18615,8 +18869,8 @@ "link": "https://learn.microsoft.com/azure/storage/common/storage-private-endpoints", "service": "Azure Storage", "services": [ - "Storage", - "PrivateLink" + "PrivateLink", + "Storage" ], "severity": "High", "subcategory": "Networking", @@ -18632,8 +18886,8 @@ "link": "https://learn.microsoft.com/azure/virtual-machines/migration-classic-resource-manager-overview#migration-of-storage-accounts", "service": "Azure Storage", "services": [ - "RBAC", "Storage", + "RBAC", "Subscriptions" ], "severity": "Medium", @@ -18748,8 +19002,8 @@ "service": "Azure Storage", "services": [ "Storage", - "Subscriptions", - "AzurePolicy" + "AzurePolicy", + "Subscriptions" ], "severity": "High", "subcategory": "Data Availability, Compliance", @@ -18829,8 +19083,8 @@ "id": "A11.02", "service": "Azure Storage", "services": [ - "RBAC", "Storage", + "RBAC", "Entra" ], "severity": "Medium", 
@@ -18864,10 +19118,10 @@ "link": "https://learn.microsoft.com/rest/api/storageservices/authorize-with-shared-key", "service": "Azure Storage", "services": [ - "Monitor", "Storage", "Entra", - "AKV" + "AKV", + "Monitor" ], "severity": "High", "subcategory": "Identity and Access Management", @@ -18883,10 +19137,10 @@ "link": "https://learn.microsoft.com/azure/storage/blobs/blob-storage-monitoring-scenarios#audit-account-activity", "service": "Azure Storage", "services": [ - "Monitor", "Storage", + "AzurePolicy", "AKV", - "AzurePolicy" + "Monitor" ], "severity": "High", "subcategory": "Monitoring", @@ -18903,9 +19157,9 @@ "service": "Azure Storage", "services": [ "Storage", + "AzurePolicy", "Entra", - "AKV", - "AzurePolicy" + "AKV" ], "severity": "Medium", "subcategory": "Identity and Access Management", @@ -18922,8 +19176,8 @@ "service": "Azure Storage", "services": [ "Storage", - "Entra", - "AzurePolicy" + "AzurePolicy", + "Entra" ], "severity": "Medium", "subcategory": "Identity and Access Management", @@ -18940,9 +19194,9 @@ "service": "Azure Storage", "services": [ "Storage", + "AzurePolicy", "Entra", - "AKV", - "AzurePolicy" + "AKV" ], "severity": "Medium", "subcategory": "Identity and Access Management", @@ -18992,8 +19246,8 @@ "service": "Azure Storage", "services": [ "Storage", - "Entra", - "AzurePolicy" + "AzurePolicy", + "Entra" ], "severity": "High", "subcategory": "Identity and Access Management", @@ -19059,8 +19313,8 @@ "link": "https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support#sftp-permission-model", "service": "Azure Storage", "services": [ - "RBAC", "Storage", + "RBAC", "Entra" ], "severity": "High", @@ -19268,10 +19522,10 @@ "id": "02.02.01", "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-multi-region", "services": [ - "TrafficManager", "AKS", "FrontDoor", - "LoadBalancer" + "LoadBalancer", + "TrafficManager" ], "severity": "Medium", "subcategory": "High Availability", 
@@ -19321,8 +19575,8 @@ "link": "https://learn.microsoft.com/azure/aks/operator-best-practices-scheduler", "service": "AKS", "services": [ - "AKS", - "Cost" + "Cost", + "AKS" ], "severity": "Low", "simple": -1, @@ -19340,8 +19594,8 @@ "link": "https://learn.microsoft.com/azure/container-registry/container-registry-geo-replication", "service": "ACR", "services": [ - "AKS", - "ACR" + "ACR", + "AKS" ], "severity": "High", "subcategory": "High Availability", @@ -19372,8 +19626,8 @@ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/aks/eslz-cost-governance-with-kubecost", "service": "AKS", "services": [ - "AKS", - "Cost" + "Cost", + "AKS" ], "severity": "Low", "subcategory": "Cost", @@ -19389,8 +19643,8 @@ "link": "https://learn.microsoft.com/azure/aks/scale-down-mode", "service": "AKS", "services": [ - "AKS", - "Cost" + "Cost", + "AKS" ], "severity": "Low", "subcategory": "Cost", @@ -19406,8 +19660,8 @@ "link": "https://learn.microsoft.com/azure/aks/gpu-multi-instance", "service": "AKS", "services": [ - "AKS", - "Cost" + "Cost", + "AKS" ], "severity": "Medium", "subcategory": "Cost", @@ -19423,8 +19677,8 @@ "link": "https://learn.microsoft.com/azure/aks/start-stop-nodepools", "service": "AKS", "services": [ - "AKS", - "Cost" + "Cost", + "AKS" ], "severity": "Low", "subcategory": "Cost", @@ -19495,8 +19749,8 @@ "security": 1, "service": "AKS", "services": [ - "AKS", - "ACR" + "ACR", + "AKS" ], "severity": "Medium", "simple": -1, @@ -19889,8 +20143,8 @@ "security": 1, "service": "AKS", "services": [ - "AKS", "ACR", + "AKS", "AppGW" ], "severity": "Medium", @@ -19980,10 +20234,10 @@ "security": 1, "service": "AKS", "services": [ + "PrivateLink", "AKS", - "Cost", "VNet", - "PrivateLink" + "Cost" ], "severity": "Medium", "simple": -1, @@ -20299,8 +20553,8 @@ "security": 2, "service": "AKS", "services": [ - "WAF", - "AKS" + "AKS", + "WAF" ], "severity": "High", "simple": -1, 
@@ -20320,8 +20574,8 @@ "service": "AKS", "services": [ "AKS", - "VNet", - "DDoS" + "DDoS", + "VNet" ], "severity": "Medium", "subcategory": "Security", @@ -20372,8 +20626,8 @@ "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-metric-alerts", "service": "AKS", "services": [ - "Monitor", - "AKS" + "AKS", + "Monitor" ], "severity": "High", "simple": -1, @@ -20604,8 +20858,8 @@ "link": "https://learn.microsoft.com/azure/aks/monitor-aks", "service": "AKS", "services": [ - "Monitor", - "AKS" + "AKS", + "Monitor" ], "severity": "Low", "subcategory": "Compliance", @@ -20637,8 +20891,8 @@ "link": "https://learn.microsoft.com/azure/aks/spot-node-pool", "service": "AKS", "services": [ - "AKS", - "Cost" + "Cost", + "AKS" ], "severity": "Low", "simple": -1, @@ -20656,8 +20910,8 @@ "scale": 1, "service": "AKS", "services": [ - "AKS", - "Cost" + "Cost", + "AKS" ], "severity": "Low", "simple": -1, @@ -20674,8 +20928,8 @@ "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", "service": "AKS", "services": [ - "Monitor", - "AKS" + "AKS", + "Monitor" ], "severity": "High", "simple": -1, @@ -20693,8 +20947,8 @@ "link": "https://learn.microsoft.com/azure/azure-monitor/insights/container-insights-overview", "service": "AKS", "services": [ - "Monitor", - "AKS" + "AKS", + "Monitor" ], "severity": "High", "simple": -1, @@ -20711,8 +20965,8 @@ "link": "https://learn.microsoft.com/azure/azure-monitor/containers/container-insights-analyze", "service": "AKS", "services": [ - "Monitor", - "AKS" + "AKS", + "Monitor" ], "severity": "Medium", "simple": -1, @@ -20729,8 +20983,8 @@ "link": "https://learn.microsoft.com/azure/aks/configure-azure-cni", "service": "AKS", "services": [ - "Monitor", - "AKS" + "AKS", + "Monitor" ], "severity": "Medium", "simple": -1, 
@@ -20748,10 +21002,10 @@ "link": "https://learn.microsoft.com/azure/virtual-machines/premium-storage-performance", "service": "AKS", "services": [ - "EventHubs", - "Storage", "AKS", "Monitor", + "EventHubs", + "Storage", "ServiceBus" ], "severity": "Medium", @@ -20769,10 +21023,10 @@ "link": "https://learn.microsoft.com/azure/aks/load-balancer-standard", "service": "AKS", "services": [ - "Monitor", "AKS", "NVA", - "LoadBalancer" + "LoadBalancer", + "Monitor" ], "severity": "Medium", "simple": -1, @@ -20789,8 +21043,8 @@ "link": "https://learn.microsoft.com/azure/aks/aks-resource-health", "service": "AKS", "services": [ - "Monitor", - "AKS" + "AKS", + "Monitor" ], "severity": "Medium", "subcategory": "Monitoring", @@ -21523,8 +21777,8 @@ "id": "05.01.01", "link": "https://learn.microsoft.com/azure/backup/back-up-azure-stack-hyperconverged-infrastructure-virtual-machines", "services": [ - "VM", "ASR", + "VM", "Backup" ], "severity": "High", @@ -21809,8 +22063,8 @@ "id": "A01.02", "link": "https://learn.microsoft.com/azure/security-center/enable-azure-defender", "services": [ - "Monitor", - "Defender" + "Defender", + "Monitor" ], "severity": "High", "subcategory": "Pricing & Settings", @@ -21852,8 +22106,8 @@ "id": "A01.05", "link": "https://learn.microsoft.com/azure/security-center/security-center-enable-data-collection", "services": [ - "Defender", - "AzurePolicy" + "AzurePolicy", + "Defender" ], "severity": "Medium", "subcategory": "Pricing & Settings", @@ -21867,8 +22121,8 @@ "id": "A01.06", "link": "https://learn.microsoft.com/azure/security-center/security-center-provide-security-contact-details", "services": [ - "Defender", - "AzurePolicy" + "AzurePolicy", + "Defender" ], "severity": "Low", "subcategory": "Pricing & Settings", 
@@ -21910,8 +22164,8 @@ "id": "A01.09", "link": "https://learn.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal", "services": [ - "EventHubs", - "Defender" + "Defender", + "EventHubs" ], "severity": "High", "subcategory": "Pricing & Settings", @@ -21925,9 +22179,9 @@ "id": "A01.10", "link": "https://learn.microsoft.com/azure/security-center/continuous-export?tabs=azure-portal", "services": [ - "Monitor", + "Sentinel", "Defender", - "Sentinel" + "Monitor" ], "severity": "Medium", "subcategory": "Pricing & Settings", @@ -21969,9 +22223,9 @@ "id": "A01.13", "link": "https://learn.microsoft.com/azure/active-directory/app-proxy/application-proxy-integrate-with-microsoft-cloud-application-security", "services": [ - "Monitor", + "Entra", "Defender", - "Entra" + "Monitor" ], "severity": "Low", "subcategory": "Pricing & Settings", @@ -22014,8 +22268,8 @@ "id": "A03.01", "link": "https://learn.microsoft.com/azure/defender-for-cloud/tutorial-security-incident", "services": [ - "Monitor", - "Defender" + "Defender", + "Monitor" ], "severity": "Medium", "subcategory": "Security Alerts", @@ -22103,8 +22357,8 @@ "id": "A09.01", "link": "https://techcommunity.microsoft.com/t5/azure-network-security/azure-firewall-manager-is-now-integrated-with-azure-security/ba-p/2228679", "services": [ - "Firewall", - "Defender" + "Defender", + "Firewall" ], "severity": "Medium", "subcategory": "Firewall Manager", @@ -22119,9 +22373,9 @@ "id": "A09.02", "link": "https://learn.microsoft.com/azure/security/fundamentals/network-best-practices", "services": [ - "Firewall", + "Defender", "VNet", - "Defender" + "Firewall" ], "severity": "Medium", "subcategory": "Firewall Manager", @@ -22135,9 +22389,9 @@ "id": "A09.03", "link": "https://azure.microsoft.com/blog/how-azure-security-center-detects-ddos-attack-using-cyber-threat-intelligence/", "services": [ - "Firewall", + "DDoS", "Defender", - "DDoS" + "Firewall" ], "severity": "Medium", "subcategory": "Firewall Manager", 
@@ -22182,9 +22436,9 @@ "id": "B01.02", "link": "https://learn.microsoft.com/azure/virtual-network/ip-services/public-ip-addresses", "services": [ + "Firewall", "VM", - "EventHubs", - "Firewall" + "EventHubs" ], "severity": "High", "subcategory": "Public IPs", @@ -22273,8 +22527,8 @@ "id": "B02.05", "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-nsg-manage-log", "services": [ - "VNet", - "Sentinel" + "Sentinel", + "VNet" ], "severity": "Medium", "subcategory": "NSG", @@ -22303,8 +22557,8 @@ "id": "B03.02", "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview", "services": [ - "Firewall", - "VNet" + "VNet", + "Firewall" ], "severity": "High", "subcategory": "UDR", @@ -22405,8 +22659,8 @@ "id": "B04.06", "link": "https://learn.microsoft.com/azure/private-link/private-endpoint-overview", "services": [ - "VNet", - "PrivateLink" + "PrivateLink", + "VNet" ], "severity": "High", "subcategory": "Virtual Networks", @@ -22420,8 +22674,8 @@ "id": "B04.07", "link": "https://learn.microsoft.com/azure/virtual-network/monitor-virtual-network", "services": [ - "Monitor", - "VNet" + "VNet", + "Monitor" ], "severity": "High", "subcategory": "Virtual Networks", @@ -22436,8 +22690,8 @@ "link": "https://learn.microsoft.com/azure/virtual-network/kubernetes-network-policies", "services": [ "AKS", - "VNet", - "AzurePolicy" + "AzurePolicy", + "VNet" ], "severity": "High", "subcategory": "Virtual Networks", @@ -22451,8 +22705,8 @@ "id": "B04.09", "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-scenario-udr-gw-nva", "services": [ - "NVA", - "VNet" + "VNet", + "NVA" ], "severity": "High", "subcategory": "Virtual Networks", @@ -22466,9 +22720,9 @@ "id": "B04.10", "link": "https://learn.microsoft.com/azure/virtual-network/monitor-virtual-network", "services": [ - "Monitor", + "Sentinel", "VNet", - "Sentinel" + "Monitor" ], "severity": "High", "subcategory": "Virtual Networks", 
@@ -22497,8 +22751,8 @@ "id": "B06.01", "link": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about", "services": [ - "VWAN", - "RBAC" + "RBAC", + "VWAN" ], "severity": "High", "subcategory": "Virtual WAN", @@ -22542,9 +22796,9 @@ "id": "B07.02", "link": "https://learn.microsoft.com/azure/application-gateway/configuration-front-end-ip", "services": [ - "WAF", + "AppGW", "EventHubs", - "AppGW" + "WAF" ], "severity": "High", "subcategory": "Application Gateway", @@ -22558,9 +22812,9 @@ "id": "B07.03", "link": "https://learn.microsoft.com/azure/application-gateway/configuration-front-end-ip", "services": [ - "WAF", + "AppGW", "EventHubs", - "AppGW" + "WAF" ], "severity": "High", "subcategory": "Application Gateway", @@ -22603,9 +22857,9 @@ "id": "B08.02", "link": "https://learn.microsoft.com/security/benchmark/azure/baselines/front-door-security-baseline?toc=/azure/frontdoor/TOC.json", "services": [ - "WAF", "FrontDoor", - "AzurePolicy" + "AzurePolicy", + "WAF" ], "severity": "High", "subcategory": "FrontDoor", @@ -22648,8 +22902,8 @@ "id": "B08.05", "link": "https://learn.microsoft.com/azure/frontdoor/front-door-diagnostics", "services": [ - "FrontDoor", - "Sentinel" + "Sentinel", + "FrontDoor" ], "severity": "High", "subcategory": "FrontDoor", @@ -22790,8 +23044,8 @@ "id": "C02.04", "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-admins#managed-accounts-for-admins", "services": [ - "Entra", - "AzurePolicy" + "AzurePolicy", + "Entra" ], "severity": "High", "subcategory": "Privileged administration", @@ -22819,8 +23073,8 @@ "id": "C02.06", "link": "https://learn.microsoft.com/azure/architecture/framework/security/design-admins#admin-workstation-security", "services": [ - "Monitor", - "Entra" + "Entra", + "Monitor" ], "severity": "Medium", "subcategory": "Privileged administration", 
@@ -22961,8 +23215,8 @@ "id": "C06.01", "link": "https://learn.microsoft.com/azure/active-directory/authentication/tutorial-enable-sspr", "services": [ - "Entra", - "AzurePolicy" + "AzurePolicy", + "Entra" ], "severity": "High", "subcategory": "Password Reset", @@ -23046,9 +23300,9 @@ "id": "C08.01", "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-monitoring", "services": [ - "Monitor", + "Sentinel", "Entra", - "Sentinel" + "Monitor" ], "severity": "High", "subcategory": "Diagnostic Settings", @@ -23090,8 +23344,8 @@ "id": "C10.01", "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/concept-conditional-access-policy-common", "services": [ - "Entra", - "AzurePolicy" + "AzurePolicy", + "Entra" ], "severity": "High", "subcategory": "Conditional Access Policies", @@ -23105,8 +23359,8 @@ "id": "C10.02", "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/location-condition", "services": [ - "Entra", - "AzurePolicy" + "AzurePolicy", + "Entra" ], "severity": "Medium", "subcategory": "Conditional Access Policies", @@ -23120,8 +23374,8 @@ "id": "C10.03", "link": "https://learn.microsoft.com/azure/active-directory/authentication/tutorial-enable-azure-mfa", "services": [ - "Entra", - "AzurePolicy" + "AzurePolicy", + "Entra" ], "severity": "High", "subcategory": "Conditional Access Policies", @@ -23135,8 +23389,8 @@ "id": "C10.04", "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa", "services": [ - "Entra", - "AzurePolicy" + "AzurePolicy", + "Entra" ], "severity": "Medium", "subcategory": "Conditional Access Policies", 
@@ -23150,8 +23404,8 @@ "id": "C10.05", "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-azure-management", "services": [ - "Entra", - "AzurePolicy" + "AzurePolicy", + "Entra" ], "severity": "High", "subcategory": "Conditional Access Policies", @@ -23165,8 +23419,8 @@ "id": "C10.06", "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-block-legacy", "services": [ - "Entra", - "AzurePolicy" + "AzurePolicy", + "Entra" ], "severity": "High", "subcategory": "Conditional Access Policies", @@ -23180,8 +23434,8 @@ "id": "C10.07", "link": "https://learn.microsoft.com/azure/active-directory/conditional-access/require-managed-devices", "services": [ - "Entra", - "AzurePolicy" + "AzurePolicy", + "Entra" ], "severity": "High", "subcategory": "Conditional Access Policies", @@ -23196,8 +23450,8 @@ "id": "C11.01", "link": "https://devblogs.microsoft.com/premier-developer/azure-active-directory-automating-guest-user-management/", "services": [ - "Entra", - "AzurePolicy" + "AzurePolicy", + "Entra" ], "severity": "Medium", "subcategory": "Guest users", @@ -23225,8 +23479,8 @@ "id": "C13.01", "link": "https://learn.microsoft.com/azure/active-directory/roles/security-emergency-access", "services": [ - "Entra", - "AzurePolicy" + "AzurePolicy", + "Entra" ], "severity": "Medium", "subcategory": "Break Glass Accounts", @@ -23297,8 +23551,8 @@ "id": "D02.02", "link": "https://learn.microsoft.com/azure/backup/backup-azure-vms-first-look-arm", "services": [ - "VM", - "ASR" + "ASR", + "VM" ], "severity": "Medium", "subcategory": "High Availability ", @@ -23557,8 +23811,8 @@ "id": "E01.01", "link": "https://learn.microsoft.com/azure/sentinel/quickstart-onboard", "services": [ - "Monitor", - "Sentinel" + "Sentinel", + "Monitor" ], "severity": "High", "subcategory": "Architecture ", 
@@ -23586,9 +23840,9 @@ "id": "E01.03", "link": "https://learn.microsoft.com/azure/sentinel/multiple-workspace-view", "services": [ - "Monitor", "ACR", - "Sentinel" + "Sentinel", + "Monitor" ], "severity": "Medium", "subcategory": "Architecture ", @@ -23644,8 +23898,8 @@ "id": "E05.01", "link": "https://learn.microsoft.com/azure/sentinel/connect-azure-active-directory", "services": [ - "Entra", - "Sentinel" + "Sentinel", + "Entra" ], "severity": "High", "subcategory": "Data Connectors", @@ -23659,8 +23913,8 @@ "id": "E05.02", "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference#azure-active-directory-identity-protection", "services": [ - "Entra", - "Sentinel" + "Sentinel", + "Entra" ], "severity": "High", "subcategory": "Data Connectors", @@ -23688,8 +23942,8 @@ "id": "E05.04", "link": "https://learn.microsoft.com/azure/sentinel/connect-defender-for-cloud", "services": [ - "Defender", - "Sentinel" + "Sentinel", + "Defender" ], "severity": "High", "subcategory": "Data Connectors", @@ -23703,8 +23957,8 @@ "id": "E05.05", "link": "https://learn.microsoft.com/azure/sentinel/data-connectors-reference#azure-firewall", "services": [ - "Firewall", - "Sentinel" + "Sentinel", + "Firewall" ], "severity": "High", "subcategory": "Data Connectors", @@ -23873,8 +24127,8 @@ "id": "F03.01", "link": "https://learn.microsoft.com/azure/firewall/firewall-diagnostics", "services": [ - "Monitor", - "Firewall" + "Firewall", + "Monitor" ], "severity": "Medium", "subcategory": "Diagnostic Settings", @@ -23888,8 +24142,8 @@ "id": "F04.01", "link": "https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview", "services": [ - "Firewall", - "VNet" + "VNet", + "Firewall" ], "severity": "High", "subcategory": "Firewall Manager", 
@@ -23904,8 +24158,8 @@ "link": "https://techcommunity.microsoft.com/t5/azure-network-security/role-based-access-control-for-azure-firewall/ba-p/2245598", "services": [ "RBAC", - "Firewall", - "AzurePolicy" + "AzurePolicy", + "Firewall" ], "severity": "High", "subcategory": "Firewall Manager", @@ -23919,8 +24173,8 @@ "id": "F04.03", "link": "https://learn.microsoft.com/azure/firewall-manager/policy-overview", "services": [ - "Firewall", - "AzurePolicy" + "AzurePolicy", + "Firewall" ], "severity": "High", "subcategory": "Firewall Manager", @@ -23934,8 +24188,8 @@ "id": "F04.04", "link": "https://learn.microsoft.com/azure/firewall/rule-processing", "services": [ - "Firewall", - "AzurePolicy" + "AzurePolicy", + "Firewall" ], "severity": "High", "subcategory": "Firewall Manager", @@ -23949,8 +24203,8 @@ "id": "F04.05", "link": "https://learn.microsoft.com/azure/firewall/rule-processing", "services": [ - "Firewall", - "AzurePolicy" + "AzurePolicy", + "Firewall" ], "severity": "High", "subcategory": "Firewall Manager", @@ -23964,8 +24218,8 @@ "id": "F04.06", "link": "https://learn.microsoft.com/azure/firewall/rule-processing", "services": [ - "Firewall", - "AzurePolicy" + "AzurePolicy", + "Firewall" ], "severity": "High", "subcategory": "Firewall Manager", @@ -23979,8 +24233,8 @@ "id": "F04.07", "link": "https://learn.microsoft.com/azure/firewall/features", "services": [ - "Firewall", - "AzurePolicy" + "AzurePolicy", + "Firewall" ], "severity": "High", "subcategory": "Firewall Manager", @@ -24079,8 +24333,8 @@ "id": "F05.01", "link": "https://learn.microsoft.com/azure/security/fundamentals/ddos-best-practices", "services": [ - "Firewall", - "DDoS" + "DDoS", + "Firewall" ], "severity": "Medium", "subcategory": "DDOS Protection", 
@@ -24106,8 +24360,8 @@ "guid": "aa359271-8e6e-4205-8725-769e46691e88", "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#azure-subscription-and-service-limits", "services": [ - "Arc", - "Entra" + "Entra", + "Arc" ], "severity": "Medium", "subcategory": "Capacity Planning", @@ -24121,8 +24375,8 @@ "guid": "deace4bb-1deb-44c6-9fc3-fc14eeaa3692", "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#azure-resource-providers", "services": [ - "Arc", - "Subscriptions" + "Subscriptions", + "Arc" ], "severity": "High", "subcategory": "General", @@ -24191,8 +24445,8 @@ "guid": "f9ccbd86-8266-4abc-a264-f9a19bf39d95", "link": "https://learn.microsoft.com/azure/azure-arc/servers/organize-inventory-servers#organize-resources-with-built-in-azure-hierarchies", "services": [ - "Arc", - "Subscriptions" + "Subscriptions", + "Arc" ], "severity": "Low", "subcategory": "Organization", @@ -24206,9 +24460,9 @@ "guid": "9bf39d95-d44c-47c8-a19c-a1f6d5215ae5", "link": "https://learn.microsoft.com/azure/azure-arc/servers/security-overview#identity-and-access-control", "services": [ - "Arc", "RBAC", - "Entra" + "Entra", + "Arc" ], "severity": "Medium", "subcategory": "Access", @@ -24221,9 +24475,9 @@ "guid": "14ba34d4-585e-4111-89bd-7ba012f7b94e", "link": "https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-nonaad", "services": [ - "Arc", "Entra", - "AKV" + "AKV", + "Arc" ], "severity": "Low", "subcategory": "Access", @@ -24237,9 +24491,9 @@ "guid": "35ac9322-23e1-4380-8523-081a94174158", "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#azure-subscription-and-service-limits", "services": [ - "Arc", "Entra", - "Subscriptions" + "Subscriptions", + "Arc" ], "severity": "High", "subcategory": "Requirements", 
@@ -24253,9 +24507,9 @@ "guid": "33ee7ad6-c6d3-4733-865c-7acbe44bbe60", "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#required-permissions", "services": [ - "Arc", "RBAC", - "Entra" + "Entra", + "Arc" ], "severity": "Medium", "subcategory": "Requirements", @@ -24269,9 +24523,9 @@ "guid": "9d79f2e8-7778-4424-a516-775c6fa95b96", "link": "https://learn.microsoft.com/azure/azure-arc/servers/onboard-service-principal#create-a-service-principal-for-onboarding-at-scale", "services": [ - "Arc", "RBAC", - "Entra" + "Entra", + "Arc" ], "severity": "Medium", "subcategory": "Security", @@ -24285,9 +24539,9 @@ "guid": "ad88408e-3727-434b-a76b-a28f21459013", "link": "https://learn.microsoft.com/azure/azure-arc/servers/onboard-service-principal#create-a-service-principal-for-onboarding-at-scale", "services": [ - "Arc", "RBAC", - "Entra" + "Entra", + "Arc" ], "severity": "Medium", "subcategory": "Security", @@ -24301,9 +24555,9 @@ "guid": "65d38e53-f9cc-4bd8-9826-6abca264f9a1", "link": "https://learn.microsoft.com/azure/azure-arc/servers/prerequisites#required-permissions", "services": [ - "Arc", "RBAC", - "Entra" + "Entra", + "Arc" ], "severity": "Medium", "subcategory": "Security", @@ -24348,8 +24602,8 @@ "link": "https://learn.microsoft.com/azure/azure-arc/servers/manage-vm-extensions", "services": [ "Monitor", - "Arc", - "AzurePolicy" + "AzurePolicy", + "Arc" ], "severity": "Medium", "subcategory": "Management", @@ -24506,10 +24760,10 @@ "guid": "94174158-33ee-47ad-9c6d-3733165c7acb", "link": "https://learn.microsoft.com/azure/azure-arc/servers/private-link-security", "services": [ - "ExpressRoute", - "Arc", "PrivateLink", - "VPN" + "ExpressRoute", + "VPN", + "Arc" ], "severity": "Medium", "subcategory": "Networking", 
@@ -24565,9 +24819,9 @@ "guid": "a264f9a1-9bf3-49d9-9d44-c7c8919ca1f6", "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/hybrid/arc-enabled-servers/eslz-arc-servers-connectivity#define-extensions-connectivity-method", "services": [ + "PrivateLink", "Monitor", - "Arc", - "PrivateLink" + "Arc" ], "severity": "Low", "subcategory": "Networking", @@ -24580,8 +24834,8 @@ "guid": "ac6aae01-e6a8-44de-9df4-7d2d92881b1c", "link": "https://learn.microsoft.com/azure/governance/policy/", "services": [ - "Arc", - "AzurePolicy" + "AzurePolicy", + "Arc" ], "severity": "Medium", "subcategory": "Management", @@ -24607,8 +24861,8 @@ "guid": "667357c4-4967-44c5-bd85-b859c7733be2", "link": "https://learn.microsoft.com/azure/governance/machine-configuration/machine-configuration-create", "services": [ - "Arc", - "AzurePolicy" + "AzurePolicy", + "Arc" ], "severity": "Medium", "subcategory": "Management", @@ -24648,8 +24902,8 @@ "guid": "195abb91-a4ed-490d-ae2c-c84c37b6b780", "link": "https://learn.microsoft.com/azure/key-vault/general/basic-concepts", "services": [ - "Arc", - "AKV" + "AKV", + "Arc" ], "severity": "Medium", "subcategory": "Secrets", @@ -24663,10 +24917,10 @@ "guid": "6d02bfe4-564b-40d8-94a3-48726ee79d6b", "link": "https://learn.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal#option-2-create-a-new-application-secret", "services": [ - "Arc", "Storage", "Entra", - "AKV" + "AKV", + "Arc" ], "severity": "High", "subcategory": "Secrets", @@ -24680,8 +24934,8 @@ "guid": "a1a27b77-5a91-4be1-b388-ff394c2bd463", "link": "https://learn.microsoft.com/azure/azure-arc/servers/security-overview#using-disk-encryption", "services": [ - "Arc", - "AKV" + "AKV", + "Arc" ], "severity": "Medium", "subcategory": "Secrets", 
@@ -24722,8 +24976,8 @@ "guid": "4b69bad3-8aad-453c-a78e-1d76667357c4", "link": "https://learn.microsoft.com/azure/azure-arc/servers/managed-identity-authentication", "services": [ - "Arc", - "Entra" + "Entra", + "Arc" ], "severity": "Medium", "subcategory": "Security", @@ -24737,8 +24991,8 @@ "guid": "5a91be1f-388f-4f39-9c2b-d463cbbbc868", "link": "https://learn.microsoft.com/azure/security-center/security-center-get-started", "services": [ - "Arc", - "Defender" + "Defender", + "Arc" ], "severity": "Medium", "subcategory": "Security", @@ -24773,7 +25027,7 @@ ], "metadata": { "name": "Master checklist", - "timestamp": "January 10, 2024" + "timestamp": "January 11, 2024" }, "severities": [ { diff --git a/checklists/sap_checklist.en.json b/checklists/sap_checklist.en.json index 66439c3fd..95013363c 100644 --- a/checklists/sap_checklist.en.json +++ b/checklists/sap_checklist.en.json 
@@ -1,5 +1,66 @@
 {
 "items": [
+ {
+ "category": "Business Continuity and Disaster Recovery",
+ "subcategory": " ",
+ "text": "Azure doesn't currently support combining ASCS and db HA in the same Linux Pacemaker cluster; separate them into individual clusters. However, you can combine up to five multiple central-services clusters into a pair of VMs.",
+ "guid": "80dc0591-cf65-4de8-b130-9cccd579266b",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment"
+ },
+ {
+ "category": "Business Continuity and Disaster Recovery",
+ "subcategory": " ",
+ "text": "Use a Standard Load Balancer SKU in front of ASCS and DB clusters",
+ "guid": "cca275fa-a1ab-4fe9-b55d-04c3c4919cb1",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/security-control-incident-response"
+ },
+ {
+ "category": "Business Continuity and Disaster Recovery",
+ "subcategory": " ",
+ "text": "Both VMs in the HA pair should be deployed in an availability set, or Availability Zones should be the same size and have the same storage configuration",
+ "guid": "b3d1325a-e124-4ba3-9df6-85eddce9bd3b",
+ "severity": "Medium",
+ "link": "https://www.microsoft.com/itshowcase/implementing-a-zero-trust-security-model-at-microsoft"
+ },
+ {
+ "category": "Business Continuity and Disaster Recovery",
+ "subcategory": " ",
+ "text": "Native database replication technology should be used to synchronize the database in a HA pair.",
+ "guid": "b0cdb3b5-5eb2-4ec1-9eea-a3592829e2ed",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/security-control-incident-response"
+ },
+ {
+ "category": "Business Continuity and Disaster Recovery",
+ "subcategory": " ",
+ "text": "Perform a point-in-time recovery for your production databases at any point and in a time frame that meets your RTO; point-in-time recovery typically includes operator errors deleting data either on the DBMS layer or through SAP, incidentally",
+ "guid": "b2173676-aff6-4691-a493-5ada42223ece",
+ "severity": "Medium",
+ "link": "https://learn.microsoft.com/security/benchmark/azure/security-control-incident-response"
+ },
+ {
+ "category": "Business Continuity and Disaster Recovery",
+ "subcategory": " ",
+ "text": "The CIDR for the primary virtual network (VNet) shouldn't conflict or overlap with the CIDR of the DR site's Vnet",
+ "guid": "81b12318-1a54-4174-8583-3fb4ae3c2df7",
+ "severity": "Medium"
+ },
+ {
+ "category": "Business Continuity and Disaster Recovery",
+ "subcategory": " ",
+ "text": "Use Site Recovery to replicate an application server to a DR site. Site Recovery can also help with replicating central-services cluster VMs to the DR site. When you invoke DR, you'll need to reconfigure the Linux Pacemaker cluster on the DR site (for example, replace the VIP or SBD, run corosync.conf, and more).",
+ "guid": "43165c3a-cbe0-45bb-b209-d490da477784",
+ "severity": "Medium"
+ },
+ {
+ "category": "Business Continuity and Disaster Recovery",
+ "subcategory": " ",
+ "text": "Native database replication should be used to synchronize data to the DR site, rather than Azure Site Recovery",
+ "guid": "24d11678-5d2f-4a56-a56a-d48408fe7273",
+ "severity": "Medium"
+ },
 {
 "category": "Business Continuity and Disaster Recovery",
 "subcategory": "High availability",
@@ -72,7 +133,7 @@
 "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations",
 "link": "https://learn.microsoft.com/azure/virtual-machines/availability"
 },
- {
+ {
 "category": "Business Continuity and Disaster Recovery",
 "subcategory": "High availability",
 "text": "If you want to meet the infrastructure SLAs for your applications for SAP components (central services, application servers, and databases), you must choose the same high availability options (VMs, availability sets, availability zones) for all components.",
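Review bot: Several of the eight entries added at the top of `items` (hunk `@@ -1,5 +1,66 @@`) carry a `link` that does not match their `text`: the Standard Load Balancer, native-replication and point-in-time-recovery items all point at `…/security-control-incident-response`, the Pacemaker item at `…/azure-monitor/logs/design-logs-deployment`, and the HA-pair sizing item at an IT Showcase zero-trust article. Anyone working through the checklist who follows those links lands on unrelated guidance, so each entry should either reference the SAP high-availability or DR page that backs the recommendation or omit `link`, as the last three added items already do. All eight also have `"subcategory": " "` (a single space), which presumably leaves them ungrouped next to the existing `"High availability"` entries; an explicit value would fix that. The `text` of the third item (`deployed in an availability set, or Availability Zones should be the same size…`) reads as two sentences merged and is worth rewording.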
@@ -123,74 +184,6 @@ "severity": "High", "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios" }, - - - - - - - - { - "category": "Business Continuity and Disaster Recovery", - "subcategory": " ", - "text": "Azure doesn't currently support combining ASCS and db HA in the same Linux Pacemaker cluster; separate them into individual clusters. However, you can combine up to five multiple central-services clusters into a pair of VMs.", - "guid": "80dc0591-cf65-4de8-b130-9cccd579266b", - "severity": "Medium", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/design-logs-deployment" - }, - { - "category": "Business Continuity and Disaster Recovery", - "subcategory": " ", - "text": "Use a Standard Load Balancer SKU in front of ASCS and DB clusters", - "guid": "cca275fa-a1ab-4fe9-b55d-04c3c4919cb1", - "severity": "Medium", - "link": "https://learn.microsoft.com/security/benchmark/azure/security-control-incident-response" - }, - { - "category": "Business Continuity and Disaster Recovery", - "subcategory": " ", - "text": "Both VMs in the HA pair should be deployed in an availability set, or Availability Zones should be the same size and have the same storage configuration", - "guid": "b3d1325a-e124-4ba3-9df6-85eddce9bd3b", - "severity": "Medium", - "link": "https://www.microsoft.com/itshowcase/implementing-a-zero-trust-security-model-at-microsoft" - }, - { - "category": "Business Continuity and Disaster Recovery", - "subcategory": " ", - "text": "Native database replication technology should be used to synchronize the database in a HA pair.", - "guid": "b0cdb3b5-5eb2-4ec1-9eea-a3592829e2ed", - "severity": "Medium", - "link": "https://learn.microsoft.com/security/benchmark/azure/security-control-incident-response" - }, - { - "category": "Business Continuity and Disaster Recovery", - "subcategory": " ", - "text": "Perform a point-in-time recovery for your production databases at any point and in a time frame that meets your RTO; 
point-in-time recovery typically includes operator errors deleting data either on the DBMS layer or through SAP, incidentally", - "guid": "b2173676-aff6-4691-a493-5ada42223ece", - "severity": "Medium", - "link": "https://learn.microsoft.com/security/benchmark/azure/security-control-incident-response" - }, - { - "category": "Business Continuity and Disaster Recovery", - "subcategory": " ", - "text": "The CIDR for the primary virtual network (VNet) shouldn't conflict or overlap with the CIDR of the DR site's Vnet", - "guid": "81b12318-1a54-4174-8583-3fb4ae3c2df7", - "severity": "Medium" - }, - { - "category": "Business Continuity and Disaster Recovery", - "subcategory": " ", - "text": "Use Site Recovery to replicate an application server to a DR site. Site Recovery can also help with replicating central-services cluster VMs to the DR site. When you invoke DR, you'll need to reconfigure the Linux Pacemaker cluster on the DR site (for example, replace the VIP or SBD, run corosync.conf, and more).", - "guid": "43165c3a-cbe0-45bb-b209-d490da477784", - "severity": "Medium" - }, - { - "category": "Business Continuity and Disaster Recovery", - "subcategory": " ", - "text": "Native database replication should be used to synchronize data to the DR site, rather than Azure Site Recovery", - "guid": "24d11678-5d2f-4a56-a56a-d48408fe7273", - "severity": "Medium" - }, { "category": "Compute", "subcategory": " ", 
@@ -860,60 +853,6 @@ "severity": "Medium", "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration" }, - { - "category": "Security, Governance and Compliance", - "subcategory": "Security", - "text": "Customize role-based access control (RBAC) roles for SAP on Azure spoke subscriptions to avoid accidental network-related changes", - "guid": "209d490d-a477-4784-84d1-16785d2fa56c", - "severity": "High", - "training": "https://learn.microsoft.com/training/modules/secure-azure-resources-with-rbac/?source=recommendations", - "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles" - }, - { - "category": "Security, Governance and Compliance", - "subcategory": "Security", - "text": "Isolate DMZs and NVAs from the rest of the SAP estate, configure Azure Private Link, and securely manage and control the SAP on Azure resources", - "guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591", - "severity": "High", - "training": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/secure-vnet-dmz?tabs=portal", - "link": "https://blogs.sap.com/2019/07/21/sap-security-operations-on-azure/" - }, - { - "category": "Security, Governance and Compliance", - "subcategory": "Secrets", - "text": "Encrypting SAP HANA database servers on Azrue uses SAP HANA native encryption technology. 
Additionally, if you are using SQL Server on Azure, use Transparent Data Encryption (TDE) to protect your data and log files and ensure that your backups are also encrypted.", - "guid": "cf65de8e-1309-4ccc-b579-266bcca275fa", - "severity": "High", - "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance" - }, - { - "category": "Security, Governance and Compliance", - "subcategory": "Secrets", - "text": "Azure Storage encryption is enabled for all Azure Resource Manager and classic storage accounts, and can't be disabled. Because your data is encrypted by default, you don't need to modify your code or applications to use Azure Storage encryption.", - "guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a", - "severity": "Medium", - "training": "https://learn.microsoft.com/training/modules/encrypt-sector-data/?source=recommendations", - "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption" - }, - { - "category": "Security, Governance and Compliance", - "subcategory": "Security", - "text": "Consider using Microsoft anti-malware software on Azure to protect your virtual machines from malicious files, adware, and other threats.", - "guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5", - "severity": "Low", - "training": "https://azure.microsoft.com/blog/deploying-antimalware-solutions-on-azure-virtual-machines/", - "link": "https://learn.microsoft.com/en-us/training/modules/secure-vms-with-azure-security-center/?source=recommendations" - }, - { - "category": "Security, Governance and Compliance", - "subcategory": "Security", - "text": "For even more powerful protection, consider using Microsoft Defender for Endpoint.", - "guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676", - "severity": "Low", - "training": 
"https://learn.microsoft.com/training/modules/implement-endpoint-protection-use-microsoft-defender/?source=recommendations", - "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide" - }, { "category": "Security, Governance and Compliance", "subcategory": "Governance", 
@@ -932,33 +871,6 @@ "training": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html", "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations" }, - { - "category": "Security, Governance and Compliance", - "subcategory": "Security", - "text": "Isolate the SAP application and database servers from the internet or from the on-premises network by passing all traffic through the hub virtual network, which is connected to the spoke network by virtual network peering. The peered virtual networks guarantee that the SAP on Azure solution is isolated from the public internet.", - "guid": "87a924c4-25c2-419f-a2f0-96c7c4fe4525", - "severity": "High", - "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/?source=recommendations", - "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape" - }, - { - "category": "Security, Governance and Compliance", - "subcategory": "Security", - "text": "For internet-facing applications like SAP Fiori, make sure to distribute load per application requirements while maintaining security levels. For Layer 7 security, you can use a third-party Web Application Firewall (WAF) available in the Azure Marketplace.", - "guid": "491ca1c4-3d40-42c0-9d85-b8933999590b", - "severity": "Low", - "training": "https://learn.microsoft.com/training/modules/simplify-cloud-procurement-governance-azure-marketplace/?source=recommendations", - "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance" - }, - { - "category": "Security, Governance and Compliance", - "subcategory": "Security", - "text": "To enable secure communication in Azure Monitor for SAP solutions, you can choose to use either a root certificate or a server certificate. 
We highly recommend that you use root certificates.", - "guid": "9fc945b9-0527-47af-8200-9d652fe02fcc", - "severity": "Medium", - "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", - "link": "https://learn.microsoft.com/azure/sap/monitor/enable-tls-azure-monitor-sap-solutions" - }, { "category": "Security, Governance and Compliance", "subcategory": "Governance", 
@@ -975,7 +887,25 @@ "severity": "High", "training": "https://me.sap.com/notes/3019299/E", "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security" - }, + }, + { + "category": "Security, Governance and Compliance", + "subcategory": "Secrets", + "text": "Encrypting SAP HANA database servers on Azrue uses SAP HANA native encryption technology. Additionally, if you are using SQL Server on Azure, use Transparent Data Encryption (TDE) to protect your data and log files and ensure that your backups are also encrypted.", + "guid": "cf65de8e-1309-4ccc-b579-266bcca275fa", + "severity": "High", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance" + }, + { + "category": "Security, Governance and Compliance", + "subcategory": "Secrets", + "text": "Azure Storage encryption is enabled for all Azure Resource Manager and classic storage accounts, and can't be disabled. Because your data is encrypted by default, you don't need to modify your code or applications to use Azure Storage encryption.", + "guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a", + "severity": "Medium", + "training": "https://learn.microsoft.com/training/modules/encrypt-sector-data/?source=recommendations", + "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption" + }, { "category": "Security, Governance and Compliance", "subcategory": "Secrets", 
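Review bot: The first Secrets item added in this hunk (guid `cf65de8e-1309-4ccc-b579-266bcca275fa`, severity High) misspells Azure as "Azrue". It also folds three separate checks, HANA native encryption, SQL Server TDE and backup encryption, into one entry, so a review cannot record them independently. For the first sentence I would write `Encrypt SAP HANA database servers on Azure with SAP HANA native encryption technology.` and consider giving the SQL Server and backup checks their own entries. The second added item (guid `a1abfe9d-55d0-44c3-a491-9cb1b3d1325a`) states a platform default ("can't be disabled") and gives the reviewer nothing to verify; phrase it as a check or mark it as informational.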
@@ -1074,6 +1004,69 @@ "severity": "Medium", "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices" }, + { + "category": "Security, Governance and Compliance", + "subcategory": "Security", + "text": "Customize role-based access control (RBAC) roles for SAP on Azure spoke subscriptions to avoid accidental network-related changes", + "guid": "209d490d-a477-4784-84d1-16785d2fa56c", + "severity": "High", + "training": "https://learn.microsoft.com/training/modules/secure-azure-resources-with-rbac/?source=recommendations", + "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles" + }, + { + "category": "Security, Governance and Compliance", + "subcategory": "Security", + "text": "Isolate DMZs and NVAs from the rest of the SAP estate, configure Azure Private Link, and securely manage and control the SAP on Azure resources", + "guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591", + "severity": "High", + "training": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/secure-vnet-dmz?tabs=portal", + "link": "https://blogs.sap.com/2019/07/21/sap-security-operations-on-azure/" + }, + { + "category": "Security, Governance and Compliance", + "subcategory": "Security", + "text": "Consider using Microsoft anti-malware software on Azure to protect your virtual machines from malicious files, adware, and other threats.", + "guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5", + "severity": "Low", + "training": "https://azure.microsoft.com/blog/deploying-antimalware-solutions-on-azure-virtual-machines/", + "link": "https://learn.microsoft.com/en-us/training/modules/secure-vms-with-azure-security-center/?source=recommendations" + }, + { + "category": "Security, Governance and Compliance", + "subcategory": "Security", + "text": "For even more powerful protection, consider using Microsoft Defender for Endpoint.", + "guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676", + "severity": "Low", + "training": 
"https://learn.microsoft.com/training/modules/implement-endpoint-protection-use-microsoft-defender/?source=recommendations", + "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide" + }, + { + "category": "Security, Governance and Compliance", + "subcategory": "Security", + "text": "Isolate the SAP application and database servers from the internet or from the on-premises network by passing all traffic through the hub virtual network, which is connected to the spoke network by virtual network peering. The peered virtual networks guarantee that the SAP on Azure solution is isolated from the public internet.", + "guid": "87a924c4-25c2-419f-a2f0-96c7c4fe4525", + "severity": "High", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/?source=recommendations", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape" + }, + { + "category": "Security, Governance and Compliance", + "subcategory": "Security", + "text": "For internet-facing applications like SAP Fiori, make sure to distribute load per application requirements while maintaining security levels. For Layer 7 security, you can use a third-party Web Application Firewall (WAF) available in the Azure Marketplace.", + "guid": "491ca1c4-3d40-42c0-9d85-b8933999590b", + "severity": "Low", + "training": "https://learn.microsoft.com/training/modules/simplify-cloud-procurement-governance-azure-marketplace/?source=recommendations", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance" + }, + { + "category": "Security, Governance and Compliance", + "subcategory": "Security", + "text": "To enable secure communication in Azure Monitor for SAP solutions, you can choose to use either a root certificate or a server certificate. 
We highly recommend that you use root certificates.", + "guid": "9fc945b9-0527-47af-8200-9d652fe02fcc", + "severity": "Medium", + "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations", + "link": "https://learn.microsoft.com/azure/sap/monitor/enable-tls-azure-monitor-sap-solutions" + }, { "category": "Storage", "subcategory": " ", @@ -1127,6 +1120,6 @@ "metadata": { "name": "Azure Landing Zone Review", "state": "Preview", - "timestamp": "November 24, 2023" + "timestamp": "January 11, 2024" } } \ No newline at end of file diff --git a/checklists/sap_checklist.es.json b/checklists/sap_checklist.es.json index 32fa20ed8..276671f9b 100644 --- a/checklists/sap_checklist.es.json +++ b/checklists/sap_checklist.es.json 
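Review bot: The network-isolation item added in the `@@ -1074,6 +1004,69 @@` hunk (guid `87a924c4-25c2-419f-a2f0-96c7c4fe4525`, severity High) ends with "The peered virtual networks guarantee that the SAP on Azure solution is isolated from the public internet", which overstates what peering provides. Peering only connects the spoke to the hub; isolation depends on the VMs having no public IP addresses and on the NSG, route and firewall configuration. I would replace that sentence with `Verify that SAP VMs have no public IP addresses and that NSGs and routes force inbound and outbound traffic through the hub.` In the same hunk the anti-malware item (guid `e124ba34-df68-45ed-bce9-bd3bb0cdb3b5`) has a blog post under `training` and a training module under `link`, with an `en-us` locale segment the other links lack, so the two values look swapped.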
@@ -17,38 +17,6 @@ } ], "items": [ - { - "category": "Continuidad del negocio y recuperación ante desastres", - "guid": "aff6691b-4935-4ada-9222-3ece81b12318", - "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-reports", - "severity": "Medio", - "subcategory": " ", - "text": "No combine ASCS y el clúster de base de datos en una sola máquina virtual o en la misma máquina virtual" - }, - { - "category": "Continuidad del negocio y recuperación ante desastres", - "guid": "1a541741-5833-4fb4-ae3c-2df743165c3a", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/logs-data-export?tabs=portal", - "severity": "Medio", - "subcategory": " ", - "text": "Asegúrese de que la IP flotante esté habilitada en el equilibrador de carga" - }, - { - "category": "Continuidad del negocio y recuperación ante desastres", - "guid": "cbe05bbe-209d-4490-ba47-778424d11678", - "link": "https://learn.microsoft.com/azure/security-center/", - "severity": "Medio", - "subcategory": " ", - "text": "No mezcle servidores de diferentes roles en el mismo conjunto de disponibilidad. Mantenga las máquinas virtuales de servicios centrales, las máquinas virtuales de base de datos y las máquinas virtuales de aplicaciones en sus propios conjuntos de disponibilidad" - }, - { - "category": "Continuidad del negocio y recuperación ante desastres", - "guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2", - "link": "https://learn.microsoft.com/azure/security-center/", - "severity": "Medio", - "subcategory": " ", - "text": "Use un grupo de selección de ubicación de proximidad por SID de SAP. Los grupos no abarcan zonas de disponibilidad ni regiones de Azure" - }, { "category": "Continuidad del negocio y recuperación ante desastres", "guid": "80dc0591-cf65-4de8-b130-9cccd579266b", 
@@ -101,7 +69,7 @@ "guid": "43165c3a-cbe0-45bb-b209-d490da477784", "severity": "Medio", "subcategory": " ", - "text": "Use Site Recovery para replicar un servidor de aplicaciones en un sitio de recuperación ante desastres. Site Recovery también puede ayudar a replicar máquinas virtuales de clúster de servicios centrales en el sitio de recuperación ante desastres. Al invocar la recuperación ante desastres, deberá volver a configurar el clúster de Linux Pacemaker en el sitio de recuperación ante desastres (por ejemplo, reemplazar la VIP o SBD, ejecutar corosync.conf, etc.)." + "text": "Use Site Recovery para replicar un servidor de aplicaciones en un sitio de recuperación ante desastres. Site Recovery también puede ayudar a replicar máquinas virtuales de clúster de servicios centrales en el sitio de recuperación ante desastres. Al invocar la recuperación ante desastres, deberá volver a configurar el clúster de Linux Pacemaker en el sitio de recuperación ante desastres (por ejemplo, reemplazar el VIP o SBD, ejecutar corosync.conf, etc.)." }, { "category": "Continuidad del negocio y recuperación ante desastres", 
@@ -110,12 +78,135 @@ "subcategory": " ", "text": "La replicación nativa de la base de datos debe usarse para sincronizar los datos con el sitio de recuperación ante desastres, en lugar de Azure Site Recovery" }, + { + "category": "Continuidad del negocio y recuperación ante desastres", + "guid": "8300cb30-766b-4084-b126-0dd8fb1269a1", + "link": "https://learn.microsoft.com/azure/sap/workloads/sap-high-availability-architecture-scenario", + "severity": "Alto", + "subcategory": "Alta disponibilidad", + "text": "Considere la disponibilidad del software de SAP frente a puntos únicos de fallo. Esto incluye puntos únicos de falla dentro de aplicaciones como DBMS utilizados en las arquitecturas SAP NetWeaver y SAP S/4HANA, SAP ABAP y ASCS + SCS. También, otras herramientas como SAP Web Dispatcher.", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/2-explore-high-availability-disaster-recovery-support-azure-for-sap-workloads?source=recommendations" + }, + { + "category": "Continuidad del negocio y recuperación ante desastres", + "guid": "56402f11-ccbe-42c3-a2f6-c6f6f38ab579", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-supported-configurations", + "severity": "Alto", + "subcategory": "Alta disponibilidad", + "text": "En el caso de SAP y bases de datos de SAP, considere la posibilidad de implementar clústeres de conmutación por error automática. En Windows, los clústeres de conmutación por error de Windows Server admiten la conmutación por error. 
En Linux, Linux Pacemaker o herramientas de terceros como SIOS Protection Suite y Veritas InfoScale admiten la conmutación por error.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations" + }, + { + "category": "Continuidad del negocio y recuperación ante desastres", + "guid": "afae6bec-2671-49ae-bc69-140b8ec8d320", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", + "severity": "Alto", + "subcategory": "Alta disponibilidad", + "text": "Azure no admite arquitecturas en las que las máquinas virtuales principal y secundaria compartan el almacenamiento de los datos de DBMS. Para la capa DBMS, el patrón de arquitectura común es replicar bases de datos al mismo tiempo y con pilas de almacenamiento diferentes a las que usan las máquinas virtuales principal y secundaria.", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/?source=recommendationshttps%3A%2F%2Flearn.microsoft.com%2Fja-jp%2Ftraining%2Fpaths%2Fensure-business-continuity-implement-disaster-recovery%2F%3Fsource%3Drecommendations" + }, + { + "category": "Continuidad del negocio y recuperación ante desastres", + "guid": "ac614e95-6767-4bc3-b8a4-9953533da6ba", + "link": "https://learn.microsoft.com/azure/sap/workloads/dbms-guide-general", + "severity": "Alto", + "subcategory": "Alta disponibilidad", + "text": "Los datos de DBMS y los archivos de registro de transacciones y puesta al día se almacenan en el almacenamiento en bloque compatible con Azure o en Azure NetApp Files. 
Azure Files o Azure Premium Files no se admiten como almacenamiento para datos de DBMS o archivos de registro de puesta al día con la carga de trabajo de SAP.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-databases/2-explore-database-support-azure-for-sap-workloads" + }, + { + "category": "Continuidad del negocio y recuperación ante desastres", + "guid": "1f737179-8e7f-4e1a-a30c-e5a649a3092b", + "link": "https://learn.microsoft.com/azure/sap/workloads/sap-high-availability-guide-wsfc-shared-disk", + "severity": "Alto", + "subcategory": "Alta disponibilidad", + "text": "Puede usar discos compartidos de Azure en Windows para componentes ASCS + SCS y escenarios específicos de alta disponibilidad. Configure los clústeres de conmutación por error por separado para los componentes de la capa de aplicación de SAP y la capa de DBMS. Actualmente, Azure no admite arquitecturas de alta disponibilidad que combinen componentes de la capa de aplicación de SAP y la capa de DBMS en un clúster de conmutación por error.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations" + }, + { + "category": "Continuidad del negocio y recuperación ante desastres", + "guid": "a78b3d31-3170-44f2-b5d7-651a29f4ccf5", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-standard-load-balancer-outbound-connections", + "severity": "Alto", + "subcategory": "Alta disponibilidad", + "text": "La mayoría de los clústeres de conmutación por error para los componentes de la capa de aplicación (ASCS) de SAP y la capa de DBMS requieren una dirección IP virtual para un clúster de conmutación por error. Azure Load Balancer debe controlar la dirección IP virtual para todos los demás casos. Un principio de diseño es usar un equilibrador de carga por configuración de clúster. 
Te recomendamos que utilices la versión estándar del equilibrador de carga (SKU de equilibrador de carga estándar).", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations" + }, + { + "category": "Continuidad del negocio y recuperación ante desastres", + "guid": "1a541741-5833-4fb4-ae3c-2df743165c3a", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-ha-ports-overview?source=recommendations", + "severity": "Alto", + "subcategory": "Alta disponibilidad", + "text": "Asegúrese de que la IP flotante esté habilitada en el equilibrador de carga", + "training": "https://learn.microsoft.com/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations" + }, + { + "category": "Continuidad del negocio y recuperación ante desastres", + "guid": "c47cc4f3-f105-452c-845e-9b307b3856c1", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability", + "severity": "Alto", + "subcategory": "Alta disponibilidad", + "text": "Antes de implementar la infraestructura de alta disponibilidad, y en función de la región que elija, determine si desea realizar la implementación con un conjunto de disponibilidad de Azure o una zona de disponibilidad.", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations" + }, + { + "category": "Continuidad del negocio y recuperación ante desastres", + "guid": "844f69c3-07e5-4ec1-bff7-4be27bcf5fea", + "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", + "severity": "Alto", + "subcategory": "Alta disponibilidad", + "text": "Si desea cumplir los acuerdos de nivel de servicio de infraestructura para las aplicaciones de los componentes de SAP (servicios centrales, servidores de aplicaciones y bases de datos), debe elegir las mismas opciones de alta disponibilidad (máquinas virtuales, conjuntos de 
disponibilidad, zonas de disponibilidad) para todos los componentes." + }, + { + "category": "Continuidad del negocio y recuperación ante desastres", + "guid": "cbe05bbe-209d-4490-ba47-778424d11678", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "severity": "Alto", + "subcategory": "Alta disponibilidad", + "text": "No mezcle servidores de diferentes roles en el mismo conjunto de disponibilidad. Mantenga las máquinas virtuales de servicios centrales, las máquinas virtuales de base de datos y las máquinas virtuales de aplicaciones en sus propios conjuntos de disponibilidad", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations" + }, + { + "category": "Continuidad del negocio y recuperación ante desastres", + "guid": "f2201000-d045-40a6-a79a-d7cdc01b4d86", + "link": "https://learn.microsoft.com/azure/virtual-machines/co-location", + "severity": "Medio", + "subcategory": "Alta disponibilidad", + "text": "No se pueden implementar conjuntos de disponibilidad de Azure dentro de una zona de disponibilidad de Azure a menos que se usen grupos de selección de ubicación de proximidad.", + "training": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios" + }, + { + "category": "Continuidad del negocio y recuperación ante desastres", + "guid": "9674e7c7-7796-4181-8920-09f4429543ba", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "severity": "Alto", + "subcategory": "Alta disponibilidad", + "text": "Al crear conjuntos de disponibilidad, use el número máximo de dominios de error y dominios de actualización disponibles. 
Por ejemplo, si implementa más de dos máquinas virtuales en un conjunto de disponibilidad, use el número máximo de dominios de error (tres) y suficientes dominios de actualización para limitar el efecto de posibles errores de hardware físico, interrupciones de red o interrupciones de energía, además del mantenimiento planeado de Azure. El número predeterminado de dominios de error es dos y no puede cambiarlo en línea más adelante.", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations" + }, + { + "category": "Continuidad del negocio y recuperación ante desastres", + "guid": "ae4ecb95-b70f-428f-8b9a-4c5b7e3478a2", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "severity": "Alto", + "subcategory": "Alta disponibilidad", + "text": "Cuando se usan grupos de selección con selección de ubicación de proximidad de Azure en una implementación de conjunto de disponibilidad, los tres componentes de SAP (servicios centrales, servidor de aplicaciones y base de datos) deben estar en el mismo grupo con selección de ubicación de proximidad." + }, + { + "category": "Continuidad del negocio y recuperación ante desastres", + "guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "severity": "Alto", + "subcategory": "Alta disponibilidad", + "text": "Use un grupo de selección de ubicación de proximidad por SID de SAP. Los grupos no abarcan zonas de disponibilidad ni regiones de Azure" + }, { "category": "Calcular", "guid": "2829e2ed-b217-4367-9aff-6691b4935ada", "severity": "Medio", "subcategory": " ", - "text": "Realizar solicitudes de cuota para la SKU y las zonas de VM correctas" + "text": "Realizar solicitudes de cuota para la SKU y las zonas de máquina virtual correctas" }, { "category": "Identidad y acceso", 
@@ -265,7 +356,7 @@ "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", "severity": "Alto", "subcategory": "Suscripciones", - "text": "Aprovechar la suscripción como unidad de escalado y escalar nuestros recursos, considere la posibilidad de implementar la suscripción por entorno, por ejemplo. Sandbox, no-prod, prod ", + "text": "Aprovechar la suscripción como unidad de escalado y escalar nuestros recursos, considere implementar la suscripción por entorno, por ejemplo. Sandbox, no-prod, prod ", "training": "https://learn.microsoft.com/training/modules/configure-subscriptions/?source=recommendations" }, { @@ -291,7 +382,7 @@ "link": "https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal", "severity": "Alto", "subcategory": "Suscripciones", - "text": "Si realiza la implementación en una zona de disponibilidad, asegúrese de que la implementación de la zona de la máquina virtual esté disponible una vez que se haya aprobado la cuota. Envíe una solicitud de soporte técnico con la suscripción, la serie de máquinas virtuales, el número de CPU y la zona de disponibilidad necesaria." + "text": "Si realiza la implementación en una zona de disponibilidad, asegúrese de que la implementación de la zona de la máquina virtual esté disponible una vez que se haya aprobado la cuota. Envíe una solicitud de soporte técnico con la suscripción, la serie de máquinas virtuales, el número de CPU y la zona de disponibilidad necesarias." }, { "category": "Grupo de administración y suscripciones", 
@@ -308,7 +399,7 @@ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-resource-organization", "severity": "Medio", "subcategory": "Suscripciones", - "text": "Aproveche la etiqueta de recurso de Azure para la categorización de costos y la agrupación de recursos (: BillTo, Departamento (o unidad de negocio), Entorno (producción, Fase, Desarrollo), Nivel (nivel web, nivel de aplicación), Propietario de la aplicación, ProjectName)", + "text": "Aproveche la etiqueta de recurso de Azure para la categorización de costos y la agrupación de recursos (facturación, departamento (o unidad de negocio), entorno (producción, fase, desarrollo), nivel (nivel web, nivel de aplicación), propietario de la aplicación, ProjectName)", "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/" }, { 
@@ -534,7 +625,7 @@ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", "severity": "Medio", "subcategory": "DNS", - "text": "Si el DNS o el nombre virtual de la máquina virtual no se cambia durante la migración a Azure, el DNS en segundo plano y los nombres virtuales conectan muchas interfaces del sistema en el entorno de SAP, y los clientes solo conocen a veces las interfaces que los desarrolladores definen a lo largo del tiempo. Los problemas de conexión surgen entre varios sistemas cuando los nombres virtuales o DNS cambian después de las migraciones, y se recomienda conservar los alias DNS para evitar este tipo de dificultades.", + "text": "Si el DNS o el nombre virtual de la máquina virtual no se cambia durante la migración a Azure, el DNS en segundo plano y los nombres virtuales conectan muchas interfaces del sistema en el entorno de SAP, y los clientes solo conocen a veces las interfaces que los desarrolladores definen a lo largo del tiempo. Los desafíos de conexión surgen entre varios sistemas cuando los nombres virtuales o DNS cambian después de las migraciones, y se recomienda conservar los alias DNS para evitar este tipo de dificultades.", "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution" }, { 
@@ -579,7 +670,7 @@ "link": "https://learn.microsoft.com/azure/well-architected/services/networking/network-virtual-appliances/reliability", "severity": "Medio", "subcategory": "Híbrido", - "text": "Considere la posibilidad de implementar aplicaciones virtuales de red (NVA) entre regiones solo si se usan aplicaciones virtuales de red de asociado. Las aplicaciones virtuales de red entre regiones o redes virtuales no son necesarias si hay aplicaciones virtuales de red nativas. Al implementar tecnologías de redes de asociados y aplicaciones virtuales de red, siga las instrucciones del proveedor para comprobar las configuraciones conflictivas con las redes de Azure.", + "text": "Considere la posibilidad de implementar aplicaciones virtuales de red (NVA) entre regiones solo si se usan aplicaciones virtuales de red de asociados. Las aplicaciones virtuales de red entre regiones o redes virtuales no son necesarias si hay aplicaciones virtuales de red nativas. Al implementar tecnologías de redes de asociados y aplicaciones virtuales de red, siga las instrucciones del proveedor para comprobar las configuraciones conflictivas con las redes de Azure.", "training": "https://learn.microsoft.com/training/modules/control-network-traffic-flow-with-routes/?source=recommendations" }, { 
@@ -687,7 +778,7 @@ "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", "severity": "Medio", "subcategory": "Internet", - "text": "Para evitar la pérdida de datos, use Azure Private Link para acceder de forma segura a los recursos de la plataforma como servicio, como Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2, Azure Data Factory, etc. El punto de conexión privado de Azure también puede ayudar a proteger el tráfico entre redes virtuales y servicios como Azure Storage, Azure Backup, etc. El tráfico entre la red virtual y el servicio habilitado para punto de conexión privado viaja a través de la red global de Microsoft, lo que impide su exposición a la red pública de Internet.", + "text": "Para evitar la pérdida de datos, use Azure Private Link para acceder de forma segura a los recursos de plataforma como servicio, como Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2, Azure Data Factory, etc. El punto de conexión privado de Azure también puede ayudar a proteger el tráfico entre redes virtuales y servicios como Azure Storage, Azure Backup, etc. El tráfico entre la red virtual y el servicio habilitado para punto de conexión privado viaja a través de la red global de Microsoft, lo que impide su exposición a la red pública de Internet.", "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/?source=recommendations" }, { 
@@ -714,7 +805,7 @@ "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works", "severity": "Medio", "subcategory": "Segmentación", - "text": "Puede usar reglas de grupo de seguridad de aplicaciones (ASG) y NSG para definir listas de control de acceso de seguridad de red entre las capas de aplicación SAP y DBMS. Los ASG agrupan las máquinas virtuales para ayudar a administrar su seguridad.", + "text": "Puede usar reglas de grupo de seguridad de aplicaciones (ASG) y NSG para definir listas de control de acceso de seguridad de red entre la aplicación SAP y las capas DBMS. Los ASG agrupan las máquinas virtuales para ayudar a administrar su seguridad.", "training": "https://learn.microsoft.com/training/modules/configure-network-security-groups/?source=recommendations" }, { @@ -750,7 +841,7 @@ "link": "https://me.sap.com/notes/2015553", "severity": "Alto", "subcategory": "Segmentación", - "text": "No se recomienda hospedar el sistema de administración de bases de datos (DBMS) y las capas de aplicación de los sistemas SAP en diferentes redes virtuales y conectarlas con el emparejamiento de redes virtuales debido a los costos sustanciales que puede generar un tráfico de red excesivo entre las capas. Se recomienda el uso de subredes dentro de la red virtual de Azure para separar la capa de aplicación de SAP y la capa de DBMS.", + "text": "No se recomienda hospedar el sistema de administración de bases de datos (DBMS) y las capas de aplicación de los sistemas SAP en diferentes redes virtuales y conectarlas con el emparejamiento de redes virtuales debido a los costos sustanciales que puede producir un tráfico de red excesivo entre las capas. Se recomienda el uso de subredes dentro de la red virtual de Azure para separar la capa de aplicación de SAP y la capa de DBMS.", "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity" }, { 
@@ -777,55 +868,60 @@ "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration", "severity": "Medio", "subcategory": "Segmentación", - "text": "En el caso de las implementaciones de SAP RISE/ECS, el emparejamiento virtual es la forma preferida de establecer la conectividad con el entorno de Azure existente del cliente. Tanto la red virtual de SAP como las redes virtuales del cliente están protegidas con grupos de seguridad de red (NSG), lo que permite la comunicación en los puertos de SAP y de base de datos a través del emparejamiento de red virtual" + "text": "En el caso de las implementaciones de SAP RISE/ECS, el emparejamiento virtual es la forma preferida de establecer la conectividad con el entorno de Azure existente del cliente. Tanto la red virtual de SAP como las redes virtuales del cliente están protegidas con grupos de seguridad de red (NSG), lo que permite la comunicación en los puertos de SAP y de base de datos a través del emparejamiento de redes virtuales" }, { "category": "Seguridad, gobernanza y cumplimiento", - "guid": "209d490d-a477-4784-84d1-16785d2fa56c", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "severity": "Alto", + "guid": "18dffcf3-248c-4039-a67c-dec8e3a5f804", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", + "severity": "Medio", "subcategory": "Gobernanza", - "text": "Personalización de los roles de control de acceso basado en rol (RBAC) para SAP en suscripciones de Azure spoke para evitar cambios accidentales relacionados con la red" + "text": "Si ejecuta máquinas virtuales Windows y Linux en Azure, en el entorno local o en otros entornos en la nube, puede usar el Centro de administración de actualizaciones de Automatización de Azure para administrar las actualizaciones del sistema operativo, incluidas las revisiones de seguridad.", + "training": "https://learn.microsoft.com/azure/automation/update-management/overview" }, { 
"category": "Seguridad, gobernanza y cumplimiento", - "guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "guid": "08951710-79a2-492a-adbc-06d7a401545b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", "severity": "Medio", "subcategory": "Gobernanza", - "text": "Aísle las redes perimetrales y las aplicaciones virtuales de red del resto del patrimonio de SAP, configure Azure Private Link y administre y controle de forma segura los recursos de SAP en Azure" + "text": "Revise de forma rutinaria las notas de seguridad de SAP OSS, ya que SAP publica parches de seguridad muy críticos, o revisiones, que requieren una acción inmediata para proteger sus sistemas SAP.", + "training": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html" }, { "category": "Seguridad, gobernanza y cumplimiento", - "guid": "cf65de8e-1309-4ccc-b579-266bcca275fa", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "severity": "Medio", + "guid": "1b8b394e-ae64-4a74-8933-357b523ea0a0", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "severity": "Bajo", "subcategory": "Gobernanza", - "text": "Para el cifrado del servidor de base de datos de SAP, use la tecnología de cifrado nativa de SAP HANA. Si usa Azure SQL Database, use el cifrado de datos transparente (TDE) que ofrece el proveedor de DBMS para proteger los datos y los archivos de registro, y asegúrese de que las copias de seguridad también están cifradas." + "text": "En el caso de SAP en SQL Server, puede deshabilitar la cuenta de administrador del sistema de SQL Server porque los sistemas SAP en SQL Server no usan la cuenta. Asegúrese de que otro usuario con derechos de administrador del sistema pueda acceder al servidor antes de deshabilitar la cuenta de administrador del sistema original." 
}, { "category": "Seguridad, gobernanza y cumplimiento", - "guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "severity": "Medio", + "guid": "5a76a033-ced9-4eef-9a43-5e4f96634c8e", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "severity": "Alto", "subcategory": "Gobernanza", - "text": "El cifrado de Azure Storage está habilitado de forma predeterminada" + "text": "Deshabilite xp_cmdshell. La característica de SQL Server xp_cmdshell habilita un shell de comandos del sistema operativo interno de SQL Server. Es un riesgo potencial en las auditorías de seguridad.", + "training": "https://me.sap.com/notes/3019299/E" }, { "category": "Seguridad, gobernanza y cumplimiento", - "guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "severity": "Medio", - "subcategory": "Gobernanza", - "text": " " + "guid": "cf65de8e-1309-4ccc-b579-266bcca275fa", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "severity": "Alto", + "subcategory": "Secretos", + "text": "El cifrado de servidores de bases de datos SAP HANA en Azrue utiliza la tecnología de cifrado nativa de SAP HANA. 
Además, si usa SQL Server en Azure, use el cifrado de datos transparente (TDE) para proteger los datos y los archivos de registro y asegurarse de que las copias de seguridad también están cifradas.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security" }, { "category": "Seguridad, gobernanza y cumplimiento", - "guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a", + "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", "severity": "Medio", - "subcategory": "Gobernanza", - "text": " " + "subcategory": "Secretos", + "text": "El cifrado de Azure Storage está habilitado para todas las cuentas de Azure Resource Manager y de almacenamiento clásico, y no se puede deshabilitar. Dado que los datos están cifrados de forma predeterminada, no es necesario modificar el código o las aplicaciones para usar el cifrado de Azure Storage.", + "training": "https://learn.microsoft.com/training/modules/encrypt-sector-data/?source=recommendations" }, { "category": "Seguridad, gobernanza y cumplimiento", 
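Review bot: The added `text` for guid `cf65de8e-1309-4ccc-b579-266bcca275fa` misspells the platform name as `Azrue`; the sentence should begin `El cifrado de servidores de bases de datos SAP HANA en Azure utiliza la tecnología de cifrado nativa de SAP HANA.` This commit is an automated regeneration, so the misspelling presumably originates upstream, in the English entry or the translation step. It needs fixing there too, otherwise the next run will restore it.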
@@ -833,95 +929,160 @@ "link": "https://learn.microsoft.com/azure/key-vault/general/overview", "severity": "Alto", "subcategory": "Secretos", - "text": "Uso de Azure Key Vault para almacenar los secretos y las credenciales" + "text": "Uso de Azure Key Vault para almacenar los secretos y las credenciales", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations" }, { "category": "Seguridad, gobernanza y cumplimiento", "guid": "829e2edb-2173-4676-aff6-691b4935ada4", - "link": "https://learn.microsoft.com/azure/key-vault/general/overview-throttling", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", "severity": "Medio", "subcategory": "Secretos", - "text": "Se recomienda BLOQUEAR los recursos de Azure después de la implementación correcta para protegerse contra cambios no autorizados" + "text": "Se recomienda bloquear los recursos de Azure después de la implementación correcta para protegerse contra cambios no autorizados. También puede aplicar restricciones y reglas de LOCK por suscripción mediante directivas de Azure personalizadas (rol personalizado).", + "training": "https://learn.microsoft.com/training/modules/use-azure-resource-manager/?source=recommendations" }, { "category": "Seguridad, gobernanza y cumplimiento", "guid": "2223ece8-1b12-4318-8a54-17415833fb4a", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", "severity": "Medio", "subcategory": "Secretos", - "text": "Aprovisione Azure Key Vault con las directivas de eliminación temporal y purga habilitadas para permitir la protección de retención de los objetos eliminados." 
+ "text": "Aprovisione Azure Key Vault con las directivas de eliminación temporal y purga habilitadas para permitir la protección de retención de los objetos eliminados.", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations" }, { "category": "Seguridad, gobernanza y cumplimiento", "guid": "e3c2df74-3165-4c3a-abe0-5bbe209d490d", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "severity": "Medio", + "link": "https://learn.microsoft.com/azure/role-based-access-control/security-controls-policy", + "severity": "Alto", "subcategory": "Secretos", - "text": "En función de los requisitos existentes, controles normativos y de cumplimiento (internos y externos): determine qué directivas de Azure y el rol de RBAC de Azure son necesarios" + "text": "En función de los requisitos existentes, controles normativos y de cumplimiento (internos y externos): determine qué directivas de Azure y el rol de RBAC de Azure son necesarios", + "training": "https://learn.microsoft.com/training/paths/describe-azure-management-governance/?source=recommendations" }, { "category": "Seguridad, gobernanza y cumplimiento", "guid": "a4777842-4d11-4678-9d2f-a56c56ad4840", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "severity": "Medio", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "severity": "Alto", "subcategory": "Secretos", - "text": "Al habilitar Microsoft Defender for Cloud Standard para SAP, asegúrese de excluir los servidores de base de datos de SAP de cualquier directiva que instale Endpoint Protection." + "text": "Al habilitar Microsoft Defender para punto de conexión en el entorno de SAP, se recomienda excluir los archivos de datos y registro en los servidores DBMS en lugar de dirigirse a todos los servidores. 
Siga las recomendaciones de su proveedor de DBMS al excluir archivos de destino.", + "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/microsoft-defender-endpoint-mde-for-sap-applications-on-windows/ba-p/3912268" }, { "category": "Seguridad, gobernanza y cumplimiento", "guid": "8fe72734-c486-4ba2-a0dc-0591cf65de8e", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "severity": "Medio", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks", + "severity": "Alto", "subcategory": "Secretos", - "text": "Delegue un rol personalizado de administrador de SAP con acceso Just-In-Time." + "text": "Delegue un rol personalizado de administrador de SAP con acceso Just-In-Time de Microsoft Defender for Cloud.", + "training": "https://learn.microsoft.com/training/modules/secure-vms-with-azure-security-center/?source=recommendations" }, { "category": "Seguridad, gobernanza y cumplimiento", "guid": "1309cccd-5792-466b-aca2-75faa1abfe9d", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "severity": "Medio", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "severity": "Bajo", "subcategory": "Secretos", - "text": "cifre los datos en tránsito integrando el producto de seguridad de terceros con comunicaciones de red seguras (SNC) para DIAG (SAP GUI), RFC y SPNEGO para HTTPS" + "text": "cifre los datos en tránsito integrando el producto de seguridad de terceros con comunicaciones de red seguras (SNC) para DIAG (SAP GUI), RFC y SPNEGO para HTTPS", + "training": "https://learn.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit" }, { "category": "Seguridad, gobernanza y cumplimiento", - "guid": "55d04c3c-4919-4cb1-a3d1-325ae124ba34", - "link": 
"https://learn.microsoft.com/azure/key-vault/general/best-practices", + "guid": "eeaa3592-829e-42ed-a217-3676aff6691b", + "link": "https://learn.microsoft.com/azure/storage/common/storage-encryption-key-model-get?tabs=portal", "severity": "Medio", "subcategory": "Secretos", - "text": "Azure Active Directory (Azure AD) con SAML 2.0 también puede proporcionar SSO a una amplia gama de aplicaciones y plataformas de SAP, como SAP NetWeaver, SAP HANA y SAP Cloud Platform" + "text": "De forma predeterminada, utilice claves administradas por Microsoft para la funcionalidad de cifrado de entidad de seguridad y use claves administradas por el cliente cuando sea necesario.", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations" }, { "category": "Seguridad, gobernanza y cumplimiento", - "guid": "df685edd-ce9b-4d3b-a0cd-b3b55eb2ec14", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "severity": "Medio", + "guid": "4935ada4-2223-4ece-a1b1-23181a541741", + "link": "https://learn.microsoft.com/ja-jp/azure/key-vault/general/best-practices", + "severity": "Alto", "subcategory": "Secretos", - "text": "Asegúrese de reforzar el sistema operativo para erradicar las vulnerabilidades que podrían provocar ataques a la base de datos de SAP." 
+ "text": "Use una instancia de Azure Key Vault por aplicación, por entorno, por región.", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations" }, { "category": "Seguridad, gobernanza y cumplimiento", - "guid": "eeaa3592-829e-42ed-a217-3676aff6691b", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "severity": "Medio", + "guid": "abc9634d-c44d-41e9-a530-e8444e16aa3c", + "link": "https://learn.microsoft.com/azure/key-vault/certificates/certificate-scenarios", + "severity": "Alto", "subcategory": "Secretos", - "text": "De forma predeterminada, utilice claves administradas por Microsoft para la funcionalidad de cifrado de entidad de seguridad y use claves administradas por el cliente cuando sea necesario." + "text": "Para controlar y administrar claves y secretos de cifrado de disco para sistemas operativos Windows y Windows que no son de HANA, use Azure Key Vault. SAP HANA no es compatible con Azure Key Vault, por lo que debe usar métodos alternativos como SAP ABAP o claves SSH.", + "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/?source=recommendations" }, { "category": "Seguridad, gobernanza y cumplimiento", - "guid": "4935ada4-2223-4ece-a1b1-23181a541741", + "guid": "5833fb4a-e3c2-4df7-9316-5c3acbe05bbe", "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", "severity": "Medio", "subcategory": "Secretos", - "text": "Use una instancia de Azure Key Vault por aplicación, por entorno, por región." 
+ "text": " " }, { "category": "Seguridad, gobernanza y cumplimiento", - "guid": "5833fb4a-e3c2-4df7-9316-5c3acbe05bbe", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "guid": "209d490d-a477-4784-84d1-16785d2fa56c", + "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles", + "severity": "Alto", + "subcategory": "Seguridad", + "text": "Personalización de los roles de control de acceso basado en rol (RBAC) para SAP en suscripciones de Azure spoke para evitar cambios accidentales relacionados con la red", + "training": "https://learn.microsoft.com/training/modules/secure-azure-resources-with-rbac/?source=recommendations" + }, + { + "category": "Seguridad, gobernanza y cumplimiento", + "guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591", + "link": "https://blogs.sap.com/2019/07/21/sap-security-operations-on-azure/", + "severity": "Alto", + "subcategory": "Seguridad", + "text": "Aísle las redes perimetrales y las aplicaciones virtuales de red del resto del patrimonio de SAP, configure Azure Private Link y administre y controle de forma segura los recursos de SAP en Azure", + "training": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/secure-vnet-dmz?tabs=portal" + }, + { + "category": "Seguridad, gobernanza y cumplimiento", + "guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5", + "link": "https://learn.microsoft.com/en-us/training/modules/secure-vms-with-azure-security-center/?source=recommendations", + "severity": "Bajo", + "subcategory": "Seguridad", + "text": "Considere la posibilidad de usar el software antimalware de Microsoft en Azure para proteger las máquinas virtuales de archivos malintencionados, adware y otras amenazas.", + "training": "https://azure.microsoft.com/blog/deploying-antimalware-solutions-on-azure-virtual-machines/" + }, + { + "category": "Seguridad, gobernanza y cumplimiento", + "guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676", + "link": 
"https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide", + "severity": "Bajo", + "subcategory": "Seguridad", + "text": "Para una protección aún más eficaz, considere la posibilidad de usar Microsoft Defender para punto de conexión.", + "training": "https://learn.microsoft.com/training/modules/implement-endpoint-protection-use-microsoft-defender/?source=recommendations" + }, + { + "category": "Seguridad, gobernanza y cumplimiento", + "guid": "87a924c4-25c2-419f-a2f0-96c7c4fe4525", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", + "severity": "Alto", + "subcategory": "Seguridad", + "text": "Aísle los servidores de aplicaciones y bases de datos de SAP de Internet o de la red local pasando todo el tráfico a través de la red virtual del centro de conectividad, que está conectada a la red radial mediante el emparejamiento de red virtual. Las redes virtuales emparejadas garantizan que la solución de SAP en Azure esté aislada de la red pública de Internet.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/?source=recommendations" + }, + { + "category": "Seguridad, gobernanza y cumplimiento", + "guid": "491ca1c4-3d40-42c0-9d85-b8933999590b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "severity": "Bajo", + "subcategory": "Seguridad", + "text": "En el caso de las aplicaciones orientadas a Internet, como SAP Fiori, asegúrese de distribuir la carga según los requisitos de la aplicación mientras se mantienen los niveles de seguridad. 
Para la seguridad de nivel 7, puede usar un firewall de aplicaciones web (WAF) de terceros disponible en Azure Marketplace.", + "training": "https://learn.microsoft.com/training/modules/simplify-cloud-procurement-governance-azure-marketplace/?source=recommendations" + }, + { + "category": "Seguridad, gobernanza y cumplimiento", + "guid": "9fc945b9-0527-47af-8200-9d652fe02fcc", + "link": "https://learn.microsoft.com/azure/sap/monitor/enable-tls-azure-monitor-sap-solutions", "severity": "Medio", - "subcategory": "Secretos", - "text": " " + "subcategory": "Seguridad", + "text": "Para habilitar la comunicación segura en las soluciones de Azure Monitor para SAP, puede optar por usar un certificado raíz o un certificado de servidor. Le recomendamos encarecidamente que utilice certificados raíz.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations" }, { "category": "Almacenamiento", @@ -934,7 +1095,7 @@ "metadata": { "name": "Azure Landing Zone Review", "state": "Preview", - "timestamp": "November 24, 2023" + "timestamp": "January 11, 2024" }, "severities": [ { diff --git a/checklists/sap_checklist.ja.json b/checklists/sap_checklist.ja.json index 6b59b7d66..fa5319820 100644 --- a/checklists/sap_checklist.ja.json +++ b/checklists/sap_checklist.ja.json 
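Review bot: The new `link` for guid `4935ada4-2223-4ece-a1b1-23181a541741` in this Spanish file is pinned to the Japanese locale (`https://learn.microsoft.com/ja-jp/azure/key-vault/general/best-practices`), while most other links in the hunk are locale-neutral; use `https://learn.microsoft.com/azure/key-vault/general/best-practices` so readers get the page in their own language. The new `link` for guid `e124ba34-df68-45ed-bce9-bd3bb0cdb3b5` is likewise pinned to `en-us`. The entry for guid `5833fb4a-e3c2-4df7-9316-5c3acbe05bbe` still carries `"text": " "` on the new side, so the checklist shows a Medio item under Secretos with nothing to act on; it should receive its text or be dropped. The added text for guid `abc9634d-c44d-41e9-a530-e8444e16aa3c` reads `sistemas operativos Windows y Windows que no son de HANA`, which looks like a "non-Windows" lost in translation and leaves the scope of the Key Vault guidance unclear.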
@@ -17,38 +17,6 @@ } ], "items": [ - { - "category": "ビジネス継続性と災害復旧", - "guid": "aff6691b-4935-4ada-9222-3ece81b12318", - "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-reports", - "severity": "中程度", - "subcategory": " ", - "text": "ASCS とデータベース クラスターを 1 つまたは同じ VM に結合しないでください" - }, - { - "category": "ビジネス継続性と災害復旧", - "guid": "1a541741-5833-4fb4-ae3c-2df743165c3a", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/logs-data-export?tabs=portal", - "severity": "中程度", - "subcategory": " ", - "text": "ロードバランサーでフローティング IP が有効になっていることを確認します" - }, - { - "category": "ビジネス継続性と災害復旧", - "guid": "cbe05bbe-209d-4490-ba47-778424d11678", - "link": "https://learn.microsoft.com/azure/security-center/", - "severity": "中程度", - "subcategory": " ", - "text": "同じ可用性セット内に異なるロールのサーバーを混在させないでください。セントラル サービス VM、データベース VM、アプリケーション VM を独自の可用性セットに保持する" - }, - { - "category": "ビジネス継続性と災害復旧", - "guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2", - "link": "https://learn.microsoft.com/azure/security-center/", - "severity": "中程度", - "subcategory": " ", - "text": "SAP SID ごとに 1 つの近接配置グループを使用します。グループは、Availability Zones や Azure リージョンにまたがっていません" - }, { "category": "ビジネス継続性と災害復旧", "guid": "80dc0591-cf65-4de8-b130-9cccd579266b", 
@@ -110,6 +78,129 @@ "subcategory": " ", "text": "ネイティブ データベース レプリケーションは、Azure Site Recovery ではなく、DR サイトにデータを同期するために使用する必要があります" }, + { + "category": "ビジネス継続性と災害復旧", + "guid": "8300cb30-766b-4084-b126-0dd8fb1269a1", + "link": "https://learn.microsoft.com/azure/sap/workloads/sap-high-availability-architecture-scenario", + "severity": "高い", + "subcategory": "高可用性", + "text": "単一障害点に対する SAP ソフトウェアの可用性を検討します。これには、SAP NetWeaver や SAP S/4HANA アーキテクチャ、SAP ABAP、ASCS + SCS で使用される DBMS などのアプリケーション内の単一障害点が含まれます。また、SAP Web ディスパッチャなどの他のツールも必要です。", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/2-explore-high-availability-disaster-recovery-support-azure-for-sap-workloads?source=recommendations" + }, + { + "category": "ビジネス継続性と災害復旧", + "guid": "56402f11-ccbe-42c3-a2f6-c6f6f38ab579", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-supported-configurations", + "severity": "高い", + "subcategory": "高可用性", + "text": "SAP および SAP データベースの場合は、自動フェールオーバー クラスターの実装を検討してください。Windows では、Windows Server フェールオーバー クラスタリングがフェールオーバーをサポートします。Linux では、Linux Pacemaker や、SIOS Protection Suite や Veritas InfoScale などのサードパーティツールがフェイルオーバーをサポートしています。", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations" + }, + { + "category": "ビジネス継続性と災害復旧", + "guid": "afae6bec-2671-49ae-bc69-140b8ec8d320", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", + "severity": "高い", + "subcategory": "高可用性", + "text": "Azure では、プライマリ VM とセカンダリ VM が DBMS データのストレージを共有するアーキテクチャはサポートされていません。DBMSレイヤーの場合、一般的なアーキテクチャパターンは、プライマリおよびセカンダリVMが使用するストレージスタックとは異なるストレージスタックを使用して、データベースを同時にレプリケートすることです。", + "training": 
"https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/?source=recommendationshttps%3A%2F%2Flearn.microsoft.com%2Fja-jp%2Ftraining%2Fpaths%2Fensure-business-continuity-implement-disaster-recovery%2F%3Fsource%3Drecommendations" + }, + { + "category": "ビジネス継続性と災害復旧", + "guid": "ac614e95-6767-4bc3-b8a4-9953533da6ba", + "link": "https://learn.microsoft.com/azure/sap/workloads/dbms-guide-general", + "severity": "高い", + "subcategory": "高可用性", + "text": "DBMS データとトランザクション/REDO ログ ファイルは、Azure でサポートされているブロック ストレージまたは Azure NetApp Files に格納されます。Azure Files または Azure Premium Files は、SAP ワークロードでの DBMS データや再実行ログ ファイルのストレージとしてはサポートされていません。", + "training": "https://learn.microsoft.com/training/modules/explore-azure-databases/2-explore-database-support-azure-for-sap-workloads" + }, + { + "category": "ビジネス継続性と災害復旧", + "guid": "1f737179-8e7f-4e1a-a30c-e5a649a3092b", + "link": "https://learn.microsoft.com/azure/sap/workloads/sap-high-availability-guide-wsfc-shared-disk", + "severity": "高い", + "subcategory": "高可用性", + "text": "Windows の Azure 共有ディスクは、ASCS + SCS コンポーネントと特定の高可用性シナリオに使用できます。フェールオーバー クラスターは、SAP アプリケーション層コンポーネントと DBMS 層に対して個別に設定します。現在、Azure では、SAP アプリケーション レイヤー コンポーネントと DBMS レイヤーを 1 つのフェールオーバー クラスターに結合する高可用性アーキテクチャはサポートされていません。", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations" + }, + { + "category": "ビジネス継続性と災害復旧", + "guid": "a78b3d31-3170-44f2-b5d7-651a29f4ccf5", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-standard-load-balancer-outbound-connections", + "severity": "高い", + "subcategory": "高可用性", + "text": "SAP アプリケーション レイヤー コンポーネント (ASCS) と DBMS レイヤーのほとんどのフェールオーバー クラスターでは、フェールオーバー クラスターの仮想 IP アドレスが必要です。 Azure Load Balancer は、他のすべてのケースで仮想 IP アドレスを処理する必要があります。設計原則の 1 つは、クラスター構成ごとに 1 つのロード バランサーを使用することです。ロード バランサーの Standard バージョン (Standard Load Balancer SKU) を使用することをお勧めします。", + "training": 
"https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations" + }, + { + "category": "ビジネス継続性と災害復旧", + "guid": "1a541741-5833-4fb4-ae3c-2df743165c3a", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-ha-ports-overview?source=recommendations", + "severity": "高い", + "subcategory": "高可用性", + "text": "ロードバランサーでフローティング IP が有効になっていることを確認します", + "training": "https://learn.microsoft.com/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations" + }, + { + "category": "ビジネス継続性と災害復旧", + "guid": "c47cc4f3-f105-452c-845e-9b307b3856c1", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability", + "severity": "高い", + "subcategory": "高可用性", + "text": "高可用性インフラストラクチャをデプロイする前に、選択したリージョンに応じて、Azure 可用性セットと可用性ゾーンのどちらを使用してデプロイするかを決定します。", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations" + }, + { + "category": "ビジネス継続性と災害復旧", + "guid": "844f69c3-07e5-4ec1-bff7-4be27bcf5fea", + "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", + "severity": "高い", + "subcategory": "高可用性", + "text": "SAP コンポーネント (セントラル サービス、アプリケーション サーバー、データベース) のアプリケーションのインフラストラクチャ SLA を満たす場合は、すべてのコンポーネントに対して同じ高可用性オプション (VM、可用性セット、可用性ゾーン) を選択する必要があります。" + }, + { + "category": "ビジネス継続性と災害復旧", + "guid": "cbe05bbe-209d-4490-ba47-778424d11678", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "severity": "高い", + "subcategory": "高可用性", + "text": "同じ可用性セット内に異なるロールのサーバーを混在させないでください。セントラル サービス VM、データベース VM、アプリケーション VM を独自の可用性セットに保持する", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations" + }, + { + "category": "ビジネス継続性と災害復旧", + "guid": "f2201000-d045-40a6-a79a-d7cdc01b4d86", + "link": "https://learn.microsoft.com/azure/virtual-machines/co-location", + 
"severity": "中程度", + "subcategory": "高可用性", + "text": "近接通信配置グループを使用しない限り、Azure 可用性ゾーン内に Azure 可用性セットをデプロイすることはできません。", + "training": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios" + }, + { + "category": "ビジネス継続性と災害復旧", + "guid": "9674e7c7-7796-4181-8920-09f4429543ba", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "severity": "高い", + "subcategory": "高可用性", + "text": "可用性セットを作成するときは、使用可能な障害ドメインと更新ドメインの最大数を使用します。たとえば、1 つの可用性セットに 2 つ以上の VM をデプロイする場合は、Azure の計画メンテナンスに加えて、潜在的な物理ハードウェア障害、ネットワークの停止、または停電の影響を制限するために、最大数の障害ドメイン (3 つ) と十分な更新ドメインを使用します。障害ドメインの既定の数は 2 であり、後でオンラインで変更することはできません。", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations" + }, + { + "category": "ビジネス継続性と災害復旧", + "guid": "ae4ecb95-b70f-428f-8b9a-4c5b7e3478a2", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "severity": "高い", + "subcategory": "高可用性", + "text": "可用性セットのデプロイで Azure 近接通信配置グループを使用する場合は、3 つの SAP コンポーネント (セントラル サービス、アプリケーション サーバー、データベース) をすべて同じ近接通信配置グループに含める必要があります。" + }, + { + "category": "ビジネス継続性と災害復旧", + "guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "severity": "高い", + "subcategory": "高可用性", + "text": "SAP SID ごとに 1 つの近接配置グループを使用します。グループは、Availability Zones や Azure リージョンにまたがっていません" + }, { "category": "計算する", "guid": "2829e2ed-b217-4367-9aff-6691b4935ada", @@ -274,7 +365,7 @@ "link": "https://learn.microsoft.com/azure/quotas/quotas-overview", "severity": "高い", "subcategory": "サブスクリプション", - "text": "サブスクリプションのプロビジョニングの一環としてクォータの増加を確認する (例: サブスクリプション内で使用可能な VM コアの合計)", + "text": "サブスクリプションのプロビジョニングの一環としてクォータを確実に増やす (例: サブスクリプション内で使用可能な VM コアの合計数)", "training": "https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits" }, { 
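Review bot: The `training` value added for guid `afae6bec-2671-49ae-bc69-140b8ec8d320` is two URLs run together: `?source=recommendations` is followed directly by a percent-encoded second copy beginning `https%3A%2F%2Flearn.microsoft.com%2Fja-jp%2Ftraining...`, so the query string carries junk and the link may not resolve as intended. The value should be `"training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/?source=recommendations"`. Since this file is generated, the concatenation presumably comes from the source entry (likely `checklists/sap_checklist.en.json`) and should be corrected there as well.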
@@ -299,7 +390,7 @@ "link": "https://azure.microsoft.com/explore/global-infrastructure/products-by-region/", "severity": "高い", "subcategory": "サブスクリプション", - "text": "必要なサービスと機能が、選択したデプロイ リージョン内で利用可能であることを確認します。ANF、ゾーンなど", + "text": "必要なサービスと機能が、選択した展開リージョン内で利用可能であることを確認します。ANF、ゾーンなど", "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/migrate/azure-best-practices/multiple-regions?source=recommendations" }, { @@ -308,7 +399,7 @@ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-resource-organization", "severity": "中程度", "subcategory": "サブスクリプション", - "text": "コストの分類とリソースのグループ化 (BillTo、部門 (または部署)、環境 (運用、ステージング、開発)、層 (Web 層、アプリケーション層)、アプリケーション所有者、プロジェクト名) に Azure リソース タグを活用します", + "text": "コストの分類とリソースのグループ化 (BillTo、部門 (または部署)、環境 (運用、ステージ、開発)、層 (Web 層、アプリケーション層)、アプリケーション所有者、プロジェクト名) に Azure リソース タグを活用します", "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/" }, { @@ -326,7 +417,7 @@ "link": "https://learn.microsoft.com/azure/azure-netapp-files/azacsnap-introduction", "severity": "中程度", "subcategory": "BCDR (英語)", - "text": "HANA、Oracle、または DB2 データベース用に Azure NetApp Files をデプロイする場合は、Azure アプリケーション整合性スナップショット ツール (AzAcSnap) を使用して、アプリケーション整合性スナップショットを作成します。AzAcSnap は Oracle データベースもサポートしています。個々の VM ではなく、中央の VM で AzAcSnap を使用することを検討してください。" + "text": "HANA、Oracle、または DB2 データベースに Azure NetApp Files をデプロイする場合は、Azure アプリケーション整合性スナップショット ツール (AzAcSnap) を使用して、アプリケーション整合性スナップショットを作成します。AzAcSnap は Oracle データベースもサポートしています。個々の VM ではなく、中央の VM で AzAcSnap を使用することを検討してください。" }, { "category": "管理と監視", 
@@ -552,7 +643,7 @@ "link": "https://learn.microsoft.com/azure/virtual-network/virtual-network-peering-overview", "severity": "中程度", "subcategory": "ハイブリッド", - "text": "ローカルおよびグローバル VNet ピアリングは接続を提供し、複数の Azure リージョンにまたがる SAP デプロイのランディング ゾーン間の接続を確保するための推奨されるアプローチです", + "text": "ローカルとグローバルの VNet ピアリングは接続を提供し、複数の Azure リージョンにまたがる SAP デプロイのランディング ゾーン間の接続を確保するための推奨されるアプローチです", "training": "https://learn.microsoft.com/training/modules/configure-vnet-peering/?source=recommendations" }, { @@ -561,7 +652,7 @@ "link": "https://learn.microsoft.com/azure/sap/workloads/planning-guide", "severity": "高い", "subcategory": "ハイブリッド", - "text": "SAP アプリケーションと SAP データベース サーバーの間に NVA をデプロイすることはサポートされていません", + "text": "SAP アプリケーションと SAP データベース サーバー間の NVA のデプロイはサポートされていません", "training": "https://me.sap.com/notes/2731110" }, { @@ -660,7 +751,7 @@ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", "severity": "中程度", "subcategory": "インターネット", - "text": "Azure Front Door と Application Gateway を使用して HTTP/S アプリケーションを保護する場合は、Azure Front Door の Web アプリケーション ファイアウォール ポリシーを活用します。Application Gateway をロックダウンして、Azure Front Door からのトラフィックのみを受信します。", + "text": "Azure Front Door と Application Gateway を使用して HTTP/S アプリケーションを保護する場合は、Azure Front Door の Web アプリケーション ファイアウォール ポリシーを利用します。Application Gateway をロックダウンして、Azure Front Door からのトラフィックのみを受信します。", "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations" }, { 
@@ -669,7 +760,7 @@ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", "severity": "中程度", "subcategory": "インターネット", - "text": "Web アプリケーション ファイアウォールを使用して、インターネットに公開されているトラフィックをスキャンします。もう 1 つのオプションは、ロード バランサー、または Application Gateway やサードパーティ ソリューションなどのファイアウォール機能が組み込まれているリソースと共に使用することです。", + "text": "Web アプリケーション ファイアウォールを使用して、インターネットに公開されているトラフィックをスキャンします。別のオプションとして、ロード バランサーや、Application Gateway やサードパーティ ソリューションなどのファイアウォール機能が組み込まれているリソースと共に使用することもできます。", "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations" }, { @@ -687,7 +778,7 @@ "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", "severity": "中程度", "subcategory": "インターネット", - "text": "データ漏えいを防ぐには、Azure Private Link を使用して、Azure Blob Storage、Azure Files、Azure Data Lake Storage Gen2、Azure Data Factory などのサービスとしてのプラットフォーム リソースに安全にアクセスします。Azure プライベート エンドポイントは、VNet と Azure Storage、Azure Backup などのサービス間のトラフィックをセキュリティで保護するのにも役立ちます。VNet とプライベート エンドポイント対応サービス間のトラフィックは、Microsoft グローバル ネットワークを経由するため、パブリック インターネットへの公開が防止されます。", + "text": "データ漏えいを防ぐには、Azure Private Link を使用して、Azure Blob Storage、Azure Files、Azure Data Lake Storage Gen2、Azure Data Factory などのサービスとしてのプラットフォーム リソースに安全にアクセスします。Azure プライベート エンドポイントは、VNet と Azure Storage、Azure Backup などのサービス間のトラフィックをセキュリティで保護するのにも役立ちます。VNet とプライベート エンドポイント対応サービス間のトラフィックは、Microsoft グローバル ネットワークを経由するため、パブリック インターネットへの公開は防止されます。", "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/?source=recommendations" }, { 
@@ -750,7 +841,7 @@ "link": "https://me.sap.com/notes/2015553", "severity": "高い", "subcategory": "セグメンテーション", - "text": "SAP システムのデータベース管理システム (DBMS) とアプリケーション レイヤーを異なる VNet でホストし、それらを VNet ピアリングに接続することは、レイヤー間の過剰なネットワーク トラフィックによって生成される可能性があるため、お勧めしません。Azure 仮想ネットワーク内のサブネットを使用して、SAP アプリケーション レイヤーと DBMS レイヤーを分離することをお勧めします。", + "text": "SAP システムのデータベース管理システム (DBMS) レイヤーとアプリケーション レイヤーを異なる VNet でホストし、それらを VNet ピアリングに接続することは、レイヤー間の過剰なネットワーク トラフィックによって生成される可能性があるため、お勧めしません。Azure 仮想ネットワーク内のサブネットを使用して、SAP アプリケーション レイヤーと DBMS レイヤーを分離することをお勧めします。", "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity" }, { 
@@ -781,51 +872,56 @@ }, { "category": "セキュリティ、ガバナンス、コンプライアンス", - "guid": "209d490d-a477-4784-84d1-16785d2fa56c", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "severity": "高い", + "guid": "18dffcf3-248c-4039-a67c-dec8e3a5f804", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", + "severity": "中程度", "subcategory": "統治", - "text": "SAP on Azure スポーク サブスクリプションのロールベースのアクセス制御 (RBAC) ロールをカスタマイズして、偶発的なネットワーク関連の変更を回避します" + "text": "Azure、オンプレミス、またはその他のクラウド環境で Windows VM と Linux VM を実行している場合は、Azure Automation の更新管理センターを使用して、セキュリティ パッチを含むオペレーティング システムの更新プログラムを管理できます。", + "training": "https://learn.microsoft.com/azure/automation/update-management/overview" }, { "category": "セキュリティ、ガバナンス、コンプライアンス", - "guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "guid": "08951710-79a2-492a-adbc-06d7a401545b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", "severity": "中程度", "subcategory": "統治", - "text": "DMZ と NVA を SAP 資産の残りの部分から分離し、Azure Private Link を構成し、SAP on Azure リソースを安全に管理および制御します" + "text": "SAP は、SAP システムを保護するために即時のアクションを必要とする非常に重要なセキュリティ パッチまたはホット フィックスをリリースしているため、SAP セキュリティ OSS ノートを定期的に確認してください。", + "training": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html" }, { "category": "セキュリティ、ガバナンス、コンプライアンス", - "guid": "cf65de8e-1309-4ccc-b579-266bcca275fa", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "severity": "中程度", + "guid": "1b8b394e-ae64-4a74-8933-357b523ea0a0", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "severity": "低い", "subcategory": "統治", - "text": "SAP データベース サーバーの暗号化には、SAP HANA ネイティブ暗号化テクノロジを使用します。Azure SQL Database を使用している場合は、DBMS プロバイダーが提供する Transparent Data Encryption (TDE) を使用して、データとログ 
ファイルをセキュリティで保護し、バックアップも暗号化されるようにします。" + "text": "SQL Server 上の SAP システムではアカウントを使用しないため、SQL Server 上の SAP システム管理者アカウントを無効にすることができます。元のシステム管理者アカウントを無効にする前に、システム管理者権限を持つ別のユーザーがサーバーにアクセスできることを確認してください。" }, { "category": "セキュリティ、ガバナンス、コンプライアンス", - "guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "severity": "中程度", + "guid": "5a76a033-ced9-4eef-9a43-5e4f96634c8e", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "severity": "高い", "subcategory": "統治", - "text": "Azure Storage の暗号化は既定で有効になっています" + "text": "xp_cmdshellを無効にします。SQL Server 機能xp_cmdshell、SQL Server 内部オペレーティング システムのコマンド シェルを有効にします。これは、セキュリティ監査における潜在的なリスクです。", + "training": "https://me.sap.com/notes/3019299/E" }, { "category": "セキュリティ、ガバナンス、コンプライアンス", - "guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "severity": "中程度", - "subcategory": "統治", - "text": " " + "guid": "cf65de8e-1309-4ccc-b579-266bcca275fa", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "severity": "高い", + "subcategory": "秘密", + "text": "Azrue での SAP HANA データベース サーバーの暗号化では、SAP HANA ネイティブ暗号化テクノロジが使用されます。さらに、Azure で SQL Server を使用している場合は、Transparent Data Encryption (TDE) を使用してデータとログ ファイルを保護し、バックアップも暗号化されるようにします。", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security" }, { "category": "セキュリティ、ガバナンス、コンプライアンス", - "guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a", + "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", "severity": "中程度", - "subcategory": "統治", - "text": " " + "subcategory": "秘密", + "text": "Azure Storage の暗号化は、すべての Azure Resource 
Manager とクラシック ストレージ アカウントに対して有効になっており、無効にすることはできません。データは既定で暗号化されるため、Azure Storage 暗号化を使用するためにコードやアプリケーションを変更する必要はありません。", + "training": "https://learn.microsoft.com/training/modules/encrypt-sector-data/?source=recommendations" }, { "category": "セキュリティ、ガバナンス、コンプライアンス", 
@@ -833,95 +929,160 @@ "link": "https://learn.microsoft.com/azure/key-vault/general/overview", "severity": "高い", "subcategory": "秘密", - "text": "Azure Key Vault を使用してシークレットと資格情報を格納する" + "text": "Azure Key Vault を使用してシークレットと資格情報を格納する", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations" }, { "category": "セキュリティ、ガバナンス、コンプライアンス", "guid": "829e2edb-2173-4676-aff6-691b4935ada4", - "link": "https://learn.microsoft.com/azure/key-vault/general/overview-throttling", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", "severity": "中程度", "subcategory": "秘密", - "text": "デプロイが成功したら Azure リソースをロックして、承認されていない変更から保護することをお勧めします" + "text": "デプロイが成功したら、Azure リソースを LOCK して、承認されていない変更から保護することをお勧めします。また、カスタマイズされた Azure ポリシー (Custome ロール) を使用して、サブスクリプションごとに LOCK の制約とルールを適用することもできます。", + "training": "https://learn.microsoft.com/training/modules/use-azure-resource-manager/?source=recommendations" }, { "category": "セキュリティ、ガバナンス、コンプライアンス", "guid": "2223ece8-1b12-4318-8a54-17415833fb4a", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", "severity": "中程度", "subcategory": "秘密", - "text": "論理的な削除ポリシーと消去ポリシーを有効にして Azure Key Vault をプロビジョニングし、削除されたオブジェクトの保持保護を許可します。" + "text": "論理的な削除ポリシーと消去ポリシーを有効にして Azure Key Vault をプロビジョニングし、削除されたオブジェクトの保持保護を許可します。", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations" }, { "category": "セキュリティ、ガバナンス、コンプライアンス", "guid": "e3c2df74-3165-4c3a-abe0-5bbe209d490d", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "severity": "中程度", + "link": "https://learn.microsoft.com/azure/role-based-access-control/security-controls-policy", + "severity": "高い", "subcategory": "秘密", - "text": "既存の要件、規制、コンプライアンス制御 (内部/外部) に基づいて、必要な Azure ポリシーと Azure 
RBAC ロールを決定します" + "text": "既存の要件、規制、コンプライアンス制御 (内部/外部) に基づいて、必要な Azure ポリシーと Azure RBAC ロールを決定します", + "training": "https://learn.microsoft.com/training/paths/describe-azure-management-governance/?source=recommendations" }, { "category": "セキュリティ、ガバナンス、コンプライアンス", "guid": "a4777842-4d11-4678-9d2f-a56c56ad4840", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "severity": "中程度", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "severity": "高い", "subcategory": "秘密", - "text": "Microsoft Defender for Cloud Standard for SAP を有効にする場合は、エンドポイント保護をインストールするポリシーから SAP データベース サーバーを除外してください。" + "text": "SAP 環境でMicrosoft Defender for Endpointを有効にする場合は、すべてのサーバーを対象とするのではなく、DBMS サーバー上のデータとログ ファイルを除外することをお勧めします。ターゲット ファイルを除外する場合は、DBMS ベンダーの推奨事項に従ってください。", + "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/microsoft-defender-endpoint-mde-for-sap-applications-on-windows/ba-p/3912268" }, { "category": "セキュリティ、ガバナンス、コンプライアンス", "guid": "8fe72734-c486-4ba2-a0dc-0591cf65de8e", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "severity": "中程度", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks", + "severity": "高い", "subcategory": "秘密", - "text": "ジャストインタイムアクセス権を持つ SAP 管理者カスタム ロールを委任します。" + "text": "Microsoft Defender for Cloud の Just-In-Time アクセス権を持つ SAP 管理者カスタム ロールを委任します。", + "training": "https://learn.microsoft.com/training/modules/secure-vms-with-azure-security-center/?source=recommendations" }, { "category": "セキュリティ、ガバナンス、コンプライアンス", "guid": "1309cccd-5792-466b-aca2-75faa1abfe9d", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "severity": "中程度", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "severity": "低い", 
"subcategory": "秘密", - "text": "サードパーティのセキュリティ製品を DIAG (SAP GUI)、RFC、および HTTPS の SPNEGO のセキュアネットワーク通信 (SNC) と統合することにより、転送中のデータを暗号化します。" + "text": "サードパーティのセキュリティ製品を DIAG (SAP GUI)、RFC、および SPNEGO for HTTPS のセキュアネットワーク通信 (SNC) と統合することにより、転送中のデータを暗号化します。", + "training": "https://learn.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit" }, { "category": "セキュリティ、ガバナンス、コンプライアンス", - "guid": "55d04c3c-4919-4cb1-a3d1-325ae124ba34", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "guid": "eeaa3592-829e-42ed-a217-3676aff6691b", + "link": "https://learn.microsoft.com/azure/storage/common/storage-encryption-key-model-get?tabs=portal", "severity": "中程度", "subcategory": "秘密", - "text": "SAML 2.0 を使用した Azure Active Directory (Azure AD) では、SAP NetWeaver、SAP HANA、SAP Cloud Platform など、さまざまな SAP アプリケーションやプラットフォームに SSO を提供することもできます" + "text": "プリンシパル暗号化機能には既定で Microsoft マネージド キーを使用し、必要に応じてカスタマー マネージド キーを使用します。", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations" }, { "category": "セキュリティ、ガバナンス、コンプライアンス", - "guid": "df685edd-ce9b-4d3b-a0cd-b3b55eb2ec14", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "severity": "中程度", + "guid": "4935ada4-2223-4ece-a1b1-23181a541741", + "link": "https://learn.microsoft.com/ja-jp/azure/key-vault/general/best-practices", + "severity": "高い", "subcategory": "秘密", - "text": "SAP データベースへの攻撃につながる可能性のある脆弱性を根絶するために、オペレーティング システムを強化してください。" + "text": "Azure Key Vault は、アプリケーションごと、環境ごと、リージョンごとに使用します。", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations" }, { "category": "セキュリティ、ガバナンス、コンプライアンス", - "guid": "eeaa3592-829e-42ed-a217-3676aff6691b", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "severity": "中程度", + "guid": "abc9634d-c44d-41e9-a530-e8444e16aa3c", + "link": 
"https://learn.microsoft.com/azure/key-vault/certificates/certificate-scenarios", + "severity": "高い", "subcategory": "秘密", - "text": "プリンシパル暗号化機能には既定で Microsoft マネージド キーを使用し、必要に応じてカスタマー マネージド キーを使用します。" + "text": "HANA 以外の Windows オペレーティング システムと Windows 以外のオペレーティング システムのディスク暗号化キーとシークレットを制御および管理するには、Azure Key Vault を使用します。SAP HANA は Azure Key Vault ではサポートされていないため、SAP ABAP キーや SSH キーなどの代替方法を使用する必要があります。", + "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/?source=recommendations" }, { "category": "セキュリティ、ガバナンス、コンプライアンス", - "guid": "4935ada4-2223-4ece-a1b1-23181a541741", + "guid": "5833fb4a-e3c2-4df7-9316-5c3acbe05bbe", "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", "severity": "中程度", "subcategory": "秘密", - "text": "Azure Key Vault は、アプリケーションごと、環境ごと、リージョンごとに使用します。" + "text": " " }, { "category": "セキュリティ、ガバナンス、コンプライアンス", - "guid": "5833fb4a-e3c2-4df7-9316-5c3acbe05bbe", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "guid": "209d490d-a477-4784-84d1-16785d2fa56c", + "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles", + "severity": "高い", + "subcategory": "安全", + "text": "SAP on Azure スポーク サブスクリプションのロールベースのアクセス制御 (RBAC) ロールをカスタマイズして、偶発的なネットワーク関連の変更を回避します", + "training": "https://learn.microsoft.com/training/modules/secure-azure-resources-with-rbac/?source=recommendations" + }, + { + "category": "セキュリティ、ガバナンス、コンプライアンス", + "guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591", + "link": "https://blogs.sap.com/2019/07/21/sap-security-operations-on-azure/", + "severity": "高い", + "subcategory": "安全", + "text": "DMZ と NVA を SAP 資産の残りの部分から分離し、Azure Private Link を構成し、SAP on Azure リソースを安全に管理および制御します", + "training": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/secure-vnet-dmz?tabs=portal" + }, + { + "category": "セキュリティ、ガバナンス、コンプライアンス", + "guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5", + "link": 
"https://learn.microsoft.com/en-us/training/modules/secure-vms-with-azure-security-center/?source=recommendations", + "severity": "低い", + "subcategory": "安全", + "text": "Azure で Microsoft マルウェア対策ソフトウェアを使用して、悪意のあるファイル、アドウェア、その他の脅威から仮想マシンを保護することを検討してください。", + "training": "https://azure.microsoft.com/blog/deploying-antimalware-solutions-on-azure-virtual-machines/" + }, + { + "category": "セキュリティ、ガバナンス、コンプライアンス", + "guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676", + "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide", + "severity": "低い", + "subcategory": "安全", + "text": "さらに強力な保護を行うには、Microsoft Defender for Endpointの使用を検討してください。", + "training": "https://learn.microsoft.com/training/modules/implement-endpoint-protection-use-microsoft-defender/?source=recommendations" + }, + { + "category": "セキュリティ、ガバナンス、コンプライアンス", + "guid": "87a924c4-25c2-419f-a2f0-96c7c4fe4525", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", + "severity": "高い", + "subcategory": "安全", + "text": "仮想ネットワーク ピアリングによってスポーク ネットワークに接続されているハブ仮想ネットワークを介してすべてのトラフィックを渡すことで、SAP アプリケーションとデータベース サーバーをインターネットまたはオンプレミス ネットワークから分離します。ピアリングされた仮想ネットワークにより、SAP on Azure ソリューションがパブリック インターネットから分離されることが保証されます。", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/?source=recommendations" + }, + { + "category": "セキュリティ、ガバナンス、コンプライアンス", + "guid": "491ca1c4-3d40-42c0-9d85-b8933999590b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "severity": "低い", + "subcategory": "安全", + "text": "SAP Fiori などのインターネットに接続するアプリケーションの場合は、セキュリティレベルを維持しながら、アプリケーション要件ごとに負荷を分散してください。レイヤー 7 セキュリティについては、Azure Marketplace で入手できるサードパーティの Web アプリケーション ファイアウォール (WAF) を使用できます。", + "training": "https://learn.microsoft.com/training/modules/simplify-cloud-procurement-governance-azure-marketplace/?source=recommendations" + }, + { + 
"category": "セキュリティ、ガバナンス、コンプライアンス", + "guid": "9fc945b9-0527-47af-8200-9d652fe02fcc", + "link": "https://learn.microsoft.com/azure/sap/monitor/enable-tls-azure-monitor-sap-solutions", "severity": "中程度", - "subcategory": "秘密", - "text": " " + "subcategory": "安全", + "text": "Azure Monitor for SAP solutions でセキュリティで保護された通信を有効にするには、ルート証明書またはサーバー証明書のいずれかを使用することを選択できます。ルート証明書を使用することを強くお勧めします。", + "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations" }, { "category": "貯蔵", @@ -934,7 +1095,7 @@ "metadata": { "name": "Azure Landing Zone Review", "state": "Preview", - "timestamp": "November 24, 2023" + "timestamp": "January 11, 2024" }, "severities": [ { diff --git a/checklists/sap_checklist.ko.json b/checklists/sap_checklist.ko.json index 5038ee792..4df3305dc 100644 --- a/checklists/sap_checklist.ko.json +++ b/checklists/sap_checklist.ko.json 
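Review bot: The entry with guid `5833fb4a-e3c2-4df7-9316-5c3acbe05bbe` stays on the new side with `"text": " "`, so the security section ships a medium-severity item that links to the Key Vault best-practices page but states no recommendation a reviewer could check off. Either give it its recommendation text in the checklist these files are generated from, or drop the placeholder entry. In the same hunk two links pin a locale (`/ja-jp/` in the `4935ada4-2223-4ece-a1b1-23181a541741` item, `/en-us/` in the `e124ba34-df68-45ed-bce9-bd3bb0cdb3b5` item) while the other links are locale-neutral. For the first, `"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices"` would match the rest.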
@@ -17,38 +17,6 @@ } ], "items": [ - { - "category": "비즈니스 연속성 및 재해 복구", - "guid": "aff6691b-4935-4ada-9222-3ece81b12318", - "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-reports", - "severity": "보통", - "subcategory": " ", - "text": "ASCS와 데이터베이스 클러스터를 단일/동일한 VM에 결합하지 마세요." - }, - { - "category": "비즈니스 연속성 및 재해 복구", - "guid": "1a541741-5833-4fb4-ae3c-2df743165c3a", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/logs-data-export?tabs=portal", - "severity": "보통", - "subcategory": " ", - "text": "로드 밸런서에서 유동 IP가 사용하도록 설정되어 있는지 확인합니다." - }, - { - "category": "비즈니스 연속성 및 재해 복구", - "guid": "cbe05bbe-209d-4490-ba47-778424d11678", - "link": "https://learn.microsoft.com/azure/security-center/", - "severity": "보통", - "subcategory": " ", - "text": "동일한 가용성 집합에 서로 다른 역할의 서버를 혼합하지 마십시오. 중앙 서비스 VM, 데이터베이스 VM, 애플리케이션 VM을 자체 가용성 집합으로 유지" - }, - { - "category": "비즈니스 연속성 및 재해 복구", - "guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2", - "link": "https://learn.microsoft.com/azure/security-center/", - "severity": "보통", - "subcategory": " ", - "text": "SAP SID당 하나의 근접 배치 그룹을 사용합니다. 그룹은 가용성 영역 또는 Azure 지역에 걸쳐 있지 않습니다." - }, { "category": "비즈니스 연속성 및 재해 복구", "guid": "80dc0591-cf65-4de8-b130-9cccd579266b", @@ -71,7 +39,7 @@ "link": "https://www.microsoft.com/itshowcase/implementing-a-zero-trust-security-model-at-microsoft", "severity": "보통", "subcategory": " ", - "text": "HA 쌍의 두 VM이 모두 가용성 집합에 배포되거나 가용성 영역의 크기와 스토리지 구성이 동일해야 합니다" + "text": "HA 쌍의 두 VM이 모두 가용성 집합에 배포되거나 가용성 영역의 크기가 동일하고 스토리지 구성이 동일해야 합니다" }, { "category": "비즈니스 연속성 및 재해 복구", 
@@ -110,6 +78,129 @@ "subcategory": " ", "text": "네이티브 데이터베이스 복제는 Azure Site Recovery가 아닌 DR 사이트에 데이터를 동기화하는 데 사용해야 합니다" }, + { + "category": "비즈니스 연속성 및 재해 복구", + "guid": "8300cb30-766b-4084-b126-0dd8fb1269a1", + "link": "https://learn.microsoft.com/azure/sap/workloads/sap-high-availability-architecture-scenario", + "severity": "높다", + "subcategory": "고가용성", + "text": "단일 장애 지점에 대한 SAP 소프트웨어의 가용성을 고려합니다. 여기에는 SAP NetWeaver 및 SAP S/4HANA 아키텍처, SAP ABAP 및 ASCS + SCS에서 사용되는 DBMS와 같은 애플리케이션 내의 단일 실패 지점이 포함됩니다. 또한 SAP Web Dispatcher와 같은 다른 도구도 있습니다.", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/2-explore-high-availability-disaster-recovery-support-azure-for-sap-workloads?source=recommendations" + }, + { + "category": "비즈니스 연속성 및 재해 복구", + "guid": "56402f11-ccbe-42c3-a2f6-c6f6f38ab579", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-supported-configurations", + "severity": "높다", + "subcategory": "고가용성", + "text": "SAP 및 SAP 데이터베이스의 경우 자동 장애 조치(failover) 클러스터를 구현하는 것이 좋습니다. Windows에서 Windows Server 장애 조치(failover) 클러스터링은 장애 조치(failover)를 지원합니다. Linux에서 Linux Pacemaker 또는 SIOS Protection Suite 및 Veritas InfoScale과 같은 타사 툴은 장애 조치를 지원합니다.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations" + }, + { + "category": "비즈니스 연속성 및 재해 복구", + "guid": "afae6bec-2671-49ae-bc69-140b8ec8d320", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", + "severity": "높다", + "subcategory": "고가용성", + "text": "Azure는 기본 및 보조 VM이 DBMS 데이터에 대한 스토리지를 공유하는 아키텍처를 지원하지 않습니다. 
DBMS 계층의 경우 일반적인 아키텍처 패턴은 기본 및 보조 VM에서 사용하는 것과 다른 스토리지 스택을 사용하여 동시에 데이터베이스를 복제하는 것입니다.", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/?source=recommendationshttps%3A%2F%2Flearn.microsoft.com%2Fja-jp%2Ftraining%2Fpaths%2Fensure-business-continuity-implement-disaster-recovery%2F%3Fsource%3Drecommendations" + }, + { + "category": "비즈니스 연속성 및 재해 복구", + "guid": "ac614e95-6767-4bc3-b8a4-9953533da6ba", + "link": "https://learn.microsoft.com/azure/sap/workloads/dbms-guide-general", + "severity": "높다", + "subcategory": "고가용성", + "text": "DBMS 데이터 및 트랜잭션/다시 실행 로그 파일은 Azure 지원 블록 스토리지 또는 Azure NetApp Files에 저장됩니다. Azure Files 또는 Azure Premium Files는 DBMS 데이터 및/또는 SAP 워크로드가 있는 다시 실행 로그 파일에 대한 스토리지로 지원되지 않습니다.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-databases/2-explore-database-support-azure-for-sap-workloads" + }, + { + "category": "비즈니스 연속성 및 재해 복구", + "guid": "1f737179-8e7f-4e1a-a30c-e5a649a3092b", + "link": "https://learn.microsoft.com/azure/sap/workloads/sap-high-availability-guide-wsfc-shared-disk", + "severity": "높다", + "subcategory": "고가용성", + "text": "ASCS + SCS 구성 요소 및 특정 고가용성 시나리오에 대해 Windows에서 Azure 공유 디스크를 사용할 수 있습니다. SAP 애플리케이션 계층 구성 요소 및 DBMS 계층에 대해 장애 조치(failover) 클러스터를 별도로 설정합니다. Azure는 현재 SAP 애플리케이션 계층 구성 요소와 DBMS 계층을 하나의 장애 조치(failover) 클러스터로 결합하는 고가용성 아키텍처를 지원하지 않습니다.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations" + }, + { + "category": "비즈니스 연속성 및 재해 복구", + "guid": "a78b3d31-3170-44f2-b5d7-651a29f4ccf5", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-standard-load-balancer-outbound-connections", + "severity": "높다", + "subcategory": "고가용성", + "text": "SAP ASCS(애플리케이션 계층 구성 요소) 및 DBMS 계층에 대한 대부분의 장애 조치(failover) 클러스터에는 장애 조치(failover) 클러스터에 대한 가상 IP 주소가 필요합니다. Azure Load Balancer는 다른 모든 경우에 대한 가상 IP 주소를 처리해야 합니다. 
한 가지 설계 원칙은 클러스터 구성당 하나의 부하 분산 장치를 사용하는 것입니다. 부하 분산 장치의 표준 버전(표준 Load Balancer SKU)을 사용하는 것이 좋습니다.", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations" + }, + { + "category": "비즈니스 연속성 및 재해 복구", + "guid": "1a541741-5833-4fb4-ae3c-2df743165c3a", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-ha-ports-overview?source=recommendations", + "severity": "높다", + "subcategory": "고가용성", + "text": "로드 밸런서에서 유동 IP가 사용하도록 설정되어 있는지 확인합니다.", + "training": "https://learn.microsoft.com/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations" + }, + { + "category": "비즈니스 연속성 및 재해 복구", + "guid": "c47cc4f3-f105-452c-845e-9b307b3856c1", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability", + "severity": "높다", + "subcategory": "고가용성", + "text": "고가용성 인프라를 배포하기 전에 선택한 지역에 따라 Azure 가용성 집합 또는 가용성 영역을 사용하여 배포할지 여부를 결정합니다.", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations" + }, + { + "category": "비즈니스 연속성 및 재해 복구", + "guid": "844f69c3-07e5-4ec1-bff7-4be27bcf5fea", + "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", + "severity": "높다", + "subcategory": "고가용성", + "text": "SAP 구성 요소(중앙 서비스, 애플리케이션 서버 및 데이터베이스)용 애플리케이션에 대한 인프라 SLA를 충족하려면 모든 구성 요소에 대해 동일한 고가용성 옵션(VM, 가용성 집합, 가용성 영역)을 선택해야 합니다." + }, + { + "category": "비즈니스 연속성 및 재해 복구", + "guid": "cbe05bbe-209d-4490-ba47-778424d11678", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "severity": "높다", + "subcategory": "고가용성", + "text": "동일한 가용성 집합에 서로 다른 역할의 서버를 혼합하지 마십시오. 
중앙 서비스 VM, 데이터베이스 VM, 애플리케이션 VM을 자체 가용성 집합으로 유지", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations" + }, + { + "category": "비즈니스 연속성 및 재해 복구", + "guid": "f2201000-d045-40a6-a79a-d7cdc01b4d86", + "link": "https://learn.microsoft.com/azure/virtual-machines/co-location", + "severity": "보통", + "subcategory": "고가용성", + "text": "근접 배치 그룹을 사용하지 않는 한 Azure 가용성 영역 내에 Azure 가용성 집합을 배포할 수 없습니다.", + "training": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios" + }, + { + "category": "비즈니스 연속성 및 재해 복구", + "guid": "9674e7c7-7796-4181-8920-09f4429543ba", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "severity": "높다", + "subcategory": "고가용성", + "text": "가용성 집합을 만들 때 사용 가능한 최대 장애 도메인 및 업데이트 도메인 수를 사용합니다. 예를 들어 하나의 가용성 집합에 두 개 이상의 VM을 배포하는 경우 Azure의 계획된 유지 관리 외에도 잠재적인 물리적 하드웨어 오류, 네트워크 중단 또는 전원 중단의 영향을 제한하기 위해 최대 장애 도메인 수(3개)와 충분한 업데이트 도메인을 사용합니다. 장애 도메인의 기본 수는 2개이며 나중에 온라인으로 변경할 수 없습니다.", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations" + }, + { + "category": "비즈니스 연속성 및 재해 복구", + "guid": "ae4ecb95-b70f-428f-8b9a-4c5b7e3478a2", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "severity": "높다", + "subcategory": "고가용성", + "text": "가용성 집합 배포에서 Azure 근접 배치 그룹을 사용하는 경우 세 가지 SAP 구성 요소(중앙 서비스, 애플리케이션 서버 및 데이터베이스)가 모두 동일한 근접 배치 그룹에 있어야 합니다." + }, + { + "category": "비즈니스 연속성 및 재해 복구", + "guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "severity": "높다", + "subcategory": "고가용성", + "text": "SAP SID당 하나의 근접 배치 그룹을 사용합니다. 그룹은 가용성 영역 또는 Azure 지역에 걸쳐 있지 않습니다." + }, { "category": "계산", "guid": "2829e2ed-b217-4367-9aff-6691b4935ada", 
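Review bot: The `training` value of the added item `afae6bec-2671-49ae-bc69-140b8ec8d320` is two URLs run together: after `?source=recommendations` it continues with a percent-encoded `https%3A%2F%2Flearn.microsoft.com%2Fja-jp%2F…` copy of the same path, so the `source` query value is junk. It should read `"training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/?source=recommendations"`. As this is an automated change, the value presumably comes from the checklist the translations are generated from, so the fix belongs there. A URL-format check in the generation step would catch this kind of paste error before it is copied into every language file.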
@@ -174,7 +265,7 @@ "guid": "23181aa4-1742-4694-9ff8-ae7d7d474317", "severity": "보통", "subcategory": "신원", - "text": "SAP GUI 및 웹 브라우저 액세스를 위한 SSO의 경우 구성 및 유지 관리가 용이하여 SNC – Kerberos/SPNEGO(간단하고 보호된 GSSAPI 협상 메커니즘)를 구현합니다. X.509 클라이언트 인증서를 사용하는 SSO의 경우 SAP SSO 솔루션의 구성 요소인 SAP 보안 로그인 서버를 고려하십시오.", + "text": "SAP GUI 및 웹 브라우저 액세스를 위한 SSO의 경우 구성 및 유지 관리가 용이하기 때문에 SNC – Kerberos/SPNEGO(간단하고 보호된 GSSAPI 협상 메커니즘)를 구현합니다. X.509 클라이언트 인증서를 사용하는 SSO의 경우 SAP SSO 솔루션의 구성 요소인 SAP 보안 로그인 서버를 고려합니다.", "training": "https://learn.microsoft.com/training/modules/explore-identity-services/9-exercise-integrate-active-directory-sap-single-sign-on" }, { @@ -183,7 +274,7 @@ "link": "https://blogs.sap.com/2017/07/12/sap-single-sign-on-protect-your-sap-landscape-with-x.509-certificates/", "severity": "보통", "subcategory": "신원", - "text": "SAP GUI 및 웹 브라우저 액세스를 위한 SSO의 경우 구성 및 유지 관리가 용이하여 SNC – Kerberos/SPNEGO(간단하고 보호된 GSSAPI 협상 메커니즘)를 구현합니다. X.509 클라이언트 인증서를 사용하는 SSO의 경우 SAP SSO 솔루션의 구성 요소인 SAP 보안 로그인 서버를 고려하십시오." + "text": "SAP GUI 및 웹 브라우저 액세스를 위한 SSO의 경우 구성 및 유지 관리가 용이하기 때문에 SNC – Kerberos/SPNEGO(간단하고 보호된 GSSAPI 협상 메커니즘)를 구현합니다. X.509 클라이언트 인증서를 사용하는 SSO의 경우 SAP SSO 솔루션의 구성 요소인 SAP 보안 로그인 서버를 고려합니다." }, { "category": "ID 및 액세스", @@ -223,7 +314,7 @@ "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial", "severity": "보통", "subcategory": "신원", - "text": "SAP IAS(Identity Authentication Service)가 필요한 SAP BTP 서비스 또는 SaaS 솔루션을 사용하는 경우 SAP Cloud Identity Authentication Services와 Azure AD 간에 SSO를 구현하여 해당 SAP 서비스에 액세스하는 것이 좋습니다. 이 통합을 통해 SAP IAS는 프록시 ID 공급자 역할을 하고 인증 요청을 중앙 사용자 저장소 및 ID 공급자인 Azure AD에 전달할 수 있습니다." + "text": "SAP IAS(Identity Authentication Service)가 필요한 SAP BTP 서비스 또는 SaaS 솔루션을 사용하는 경우 SAP Cloud Identity Authentication Services와 Azure AD 간에 SSO를 구현하여 해당 SAP 서비스에 액세스하는 것이 좋습니다. 이 통합을 통해 SAP IAS는 프록시 ID 공급자 역할을 하고 중앙 사용자 저장소 및 ID 공급자인 Azure AD에 인증 요청을 전달할 수 있습니다." }, { "category": "ID 및 액세스", 
@@ -265,7 +356,7 @@ "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", "severity": "높다", "subcategory": "구독", - "text": "구독을 배율 단위로 활용하고 리소스를 확장하고, 예를 들어 환경별로 구독을 배포하는 것이 좋습니다. 샌드박스, 비프로덕션, 프로덕션 ", + "text": "구독을 배율 단위로 활용하고 리소스를 확장하려면 환경별로 구독을 배포하는 것이 좋습니다. 샌드박스, 비프로덕션, 프로덕션 ", "training": "https://learn.microsoft.com/training/modules/configure-subscriptions/?source=recommendations" }, { @@ -359,7 +450,7 @@ "link": "https://learn.microsoft.com/azure/lighthouse/overview", "severity": "보통", "subcategory": "경영", - "text": "SAP 자산을 관리하여 고객과 파트너 관계를 맺는 경우 Azure Lighthouse를 사용하는 것이 좋습니다. Azure Lighthouse를 사용하면 관리 서비스 공급자가 Azure 네이티브 ID 서비스를 사용하여 고객 환경에 인증할 수 있습니다. 고객은 언제든지 액세스 권한을 취소하고 서비스 제공업체의 조치를 감사할 수 있으므로 제어권을 고객에게 부여합니다." + "text": "SAP 자산을 관리하여 고객과 파트너 관계를 맺는 경우 Azure Lighthouse를 사용하는 것이 좋습니다. Azure Lighthouse를 사용하면 관리 서비스 공급자가 Azure 네이티브 ID 서비스를 사용하여 고객 환경에 인증할 수 있습니다. 고객은 언제든지 액세스 권한을 취소하고 서비스 제공업체의 조치를 감사할 수 있으므로 고객의 손에 제어 권한을 부여합니다." }, { "category": "관리 및 모니터링", @@ -624,7 +715,7 @@ "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-delegate-subnet", "severity": "보통", "subcategory": "IP 플랜", - "text": "Azure는 VNet에서 여러 위임된 서브넷을 만드는 데 도움이 되지만 Azure NetApp Files용 VNet에는 위임된 서브넷이 하나만 존재할 수 있습니다. Azure NetApp Files에 위임된 서브넷을 두 개 이상 사용하는 경우 새 볼륨을 만들려는 시도가 실패합니다.", + "text": "Azure는 VNet에서 여러 위임된 서브넷을 만드는 데 도움이 되지만 Azure NetApp Files용 VNet에는 위임된 서브넷이 하나만 존재할 수 있습니다. Azure NetApp Files에 대해 둘 이상의 위임된 서브넷을 사용하는 경우 새 볼륨을 만들려는 시도가 실패합니다.", "training": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-network-topologies?source=recommendations" }, { 
@@ -687,7 +778,7 @@ "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", "severity": "보통", "subcategory": "인터넷", - "text": "데이터 유출을 방지하려면 Azure Private Link를 사용하여 Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2, Azure Data Factory 등과 같은 PaaS(Platform as a Service) 리소스에 안전하게 액세스합니다. Azure 프라이빗 엔드포인트는 VNet과 Azure Storage, Azure Backup 등과 같은 서비스 간의 트래픽을 보호하는 데도 도움이 될 수 있습니다. VNet과 프라이빗 엔드포인트 지원 서비스 간의 트래픽은 Microsoft 글로벌 네트워크를 통해 이동하므로 공용 인터넷에 노출되지 않습니다.", + "text": "데이터 유출을 방지하려면 Azure Private Link를 사용하여 Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2, Azure Data Factory 등과 같은 PaaS(Platform as a Service) 리소스에 안전하게 액세스합니다. Azure 프라이빗 엔드포인트는 VNet과 Azure Storage, Azure Backup 등과 같은 서비스 간의 트래픽을 보호하는 데도 도움이 될 수 있습니다. VNet과 프라이빗 엔드포인트 사용 서비스 간의 트래픽은 Microsoft 글로벌 네트워크를 통해 이동하므로 공용 인터넷에 노출되지 않습니다.", "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/?source=recommendations" }, { @@ -750,7 +841,7 @@ "link": "https://me.sap.com/notes/2015553", "severity": "높다", "subcategory": "세분화", - "text": "계층 간의 과도한 네트워크 트래픽으로 인해 발생할 수 있는 상당한 비용 때문에 SAP 시스템의 DBMS(데이터베이스 관리 시스템) 및 애플리케이션 계층을 서로 다른 VNet에 호스트하고 VNet 피어링과 연결하는 것은 권장되지 않습니다. Azure 가상 네트워크 내에서 서브넷을 사용하여 SAP 애플리케이션 계층과 DBMS 계층을 분리하는 것이 좋습니다.", + "text": "계층 간의 과도한 네트워크 트래픽으로 인해 발생할 수 있는 상당한 비용 때문에 다른 VNet에서 SAP 시스템의 DBMS(데이터베이스 관리 시스템) 및 애플리케이션 계층을 호스트하고 VNet 피어링과 연결하는 것은 권장되지 않습니다. Azure 가상 네트워크 내에서 서브넷을 사용하여 SAP 애플리케이션 계층과 DBMS 계층을 분리하는 것이 좋습니다.", "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity" }, { 
@@ -781,51 +872,56 @@ }, { "category": "보안, 거버넌스 및 규정 준수", - "guid": "209d490d-a477-4784-84d1-16785d2fa56c", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "severity": "높다", + "guid": "18dffcf3-248c-4039-a67c-dec8e3a5f804", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", + "severity": "보통", "subcategory": "지배구조", - "text": "실수로 인한 네트워크 관련 변경을 방지하기 위해 Azure의 SAP 스포크 구독에 대한 RBAC(역할 기반 액세스 제어) 역할 사용자 지정" + "text": "Azure, 온-프레미스 또는 기타 클라우드 환경에서 Windows 및 Linux VM을 실행하는 경우 Azure Automation의 업데이트 관리 센터를 사용하여 보안 패치를 포함한 운영 체제 업데이트를 관리할 수 있습니다.", + "training": "https://learn.microsoft.com/azure/automation/update-management/overview" }, { "category": "보안, 거버넌스 및 규정 준수", - "guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "guid": "08951710-79a2-492a-adbc-06d7a401545b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", "severity": "보통", "subcategory": "지배구조", - "text": "나머지 SAP 자산에서 DMZ 및 NVA를 격리하고, Azure Private Link를 구성하고, Azure의 SAP 리소스를 안전하게 관리 및 제어합니다" + "text": "SAP는 SAP 시스템을 보호하기 위해 즉각적인 조치가 필요한 매우 중요한 보안 패치 또는 핫픽스를 릴리스하므로 SAP 보안 OSS 노트를 정기적으로 검토합니다.", + "training": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html" }, { "category": "보안, 거버넌스 및 규정 준수", - "guid": "cf65de8e-1309-4ccc-b579-266bcca275fa", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "severity": "보통", + "guid": "1b8b394e-ae64-4a74-8933-357b523ea0a0", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "severity": "낮다", "subcategory": "지배구조", - "text": "SAP 데이터베이스 서버 암호화의 경우 SAP HANA 네이티브 암호화 기술을 사용합니다. Azure SQL Database를 사용하는 경우 DBMS 공급자가 제공하는 TDE(투명한 데이터 암호화)를 사용하여 데이터 및 로그 파일을 보호하고 백업도 암호화되도록 합니다." 
+ "text": "SQL Server SAP의 경우 SQL Server SAP 시스템에서 계정을 사용하지 않으므로 SQL Server 시스템 관리자 계정을 사용하지 않도록 설정할 수 있습니다. 원래 시스템 관리자 계정을 비활성화하기 전에 시스템 관리자 권한이 있는 다른 사용자가 서버에 액세스할 수 있는지 확인합니다." }, { "category": "보안, 거버넌스 및 규정 준수", - "guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "severity": "보통", + "guid": "5a76a033-ced9-4eef-9a43-5e4f96634c8e", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "severity": "높다", "subcategory": "지배구조", - "text": "Azure Storage 암호화는 기본적으로 사용하도록 설정되어 있습니다" + "text": "xp_cmdshell 비활성화합니다. SQL Server 기능 xp_cmdshell SQL Server 내부 운영 체제 명령 셸을 사용할 수 있습니다. 이는 보안 감사에서 발생할 수 있는 잠재적 위험입니다.", + "training": "https://me.sap.com/notes/3019299/E" }, { "category": "보안, 거버넌스 및 규정 준수", - "guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "severity": "보통", - "subcategory": "지배구조", - "text": " " + "guid": "cf65de8e-1309-4ccc-b579-266bcca275fa", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "severity": "높다", + "subcategory": "비밀", + "text": "Azrue에서 SAP HANA 데이터베이스 서버를 암호화하는 데는 SAP HANA 네이티브 암호화 기술이 사용됩니다. 
또한 Azure에서 SQL Server를 사용하는 경우 TDE(투명한 데이터 암호화)를 사용하여 데이터 및 로그 파일을 보호하고 백업도 암호화되도록 합니다.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security" }, { "category": "보안, 거버넌스 및 규정 준수", - "guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a", + "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", "severity": "보통", - "subcategory": "지배구조", - "text": " " + "subcategory": "비밀", + "text": "Azure Storage 암호화는 모든 Azure Resource Manager 및 클래식 스토리지 계정에 대해 사용하도록 설정되며 사용하지 않도록 설정할 수 없습니다. 데이터는 기본적으로 암호화되므로 Azure Storage 암호화를 사용하기 위해 코드 또는 애플리케이션을 수정할 필요가 없습니다.", + "training": "https://learn.microsoft.com/training/modules/encrypt-sector-data/?source=recommendations" }, { "category": "보안, 거버넌스 및 규정 준수", 
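Review bot: The added `text` for guid `cf65de8e-1309-4ccc-b579-266bcca275fa` opens with the misspelling `Azrue`, so the encryption-at-rest recommendation is displayed with a broken product name; it should start `"text": "Azure에서 SAP HANA 데이터베이스 서버를 암호화하는 데는 …`. The commit title suggests this file is generated, so the typo presumably comes from the English master. Correcting it there keeps it from returning on the next automated run.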
@@ -833,95 +929,160 @@ "link": "https://learn.microsoft.com/azure/key-vault/general/overview", "severity": "높다", "subcategory": "비밀", - "text": "Azure Key Vault를 사용하여 비밀 및 자격 증명 저장" + "text": "Azure Key Vault를 사용하여 비밀 및 자격 증명 저장", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations" }, { "category": "보안, 거버넌스 및 규정 준수", "guid": "829e2edb-2173-4676-aff6-691b4935ada4", - "link": "https://learn.microsoft.com/azure/key-vault/general/overview-throttling", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", "severity": "보통", "subcategory": "비밀", - "text": "무단 변경으로부터 보호하기 위해 성공적인 배포 후 Azure 리소스를 잠그는 것이 좋습니다" + "text": "무단 변경으로부터 보호하기 위해 성공적인 배포 후 Azure 리소스를 잠그는 것이 좋습니다. 사용자 지정된 Azure 정책(Custome 역할)을 사용하여 구독별로 LOCK 제약 조건 및 규칙을 적용할 수도 있습니다.", + "training": "https://learn.microsoft.com/training/modules/use-azure-resource-manager/?source=recommendations" }, { "category": "보안, 거버넌스 및 규정 준수", "guid": "2223ece8-1b12-4318-8a54-17415833fb4a", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", "severity": "보통", "subcategory": "비밀", - "text": "삭제된 개체에 대한 보존 보호를 허용하기 위해 일시 삭제 및 제거 정책을 사용하도록 설정된 Azure Key Vault를 프로비전합니다." 
+ "text": "삭제된 개체에 대한 보존 보호를 허용하기 위해 일시 삭제 및 제거 정책을 사용하도록 설정된 Azure Key Vault를 프로비전합니다.", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations" }, { "category": "보안, 거버넌스 및 규정 준수", "guid": "e3c2df74-3165-4c3a-abe0-5bbe209d490d", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "severity": "보통", + "link": "https://learn.microsoft.com/azure/role-based-access-control/security-controls-policy", + "severity": "높다", "subcategory": "비밀", - "text": "기존 요구 사항에 따라 규정 및 규정 준수 제어(내부/외부) - 필요한 Azure 정책 및 Azure RBAC 역할 결정" + "text": "기존 요구 사항에 따라 규정 및 규정 준수 제어(내부/외부) - 필요한 Azure 정책 및 Azure RBAC 역할 결정", + "training": "https://learn.microsoft.com/training/paths/describe-azure-management-governance/?source=recommendations" }, { "category": "보안, 거버넌스 및 규정 준수", "guid": "a4777842-4d11-4678-9d2f-a56c56ad4840", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "severity": "보통", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "severity": "높다", "subcategory": "비밀", - "text": "SAP용 클라우드용 Microsoft Defender 표준을 사용하도록 설정하는 경우 엔드포인트 보호를 설치하는 정책에서 SAP 데이터베이스 서버를 제외해야 합니다." + "text": "SAP 환경에서 엔드포인트용 Microsoft Defender 사용하도록 설정하는 경우 모든 서버를 대상으로 하는 대신 DBMS 서버에서 데이터 및 로그 파일을 제외하는 것이 좋습니다. 
대상 파일을 제외할 때 DBMS 공급업체의 권장 사항을 따릅니다.", + "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/microsoft-defender-endpoint-mde-for-sap-applications-on-windows/ba-p/3912268" }, { "category": "보안, 거버넌스 및 규정 준수", "guid": "8fe72734-c486-4ba2-a0dc-0591cf65de8e", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "severity": "보통", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks", + "severity": "높다", "subcategory": "비밀", - "text": "Just-In-Time 액세스 권한이 있는 SAP 관리자 사용자 지정 역할을 위임합니다." + "text": "클라우드용 Microsoft Defender의 Just-In-Time 액세스 권한이 있는 SAP 관리자 사용자 지정 역할을 위임합니다.", + "training": "https://learn.microsoft.com/training/modules/secure-vms-with-azure-security-center/?source=recommendations" }, { "category": "보안, 거버넌스 및 규정 준수", "guid": "1309cccd-5792-466b-aca2-75faa1abfe9d", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "severity": "보통", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "severity": "낮다", "subcategory": "비밀", - "text": "타사 보안 제품을 DIAG(SAP GUI)용 SNC(Secure Network Communications), RFC 및 HTTPS용 SPNEGO와 통합하여 전송 중인 데이터를 암호화합니다." 
+ "text": "타사 보안 제품을 DIAG(SAP GUI)용 SNC(Secure Network Communications), RFC 및 HTTPS용 SPNEGO와 통합하여 전송 중인 데이터를 암호화합니다.", + "training": "https://learn.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit" }, { "category": "보안, 거버넌스 및 규정 준수", - "guid": "55d04c3c-4919-4cb1-a3d1-325ae124ba34", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "guid": "eeaa3592-829e-42ed-a217-3676aff6691b", + "link": "https://learn.microsoft.com/azure/storage/common/storage-encryption-key-model-get?tabs=portal", "severity": "보통", "subcategory": "비밀", - "text": "SAML 2.0을 사용하는 Azure AD(Azure Active Directory)는 SAP NetWeaver, SAP HANA 및 SAP Cloud Platform과 같은 다양한 SAP 애플리케이션 및 플랫폼에 SSO를 제공할 수도 있습니다" + "text": "보안 주체 암호화 기능을 위해 기본적으로 Microsoft 관리형 키를 사용하고 필요한 경우 고객 관리형 키를 사용합니다.", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations" }, { "category": "보안, 거버넌스 및 규정 준수", - "guid": "df685edd-ce9b-4d3b-a0cd-b3b55eb2ec14", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "severity": "보통", + "guid": "4935ada4-2223-4ece-a1b1-23181a541741", + "link": "https://learn.microsoft.com/ja-jp/azure/key-vault/general/best-practices", + "severity": "높다", "subcategory": "비밀", - "text": "SAP 데이터베이스에 대한 공격으로 이어질 수 있는 취약성을 근절하기 위해 운영 체제를 강화해야 합니다." 
+ "text": "애플리케이션, 환경, 지역당 Azure Key Vault를 사용합니다.", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations" }, { "category": "보안, 거버넌스 및 규정 준수", - "guid": "eeaa3592-829e-42ed-a217-3676aff6691b", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "severity": "보통", + "guid": "abc9634d-c44d-41e9-a530-e8444e16aa3c", + "link": "https://learn.microsoft.com/azure/key-vault/certificates/certificate-scenarios", + "severity": "높다", "subcategory": "비밀", - "text": "보안 주체 암호화 기능을 위해 기본적으로 Microsoft 관리형 키를 사용하고 필요한 경우 고객 관리형 키를 사용합니다." + "text": "비 HANA Windows 및 비 Windows 운영 체제에 대한 디스크 암호화 키 및 비밀을 제어하고 관리하려면 Azure Key Vault를 사용합니다. SAP HANA는 Azure Key Vault에서 지원되지 않으므로 SAP ABAP 또는 SSH 키와 같은 대체 방법을 사용해야 합니다.", + "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/?source=recommendations" }, { "category": "보안, 거버넌스 및 규정 준수", - "guid": "4935ada4-2223-4ece-a1b1-23181a541741", + "guid": "5833fb4a-e3c2-4df7-9316-5c3acbe05bbe", "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", "severity": "보통", "subcategory": "비밀", - "text": "애플리케이션, 환경, 지역당 Azure Key Vault를 사용합니다." 
+ "text": " " }, { "category": "보안, 거버넌스 및 규정 준수", - "guid": "5833fb4a-e3c2-4df7-9316-5c3acbe05bbe", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "guid": "209d490d-a477-4784-84d1-16785d2fa56c", + "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles", + "severity": "높다", + "subcategory": "안전", + "text": "실수로 인한 네트워크 관련 변경을 방지하기 위해 Azure의 SAP 스포크 구독에 대한 RBAC(역할 기반 액세스 제어) 역할 사용자 지정", + "training": "https://learn.microsoft.com/training/modules/secure-azure-resources-with-rbac/?source=recommendations" + }, + { + "category": "보안, 거버넌스 및 규정 준수", + "guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591", + "link": "https://blogs.sap.com/2019/07/21/sap-security-operations-on-azure/", + "severity": "높다", + "subcategory": "안전", + "text": "나머지 SAP 자산에서 DMZ 및 NVA를 격리하고, Azure Private Link를 구성하고, Azure의 SAP 리소스를 안전하게 관리 및 제어합니다", + "training": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/secure-vnet-dmz?tabs=portal" + }, + { + "category": "보안, 거버넌스 및 규정 준수", + "guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5", + "link": "https://learn.microsoft.com/en-us/training/modules/secure-vms-with-azure-security-center/?source=recommendations", + "severity": "낮다", + "subcategory": "안전", + "text": "Azure에서 Microsoft 맬웨어 방지 소프트웨어를 사용하여 악성 파일, 애드웨어 및 기타 위협으로부터 가상 머신을 보호하는 것이 좋습니다.", + "training": "https://azure.microsoft.com/blog/deploying-antimalware-solutions-on-azure-virtual-machines/" + }, + { + "category": "보안, 거버넌스 및 규정 준수", + "guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676", + "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide", + "severity": "낮다", + "subcategory": "안전", + "text": "더욱 강력한 보호를 위해 엔드포인트용 Microsoft Defender 사용하는 것이 좋습니다.", + "training": "https://learn.microsoft.com/training/modules/implement-endpoint-protection-use-microsoft-defender/?source=recommendations" + }, + { + "category": "보안, 거버넌스 및 규정 준수", + "guid": 
"87a924c4-25c2-419f-a2f0-96c7c4fe4525", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", + "severity": "높다", + "subcategory": "안전", + "text": "가상 네트워크 피어링을 통해 스포크 네트워크에 연결된 허브 가상 네트워크를 통해 모든 트래픽을 전달하여 SAP 애플리케이션 및 데이터베이스 서버를 인터넷 또는 온-프레미스 네트워크에서 격리합니다. 피어링된 가상 네트워크는 Azure의 SAP 솔루션이 공용 인터넷에서 격리되도록 보장합니다.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/?source=recommendations" + }, + { + "category": "보안, 거버넌스 및 규정 준수", + "guid": "491ca1c4-3d40-42c0-9d85-b8933999590b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "severity": "낮다", + "subcategory": "안전", + "text": "SAP Fiori와 같은 인터넷 연결 애플리케이션의 경우 보안 수준을 유지하면서 애플리케이션 요구 사항에 따라 부하를 분산해야 합니다. 계층 7 보안의 경우 Azure Marketplace에서 사용할 수 있는 타사 WAF(Web Application Firewall)를 사용할 수 있습니다.", + "training": "https://learn.microsoft.com/training/modules/simplify-cloud-procurement-governance-azure-marketplace/?source=recommendations" + }, + { + "category": "보안, 거버넌스 및 규정 준수", + "guid": "9fc945b9-0527-47af-8200-9d652fe02fcc", + "link": "https://learn.microsoft.com/azure/sap/monitor/enable-tls-azure-monitor-sap-solutions", "severity": "보통", - "subcategory": "비밀", - "text": " " + "subcategory": "안전", + "text": "SAP용 Azure Monitor 솔루션에서 보안 통신을 사용하도록 설정하려면 루트 인증서 또는 서버 인증서를 사용하도록 선택할 수 있습니다. 루트 인증서를 사용하는 것이 좋습니다.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations" }, { "category": "보관", @@ -934,7 +1095,7 @@ "metadata": { "name": "Azure Landing Zone Review", "state": "Preview", - "timestamp": "November 24, 2023" + "timestamp": "January 11, 2024" }, "severities": [ { diff --git a/checklists/sap_checklist.pt.json b/checklists/sap_checklist.pt.json index fad52d784..cfbba1bcd 100644 --- a/checklists/sap_checklist.pt.json +++ b/checklists/sap_checklist.pt.json 
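Review bot: The entry with guid `5833fb4a-e3c2-4df7-9316-5c3acbe05bbe` still has `"text": " "` on the new side, with severity `보통` and the Key Vault best-practices link, so the checklist keeps a blank row that a reviewer cannot act on. It should either receive its recommendation text from the master or be dropped, as was done for the other blank entries in this commit. In the same hunk, the link for guid `4935ada4-2223-4ece-a1b1-23181a541741` changes to a `/ja-jp/` path inside the Korean file. The locale-neutral form it replaces, `"link": "https://learn.microsoft.com/azure/key-vault/general/best-practices"`, lets the site pick the reader's language. The resource-lock item (guid `829e2edb-2173-4676-aff6-691b4935ada4`) also carries the misspelling `Custome`.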
@@ -17,38 +17,6 @@ } ], "items": [ - { - "category": "Continuidade de negócios e recuperação de desastres", - "guid": "aff6691b-4935-4ada-9222-3ece81b12318", - "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-reports", - "severity": "Média", - "subcategory": " ", - "text": "Não combinar ASCS e cluster de banco de dados em uma única ou mesma VM" - }, - { - "category": "Continuidade de negócios e recuperação de desastres", - "guid": "1a541741-5833-4fb4-ae3c-2df743165c3a", - "link": "https://learn.microsoft.com/azure/azure-monitor/logs/logs-data-export?tabs=portal", - "severity": "Média", - "subcategory": " ", - "text": "Verifique se o IP flutuante está habilitado no balanceador de carga" - }, - { - "category": "Continuidade de negócios e recuperação de desastres", - "guid": "cbe05bbe-209d-4490-ba47-778424d11678", - "link": "https://learn.microsoft.com/azure/security-center/", - "severity": "Média", - "subcategory": " ", - "text": "Não misture servidores de funções diferentes no mesmo conjunto de disponibilidade. Mantenha VMs de serviços centrais, VMs de banco de dados, VMs de aplicativos em seus próprios conjuntos de disponibilidade" - }, - { - "category": "Continuidade de negócios e recuperação de desastres", - "guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2", - "link": "https://learn.microsoft.com/azure/security-center/", - "severity": "Média", - "subcategory": " ", - "text": "Use um grupo de posicionamento de proximidade por SAP SID. Os grupos não se estendem por zonas de disponibilidade ou regiões do Azure" - }, { "category": "Continuidade de negócios e recuperação de desastres", "guid": "80dc0591-cf65-4de8-b130-9cccd579266b", 
@@ -63,7 +31,7 @@ "link": "https://learn.microsoft.com/security/benchmark/azure/security-control-incident-response", "severity": "Média", "subcategory": " ", - "text": "Usar um SKU do Standard Load Balancer na frente de clusters ASCS e DB" + "text": "Usar uma SKU do Standard Load Balancer na frente de clusters ASCS e DB" }, { "category": "Continuidade de negócios e recuperação de desastres", @@ -71,7 +39,7 @@ "link": "https://www.microsoft.com/itshowcase/implementing-a-zero-trust-security-model-at-microsoft", "severity": "Média", "subcategory": " ", - "text": "Ambas as VMs no par de HA devem ser implantadas em um conjunto de disponibilidade, ou as zonas de disponibilidade devem ter o mesmo tamanho e a mesma configuração de armazenamento" + "text": "Ambas as VMs no par de HAs devem ser implantadas em um conjunto de disponibilidade, ou as zonas de disponibilidade devem ter o mesmo tamanho e a mesma configuração de armazenamento" }, { "category": "Continuidade de negócios e recuperação de desastres", @@ -94,7 +62,7 @@ "guid": "81b12318-1a54-4174-8583-3fb4ae3c2df7", "severity": "Média", "subcategory": " ", - "text": "O CIDR para a rede virtual primária (VNet) não deve entrar em conflito ou se sobrepor ao CIDR da Vnet do site de DR" + "text": "O CIDR para a rede virtual primária (VNet) não deve entrar em conflito ou se sobrepor ao CIDR da Vnet do site de recuperação de desastres" }, { "category": "Continuidade de negócios e recuperação de desastres", 
@@ -110,6 +78,129 @@ "subcategory": " ", "text": "A replicação de banco de dados nativo deve ser usada para sincronizar dados com o site de recuperação de desastres, em vez do Azure Site Recovery" }, + { + "category": "Continuidade de negócios e recuperação de desastres", + "guid": "8300cb30-766b-4084-b126-0dd8fb1269a1", + "link": "https://learn.microsoft.com/azure/sap/workloads/sap-high-availability-architecture-scenario", + "severity": "Alto", + "subcategory": "Alta disponibilidade", + "text": "Considere a disponibilidade do software SAP em relação a pontos únicos de falha. Isso inclui pontos únicos de falha em aplicativos como SGBDs utilizados nas arquiteturas SAP NetWeaver e SAP S/4HANA, SAP ABAP e ASCS + SCS. Além disso, outras ferramentas, como o SAP Web Dispatcher.", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/2-explore-high-availability-disaster-recovery-support-azure-for-sap-workloads?source=recommendations" + }, + { + "category": "Continuidade de negócios e recuperação de desastres", + "guid": "56402f11-ccbe-42c3-a2f6-c6f6f38ab579", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-supported-configurations", + "severity": "Alto", + "subcategory": "Alta disponibilidade", + "text": "Para bancos de dados SAP e SAP, considere a implementação de clusters de failover automático. No Windows, o Clustering de Failover do Windows Server oferece suporte a failover. 
No Linux, Linux Pacemaker ou ferramentas de terceiros como SIOS Protection Suite e Veritas InfoScale suportam failover.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations" + }, + { + "category": "Continuidade de negócios e recuperação de desastres", + "guid": "afae6bec-2671-49ae-bc69-140b8ec8d320", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", + "severity": "Alto", + "subcategory": "Alta disponibilidade", + "text": "O Azure não oferece suporte a arquiteturas nas quais as VMs primária e secundária compartilham armazenamento para dados DBMS. Para a camada DBMS, o padrão de arquitetura comum é replicar bancos de dados ao mesmo tempo e com pilhas de armazenamento diferentes daquelas que as VMs primária e secundária usam.", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/?source=recommendationshttps%3A%2F%2Flearn.microsoft.com%2Fja-jp%2Ftraining%2Fpaths%2Fensure-business-continuity-implement-disaster-recovery%2F%3Fsource%3Drecommendations" + }, + { + "category": "Continuidade de negócios e recuperação de desastres", + "guid": "ac614e95-6767-4bc3-b8a4-9953533da6ba", + "link": "https://learn.microsoft.com/azure/sap/workloads/dbms-guide-general", + "severity": "Alto", + "subcategory": "Alta disponibilidade", + "text": "Os dados do DBMS e os arquivos de log de transação/refazer são armazenados no armazenamento em bloco com suporte do Azure ou nos Arquivos do Azure NetApp. 
Os Arquivos do Azure ou os Arquivos Premium do Azure não têm suporte como armazenamento para dados DBMS e/ou arquivos de log de refazer com a carga de trabalho SAP.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-databases/2-explore-database-support-azure-for-sap-workloads" + }, + { + "category": "Continuidade de negócios e recuperação de desastres", + "guid": "1f737179-8e7f-4e1a-a30c-e5a649a3092b", + "link": "https://learn.microsoft.com/azure/sap/workloads/sap-high-availability-guide-wsfc-shared-disk", + "severity": "Alto", + "subcategory": "Alta disponibilidade", + "text": "Você pode usar discos compartilhados do Azure no Windows para componentes ASCS + SCS e cenários específicos de alta disponibilidade. Configure seus clusters de failover separadamente para componentes da camada de aplicativo SAP e a camada DBMS. No momento, o Azure não oferece suporte a arquiteturas de alta disponibilidade que combinam componentes da camada de aplicativo SAP e a camada DBMS em um cluster de failover.", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations" + }, + { + "category": "Continuidade de negócios e recuperação de desastres", + "guid": "a78b3d31-3170-44f2-b5d7-651a29f4ccf5", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-standard-load-balancer-outbound-connections", + "severity": "Alto", + "subcategory": "Alta disponibilidade", + "text": "A maioria dos clusters de failover para ASCS (Application Layer Components, componentes da camada de aplicativo) SAP e a camada DBMS exigem um endereço IP virtual para um cluster de failover. O Balanceador de Carga do Azure deve manipular o endereço IP virtual para todos os outros casos. Um princípio de design é usar um balanceador de carga por configuração de cluster. 
Recomendamos que você use a versão padrão do balanceador de carga (SKU do Standard Load Balancer).", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations" + }, + { + "category": "Continuidade de negócios e recuperação de desastres", + "guid": "1a541741-5833-4fb4-ae3c-2df743165c3a", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-ha-ports-overview?source=recommendations", + "severity": "Alto", + "subcategory": "Alta disponibilidade", + "text": "Verifique se o IP flutuante está habilitado no balanceador de carga", + "training": "https://learn.microsoft.com/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations" + }, + { + "category": "Continuidade de negócios e recuperação de desastres", + "guid": "c47cc4f3-f105-452c-845e-9b307b3856c1", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability", + "severity": "Alto", + "subcategory": "Alta disponibilidade", + "text": "Antes de implantar sua infraestrutura de alta disponibilidade, e dependendo da região escolhida, determine se deseja implantar com um conjunto de disponibilidade do Azure ou uma zona de disponibilidade.", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations" + }, + { + "category": "Continuidade de negócios e recuperação de desastres", + "guid": "844f69c3-07e5-4ec1-bff7-4be27bcf5fea", + "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", + "severity": "Alto", + "subcategory": "Alta disponibilidade", + "text": "Se desejar atender aos SLAs de infraestrutura de seus aplicativos para componentes SAP (serviços centrais, servidores de aplicativos e bancos de dados), você deverá escolher as mesmas opções de alta disponibilidade (VMs, conjuntos de disponibilidade, zonas de disponibilidade) para todos os componentes." 
+ }, + { + "category": "Continuidade de negócios e recuperação de desastres", + "guid": "cbe05bbe-209d-4490-ba47-778424d11678", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "severity": "Alto", + "subcategory": "Alta disponibilidade", + "text": "Não misture servidores de funções diferentes no mesmo conjunto de disponibilidade. Mantenha VMs de serviços centrais, VMs de banco de dados, VMs de aplicativos em seus próprios conjuntos de disponibilidade", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations" + }, + { + "category": "Continuidade de negócios e recuperação de desastres", + "guid": "f2201000-d045-40a6-a79a-d7cdc01b4d86", + "link": "https://learn.microsoft.com/azure/virtual-machines/co-location", + "severity": "Média", + "subcategory": "Alta disponibilidade", + "text": "Você não pode implantar conjuntos de disponibilidade do Azure em uma zona de disponibilidade do Azure, a menos que use grupos de posicionamento de proximidade.", + "training": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios" + }, + { + "category": "Continuidade de negócios e recuperação de desastres", + "guid": "9674e7c7-7796-4181-8920-09f4429543ba", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "severity": "Alto", + "subcategory": "Alta disponibilidade", + "text": "Ao criar conjuntos de disponibilidade, use o número máximo de domínios de falha e atualize domínios disponíveis. Por exemplo, se você implantar mais de duas VMs em um conjunto de disponibilidade, use o número máximo de domínios de falha (três) e domínios de atualização suficientes para limitar o efeito de possíveis falhas de hardware físico, interrupções de rede ou interrupções de energia, além da manutenção planejada do Azure. 
O número padrão de domínios de falha é dois e você não pode alterá-lo online mais tarde.", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations" + }, + { + "category": "Continuidade de negócios e recuperação de desastres", + "guid": "ae4ecb95-b70f-428f-8b9a-4c5b7e3478a2", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "severity": "Alto", + "subcategory": "Alta disponibilidade", + "text": "Quando você usa grupos de posicionamento de proximidade do Azure em uma implantação de conjunto de disponibilidade, todos os três componentes SAP (serviços centrais, servidor de aplicativos e banco de dados) devem estar no mesmo grupo de posicionamento de proximidade." + }, + { + "category": "Continuidade de negócios e recuperação de desastres", + "guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "severity": "Alto", + "subcategory": "Alta disponibilidade", + "text": "Use um grupo de posicionamento de proximidade por SAP SID. Os grupos não se estendem por zonas de disponibilidade ou regiões do Azure" + }, { "category": "Calcular", "guid": "2829e2ed-b217-4367-9aff-6691b4935ada", @@ -166,7 +257,7 @@ "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", "severity": "Média", "subcategory": "Identidade", - "text": "Você pode implementar o SSO para SAP GUI usando o SAP NetWeaver SSO ou uma solução de parceiro.", + "text": "Você pode implementar o SSO no SAP GUI usando o SAP NetWeaver SSO ou uma solução de parceiro.", "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver" }, { 
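Review bot: The `training` value added for guid `afae6bec-2671-49ae-bc69-140b8ec8d320` is two URLs run together: after `?source=recommendations` it continues with a percent-encoded copy of the same page under `ja-jp`. The query string is therefore malformed and the link may not resolve as intended. It should be `"training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/?source=recommendations"`. Because the file appears to be generated, the fix presumably belongs in the English master. The new entries also use `"severity": "Alto"` where the existing ones use `Média`; the `severities` list is outside this hunk, so confirm `Alto` is one of its values.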
@@ -308,7 +399,7 @@ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-resource-organization", "severity": "Média", "subcategory": "Assinaturas", - "text": "Aproveite a marca de recurso do Azure para categorização de custos e agrupamento de recursos (: BillTo, Departamento (ou Unidade de Negócios), Ambiente (Produção, Estágio, Desenvolvimento), Camada (Camada da Web, Camada de Aplicativo), Proprietário do Aplicativo, Nome do Projeto)", + "text": "Aproveite a marca de recurso do Azure para categorização de custos e agrupamento de recursos (: BillTo, Departamento (ou Unidade de Negócios), Ambiente (Produção, Estágio, Desenvolvimento), Camada (Camada da Web, Camada de Aplicativo), Proprietário do Aplicativo, ProjectName)", "training": "https://learn.microsoft.com/training/paths/implement-resource-mgmt-security/" }, { @@ -326,7 +417,7 @@ "link": "https://learn.microsoft.com/azure/azure-netapp-files/azacsnap-introduction", "severity": "Média", "subcategory": "BCDR", - "text": "Se você implantar o Azure NetApp Files para seu banco de dados HANA, Oracle ou DB2, use a ferramenta Azure Application Consistent Snapshot (AzAcSnap) para tirar instantâneos consistentes com o aplicativo. O AzAcSnap também suporta bancos de dados Oracle. Considere usar o AzAcSnap em uma VM central em vez de em VMs individuais." + "text": "Se você implantar os Arquivos NetApp do Azure para seu banco de dados HANA, Oracle ou DB2, use a ferramenta Azure Application Consistent Snapshot (AzAcSnap) para tirar instantâneos consistentes com o aplicativo. O AzAcSnap também suporta bancos de dados Oracle. Considere usar o AzAcSnap em uma VM central em vez de em VMs individuais." }, { "category": "Gestão e Monitoramento", 
@@ -342,7 +433,7 @@ "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-multi-sid", "severity": "Média", "subcategory": "Gestão", - "text": "Não agrupe serviços de aplicativos diferentes no mesmo cluster. Por exemplo, não combine clusters de serviços centrais e DRBD no mesmo cluster. No entanto, você pode usar o mesmo cluster do Pacemaker para gerenciar aproximadamente cinco serviços centrais diferentes (cluster multi-SID).", + "text": "Não agrupe serviços de aplicativos diferentes no mesmo cluster. Por exemplo, não combine clusters DRBD e de serviços centrais no mesmo cluster. No entanto, você pode usar o mesmo cluster do Pacemaker para gerenciar aproximadamente cinco serviços centrais diferentes (cluster multi-SID).", "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations" }, { @@ -359,7 +450,7 @@ "link": "https://learn.microsoft.com/azure/lighthouse/overview", "severity": "Média", "subcategory": "Gestão", - "text": "Se você faz parceria com clientes gerenciando suas propriedades SAP, considere o Farol do Azure. O Azure Lighthouse permite que os provedores de serviços gerenciados usem os serviços de identidade nativos do Azure para se autenticar no ambiente dos clientes. Ele coloca o controle nas mãos dos clientes, pois eles podem revogar o acesso a qualquer momento e auditar as ações dos prestadores de serviços." + "text": "Se você faz parceria com clientes gerenciando suas propriedades SAP, considere o Farol do Azure. O Azure Lighthouse permite que os provedores de serviços gerenciados usem os serviços de identidade nativos do Azure para se autenticar no ambiente dos clientes. Ele coloca o controle nas mãos dos clientes, porque eles podem revogar o acesso a qualquer momento e auditar as ações dos prestadores de serviços." }, { "category": "Gestão e Monitoramento", 
@@ -385,7 +476,7 @@
 "link": "https://learn.microsoft.com/azure/sap/monitor/about-azure-monitor-sap-solutions",
 "severity": "Média",
 "subcategory": "Monitorização",
- "text": "Use o Azure Monitor para soluções SAP para monitorar suas cargas de trabalho SAP (SAP HANA, clusters SUSE de alta disponibilidade e sistemas SQL) no Azure. Considere complementar o Azure Monitor para soluções SAP com o SAP Solution Manager.",
+ "text": "Use as soluções do Azure Monitor for SAP para monitorar suas cargas de trabalho SAP (SAP HANA, clusters SUSE de alta disponibilidade e sistemas SQL) no Azure. Considere complementar o Azure Monitor para soluções SAP com o SAP Solution Manager.",
 "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations"
 },
 {
@@ -534,7 +625,7 @@
 "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity",
 "severity": "Média",
 "subcategory": "DNS",
- "text": "Se o DNS ou o nome virtual da máquina virtual não for alterado durante a migração para o Azure, o DNS em segundo plano e os nomes virtuais conectam muitas interfaces do sistema no cenário SAP, e os clientes só às vezes estão cientes das interfaces que os desenvolvedores definem ao longo do tempo. Os desafios de conexão surgem entre vários sistemas quando os nomes virtuais ou DNS são alterados após as migrações, e é recomendável manter os aliases DNS para evitar esses tipos de dificuldades.",
+ "text": "Se o DNS ou o nome virtual da máquina virtual não for alterado durante a migração para o Azure, o DNS em segundo plano e os nomes virtuais conectam muitas interfaces do sistema no cenário SAP, e os clientes só às vezes estão cientes das interfaces que os desenvolvedores definem ao longo do tempo. Surgem desafios de conexão entre vários sistemas quando os nomes virtuais ou DNS mudam após as migrações, e é recomendável manter os aliases DNS para evitar esses tipos de dificuldades.",
 "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution"
 },
 {
@@ -543,7 +634,7 @@
 "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity",
 "severity": "Média",
 "subcategory": "DNS",
- "text": "Use zonas DNS diferentes para distinguir cada ambiente (sandbox, desenvolvimento, pré-produção e produção) uns dos outros. A exceção é para implantações SAP com sua própria VNet; aqui, zonas DNS privadas podem não ser necessárias.",
+ "text": "Use zonas DNS diferentes para distinguir cada ambiente (sandbox, desenvolvimento, pré-produção e produção) um do outro. A exceção é para implantações SAP com sua própria VNet; aqui, zonas DNS privadas podem não ser necessárias.",
 "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution"
 },
 {
@@ -588,7 +679,7 @@
 "link": "https://learn.microsoft.com/azure/architecture/networking/hub-spoke-vwan-architecture",
 "severity": "Média",
 "subcategory": "Híbrido",
- "text": "A WAN virtual gerencia a conectividade entre VNets spoke para topologias baseadas em WAN virtual (não há necessidade de configurar o roteamento definido pelo usuário [UDR] ou NVAs) e a taxa de transferência máxima de rede para o tráfego de VNet-to-VNet no mesmo hub virtual é de 50 gigabits por segundo. Se necessário, as zonas de aterrissagem SAP podem usar o emparelhamento de VNet para se conectar a outras zonas de aterrissagem e superar essa limitação de largura de banda.",
+ "text": "A WAN virtual gerencia a conectividade entre VNets spoke para topologias baseadas em WAN virtual (não há necessidade de configurar o roteamento definido pelo usuário [UDR] ou NVAs), e a taxa de transferência máxima de rede para o tráfego de VNet-to-VNet no mesmo hub virtual é de 50 gigabits por segundo. Se necessário, as zonas de aterrissagem SAP podem usar o emparelhamento de VNet para se conectar a outras zonas de aterrissagem e superar essa limitação de largura de banda.",
 "training": "https://learn.microsoft.com/training/modules/hub-and-spoke-network-architecture/?source=recommendations"
 },
 {
@@ -624,7 +715,7 @@
 "link": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-delegate-subnet",
 "severity": "Média",
 "subcategory": "Plano IP",
- "text": "Embora o Azure ajude você a criar várias sub-redes delegadas em uma rede virtual, somente uma sub-rede delegada pode existir em uma rede virtual para arquivos do Azure NetApp. As tentativas de criar um novo volume falharão se você usar mais de uma sub-rede delegada para Arquivos do Azure NetApp.",
+ "text": "Embora o Azure ajude você a criar várias sub-redes delegadas em uma rede virtual, apenas uma sub-rede delegada pode existir em uma rede virtual para arquivos do Azure NetApp. As tentativas de criar um novo volume falharão se você usar mais de uma sub-rede delegada para Arquivos do Azure NetApp.",
 "training": "https://learn.microsoft.com/azure/azure-netapp-files/azure-netapp-files-network-topologies?source=recommendations"
 },
 {
@@ -660,7 +751,7 @@
 "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview",
 "severity": "Média",
 "subcategory": "Internet",
- "text": "Aproveite as políticas do Firewall de Aplicativo Web no Azure Front Door ao usar o Azure Front Door e o Gateway de Aplicativo para proteger aplicativos HTTP/S. Bloqueie o Gateway de Aplicativo para receber tráfego somente do Azure Front Door.",
+ "text": "Aproveite as políticas do Web Application Firewall no Azure Front Door quando estiver usando o Azure Front Door e o Application Gateway para proteger aplicativos HTTP/S. Bloqueie o Gateway de Aplicativo para receber tráfego somente do Azure Front Door.",
 "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations"
 },
 {
@@ -705,7 +796,7 @@
 "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-multivip-overview",
 "severity": "Média",
 "subcategory": "Segmentação",
- "text": "Verifique se as implantações internas do Balanceador de Carga do Azure estão configuradas para usar o DSR (Direct Server Return). Essa configuração reduzirá a latência quando as configurações internas do balanceador de carga forem usadas para configurações de alta disponibilidade na camada DBMS.",
+ "text": "Verifique se as implantações internas do Azure Load Balancer estão configuradas para usar DSR (Direct Server Return). Essa configuração reduzirá a latência quando as configurações internas do balanceador de carga forem usadas para configurações de alta disponibilidade na camada DBMS.",
 "training": "https://learn.microsoft.com/ja-jp/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations"
 },
 {
@@ -714,7 +805,7 @@
 "link": "https://learn.microsoft.com/azure/virtual-network/network-security-group-how-it-works",
 "severity": "Média",
 "subcategory": "Segmentação",
- "text": "Você pode usar regras ASG (grupo de segurança de aplicativo) e NSG para definir listas de controle de acesso de segurança de rede entre o aplicativo SAP e as camadas DBMS. Os ASGs agrupam máquinas virtuais para ajudar a gerenciar sua segurança.",
+ "text": "Você pode usar as regras ASG (grupo de segurança de aplicativo) e NSG para definir listas de controle de acesso de segurança de rede entre o aplicativo SAP e as camadas DBMS. Os ASGs agrupam máquinas virtuais para ajudar a gerenciar sua segurança.",
 "training": "https://learn.microsoft.com/training/modules/configure-network-security-groups/?source=recommendations"
 },
 {
@@ -777,55 +868,60 @@ "link": "https://learn.microsoft.com/azure/sap/workloads/rise-integration", "severity": "Média", "subcategory": "Segmentação", - "text": "Para implantações SAP RISE/ECS, o emparelhamento virtual é a maneira preferencial de estabelecer conectividade com o ambiente existente do Azure do cliente. Tanto a vnet do SAP quanto a(s) vnet(s) do cliente são protegidas com grupos de segurança de rede (NSG), permitindo a comunicação nas portas SAP e de banco de dados por meio do emparelhamento vnet" + "text": "Para implantações SAP RISE/ECS, o emparelhamento virtual é a maneira preferida de estabelecer conectividade com o ambiente existente do Azure do cliente. Tanto a vnet do SAP quanto a(s) vnet(s) do cliente são protegidas com grupos de segurança de rede (NSG), permitindo a comunicação nas portas SAP e de banco de dados por meio do emparelhamento vnet" }, { "category": "Segurança, Governança e Compliance", - "guid": "209d490d-a477-4784-84d1-16785d2fa56c", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "severity": "Alto", + "guid": "18dffcf3-248c-4039-a67c-dec8e3a5f804", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", + "severity": "Média", "subcategory": "Governança", - "text": "Personalizar funções RBAC (controle de acesso baseado em função) para SAP em assinaturas do Azure spoke para evitar alterações acidentais relacionadas à rede" + "text": "Se você executar VMs do Windows e Linux no Azure, no local ou em outros ambientes de nuvem, poderá usar o Centro de gerenciamento de atualizações na Automação do Azure para gerenciar atualizações do sistema operacional, incluindo patches de segurança.", + "training": "https://learn.microsoft.com/azure/automation/update-management/overview" }, { "category": "Segurança, Governança e Compliance", - "guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", + 
"guid": "08951710-79a2-492a-adbc-06d7a401545b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", "severity": "Média", "subcategory": "Governança", - "text": "Isole DMZs e NVAs do restante do estado SAP, configure o Azure Private Link e gerencie e controle com segurança os recursos do SAP no Azure" + "text": "Analise rotineiramente as notas de OSS de segurança do SAP porque o SAP lança patches de segurança altamente críticos, ou hot fixes, que exigem ação imediata para proteger seus sistemas SAP.", + "training": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html" }, { "category": "Segurança, Governança e Compliance", - "guid": "cf65de8e-1309-4ccc-b579-266bcca275fa", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "severity": "Média", + "guid": "1b8b394e-ae64-4a74-8933-357b523ea0a0", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "severity": "Baixo", "subcategory": "Governança", - "text": "Para criptografia do servidor de banco de dados SAP, use a tecnologia de criptografia nativa do SAP HANA. Se você estiver usando o Banco de Dados SQL do Azure, use a TDE (Criptografia de Dados Transparente) oferecida pelo provedor DBMS para proteger seus dados e arquivos de log e garantir que os backups também sejam criptografados." + "text": "Para SAP no SQL Server, você pode desabilitar a conta de administrador do sistema do SQL Server porque os sistemas SAP no SQL Server não usam a conta. Certifique-se de que outro usuário com direitos de administrador do sistema possa acessar o servidor antes de desabilitar a conta de administrador do sistema original." 
}, { "category": "Segurança, Governança e Compliance", - "guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "severity": "Média", + "guid": "5a76a033-ced9-4eef-9a43-5e4f96634c8e", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "severity": "Alto", "subcategory": "Governança", - "text": "A criptografia do Armazenamento do Azure está habilitada por padrão" + "text": "Desative xp_cmdshell. O recurso do SQL Server xp_cmdshell habilita um shell de comando do sistema operacional interno do SQL Server. É um risco potencial em auditorias de segurança.", + "training": "https://me.sap.com/notes/3019299/E" }, { "category": "Segurança, Governança e Compliance", - "guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "severity": "Média", - "subcategory": "Governança", - "text": " " + "guid": "cf65de8e-1309-4ccc-b579-266bcca275fa", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "severity": "Alto", + "subcategory": "Segredos", + "text": "A criptografia de servidores de banco de dados SAP HANA no Azrue usa a tecnologia de criptografia nativa do SAP HANA. 
Além disso, se você estiver usando o SQL Server no Azure, use a TDE (Criptografia de Dados Transparente) para proteger seus dados e arquivos de log e garantir que seus backups também sejam criptografados.", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security" }, { "category": "Segurança, Governança e Compliance", - "guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a", + "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", "severity": "Média", - "subcategory": "Governança", - "text": " " + "subcategory": "Segredos", + "text": "A criptografia de Armazenamento do Azure está habilitada para todas as contas clássicas e do Gerenciador de Recursos do Azure e não pode ser desabilitada. Como seus dados são criptografados por padrão, você não precisa modificar seu código ou aplicativos para usar a criptografia do Armazenamento do Azure.", + "training": "https://learn.microsoft.com/training/modules/encrypt-sector-data/?source=recommendations" }, { "category": "Segurança, Governança e Compliance", 
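Review bot: The rewritten text for item `cf65de8e-1309-4ccc-b579-266bcca275fa` misspells the platform name as `Azrue` ("servidores de banco de dados SAP HANA no Azrue"); it should read `Azure`. Because the typo sits inside a product name, it presumably comes from the English master rather than from the translation step, so correcting it there would fix every regenerated language file. The items array starts and continues outside this hunk.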
@@ -833,95 +929,160 @@ "link": "https://learn.microsoft.com/azure/key-vault/general/overview", "severity": "Alto", "subcategory": "Segredos", - "text": "Usar o Cofre de Chaves do Azure para armazenar seus segredos e credenciais" + "text": "Usar o Cofre de Chaves do Azure para armazenar seus segredos e credenciais", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations" }, { "category": "Segurança, Governança e Compliance", "guid": "829e2edb-2173-4676-aff6-691b4935ada4", - "link": "https://learn.microsoft.com/azure/key-vault/general/overview-throttling", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", "severity": "Média", "subcategory": "Segredos", - "text": "É recomendável BLOQUEAR os Recursos do Azure após a implantação bem-sucedida para proteger contra alterações não autorizadas" + "text": "É recomendável BLOQUEAR os Recursos do Azure após a implantação bem-sucedida para proteger contra alterações não autorizadas. Você também pode impor restrições e regras LOCK em sua base por assinatura usando políticas personalizadas do Azure (função Personalizada).", + "training": "https://learn.microsoft.com/training/modules/use-azure-resource-manager/?source=recommendations" }, { "category": "Segurança, Governança e Compliance", "guid": "2223ece8-1b12-4318-8a54-17415833fb4a", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", "severity": "Média", "subcategory": "Segredos", - "text": "Provisione o Cofre de Chaves do Azure com as políticas de exclusão e limpeza suaves habilitadas para permitir a proteção de retenção para objetos excluídos." 
+ "text": "Provisione o Cofre de Chaves do Azure com as políticas de exclusão e limpeza suaves habilitadas para permitir a proteção de retenção para objetos excluídos.", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations" }, { "category": "Segurança, Governança e Compliance", "guid": "e3c2df74-3165-4c3a-abe0-5bbe209d490d", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "severity": "Média", + "link": "https://learn.microsoft.com/azure/role-based-access-control/security-controls-policy", + "severity": "Alto", "subcategory": "Segredos", - "text": "Com base nos requisitos existentes, controles normativos e de conformidade (internos/externos) - Determine quais Políticas do Azure e a função RBAC do Azure são necessárias" + "text": "Com base nos requisitos existentes, controles normativos e de conformidade (internos/externos) - Determine quais Políticas do Azure e a função RBAC do Azure são necessárias", + "training": "https://learn.microsoft.com/training/paths/describe-azure-management-governance/?source=recommendations" }, { "category": "Segurança, Governança e Compliance", "guid": "a4777842-4d11-4678-9d2f-a56c56ad4840", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "severity": "Média", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "severity": "Alto", "subcategory": "Segredos", - "text": "Ao habilitar o Microsoft Defender for Cloud Standard for SAP, certifique-se de excluir os servidores de banco de dados SAP de qualquer política que instale a proteção de ponto de extremidade." + "text": "Ao habilitar o Microsoft Defender for Endpoint no ambiente SAP, recomende excluir arquivos de dados e de log em servidores DBMS em vez de direcionar todos os servidores. 
Siga as recomendações do fornecedor do DBMS ao excluir arquivos de destino.", + "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/microsoft-defender-endpoint-mde-for-sap-applications-on-windows/ba-p/3912268" }, { "category": "Segurança, Governança e Compliance", "guid": "8fe72734-c486-4ba2-a0dc-0591cf65de8e", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "severity": "Média", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks", + "severity": "Alto", "subcategory": "Segredos", - "text": "Delegue uma função personalizada de administrador SAP com acesso just-in-time." + "text": "Delegue uma função personalizada de administrador SAP com acesso just-in-time do Microsoft Defender for Cloud.", + "training": "https://learn.microsoft.com/training/modules/secure-vms-with-azure-security-center/?source=recommendations" }, { "category": "Segurança, Governança e Compliance", "guid": "1309cccd-5792-466b-aca2-75faa1abfe9d", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "severity": "Média", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "severity": "Baixo", "subcategory": "Segredos", - "text": "criptografar dados em trânsito integrando o produto de segurança de terceiros com comunicações de rede seguras (SNC) para DIAG (SAP GUI), RFC e SPNEGO para HTTPS" + "text": "criptografar dados em trânsito integrando o produto de segurança de terceiros com comunicações de rede seguras (SNC) para DIAG (SAP GUI), RFC e SPNEGO para HTTPS", + "training": "https://learn.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit" }, { "category": "Segurança, Governança e Compliance", - "guid": "55d04c3c-4919-4cb1-a3d1-325ae124ba34", - "link": 
"https://learn.microsoft.com/azure/key-vault/general/best-practices", + "guid": "eeaa3592-829e-42ed-a217-3676aff6691b", + "link": "https://learn.microsoft.com/azure/storage/common/storage-encryption-key-model-get?tabs=portal", "severity": "Média", "subcategory": "Segredos", - "text": "O Azure Active Directory (Azure AD) com SAML 2.0 também pode fornecer SSO para uma variedade de aplicativos e plataformas SAP, como SAP NetWeaver, SAP HANA e SAP Cloud Platform" + "text": "O padrão é chaves gerenciadas pela Microsoft para a funcionalidade de criptografia principal e use chaves gerenciadas pelo cliente quando necessário.", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations" }, { "category": "Segurança, Governança e Compliance", - "guid": "df685edd-ce9b-4d3b-a0cd-b3b55eb2ec14", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "severity": "Média", + "guid": "4935ada4-2223-4ece-a1b1-23181a541741", + "link": "https://learn.microsoft.com/ja-jp/azure/key-vault/general/best-practices", + "severity": "Alto", "subcategory": "Segredos", - "text": "Certifique-se de proteger o sistema operacional para erradicar vulnerabilidades que podem levar a ataques no banco de dados SAP." 
+ "text": "Use um Cofre de Chaves do Azure por aplicativo, por ambiente, por região.", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations" }, { "category": "Segurança, Governança e Compliance", - "guid": "eeaa3592-829e-42ed-a217-3676aff6691b", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "severity": "Média", + "guid": "abc9634d-c44d-41e9-a530-e8444e16aa3c", + "link": "https://learn.microsoft.com/azure/key-vault/certificates/certificate-scenarios", + "severity": "Alto", "subcategory": "Segredos", - "text": "O padrão é chaves gerenciadas pela Microsoft para a funcionalidade de criptografia principal e use chaves gerenciadas pelo cliente quando necessário." + "text": "Para controlar e gerenciar chaves de criptografia de disco e segredos para sistemas operacionais Windows e não Windows HANA, use o Cofre de Chaves do Azure. O SAP HANA não tem suporte com o Cofre de Chaves do Azure, portanto, você deve usar métodos alternativos, como chaves SAP ABAP ou SSH.", + "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/?source=recommendations" }, { "category": "Segurança, Governança e Compliance", - "guid": "4935ada4-2223-4ece-a1b1-23181a541741", + "guid": "5833fb4a-e3c2-4df7-9316-5c3acbe05bbe", "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", "severity": "Média", "subcategory": "Segredos", - "text": "Use um Cofre de Chaves do Azure por aplicativo, por ambiente, por região." 
+ "text": " " }, { "category": "Segurança, Governança e Compliance", - "guid": "5833fb4a-e3c2-4df7-9316-5c3acbe05bbe", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "guid": "209d490d-a477-4784-84d1-16785d2fa56c", + "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles", + "severity": "Alto", + "subcategory": "Segurança", + "text": "Personalizar funções RBAC (controle de acesso baseado em função) para SAP em assinaturas spoke do Azure para evitar alterações acidentais relacionadas à rede", + "training": "https://learn.microsoft.com/training/modules/secure-azure-resources-with-rbac/?source=recommendations" + }, + { + "category": "Segurança, Governança e Compliance", + "guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591", + "link": "https://blogs.sap.com/2019/07/21/sap-security-operations-on-azure/", + "severity": "Alto", + "subcategory": "Segurança", + "text": "Isole DMZs e NVAs do restante do estado SAP, configure o Azure Private Link e gerencie e controle com segurança os recursos do SAP no Azure", + "training": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/secure-vnet-dmz?tabs=portal" + }, + { + "category": "Segurança, Governança e Compliance", + "guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5", + "link": "https://learn.microsoft.com/en-us/training/modules/secure-vms-with-azure-security-center/?source=recommendations", + "severity": "Baixo", + "subcategory": "Segurança", + "text": "Considere usar o software antimalware da Microsoft no Azure para proteger suas máquinas virtuais contra arquivos mal-intencionados, adware e outras ameaças.", + "training": "https://azure.microsoft.com/blog/deploying-antimalware-solutions-on-azure-virtual-machines/" + }, + { + "category": "Segurança, Governança e Compliance", + "guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676", + "link": 
"https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide", + "severity": "Baixo", + "subcategory": "Segurança", + "text": "Para obter uma proteção ainda mais poderosa, considere usar o Microsoft Defender for Endpoint.", + "training": "https://learn.microsoft.com/training/modules/implement-endpoint-protection-use-microsoft-defender/?source=recommendations" + }, + { + "category": "Segurança, Governança e Compliance", + "guid": "87a924c4-25c2-419f-a2f0-96c7c4fe4525", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", + "severity": "Alto", + "subcategory": "Segurança", + "text": "Isole os servidores de aplicativo e banco de dados SAP da Internet ou da rede local passando todo o tráfego pela rede virtual de hub, que está conectada à rede spoke por emparelhamento de rede virtual. As redes virtuais emparelhadas garantem que a solução SAP no Azure seja isolada da Internet pública.", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/?source=recommendations" + }, + { + "category": "Segurança, Governança e Compliance", + "guid": "491ca1c4-3d40-42c0-9d85-b8933999590b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "severity": "Baixo", + "subcategory": "Segurança", + "text": "Para aplicativos voltados para a Internet, como o SAP Fiori, certifique-se de distribuir a carga por requisitos de aplicativo, mantendo os níveis de segurança. 
Para segurança de Camada 7, você pode usar um WAF (Web Application Firewall) de terceiros disponível no Azure Marketplace.", + "training": "https://learn.microsoft.com/training/modules/simplify-cloud-procurement-governance-azure-marketplace/?source=recommendations" + }, + { + "category": "Segurança, Governança e Compliance", + "guid": "9fc945b9-0527-47af-8200-9d652fe02fcc", + "link": "https://learn.microsoft.com/azure/sap/monitor/enable-tls-azure-monitor-sap-solutions", "severity": "Média", - "subcategory": "Segredos", - "text": " " + "subcategory": "Segurança", + "text": "Para habilitar a comunicação segura no Azure Monitor para soluções SAP, você pode optar por usar um certificado raiz ou um certificado de servidor. É altamente recomendável que você use certificados raiz.", + "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations" }, { "category": "Armazenamento", @@ -934,7 +1095,7 @@ "metadata": { "name": "Azure Landing Zone Review", "state": "Preview", - "timestamp": "November 24, 2023" + "timestamp": "January 11, 2024" }, "severities": [ { diff --git a/checklists/sap_checklist.zh-Hant.json b/checklists/sap_checklist.zh-Hant.json index 9b0e064a0..f45ce677b 100644 --- a/checklists/sap_checklist.zh-Hant.json +++ b/checklists/sap_checklist.zh-Hant.json 
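Review bot: The entry with guid `5833fb4a-e3c2-4df7-9316-5c3acbe05bbe` is kept on the new side with `"text": " "`, severity `Média` and the Key Vault best-practices link, so the checklist carries a rated security item that states no control to verify. Either restore its recommendation text from the English master or drop the entry until it has one. Separately, the new link for `4935ada4-2223-4ece-a1b1-23181a541741` is pinned to the `/ja-jp/` locale and the one for `e124ba34-df68-45ed-bce9-bd3bb0cdb3b5` to `/en-us/`, while the other links in this hunk are locale-neutral, e.g. `https://learn.microsoft.com/azure/key-vault/general/best-practices`. The items array starts and continues outside this hunk.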
@@ -17,38 +17,6 @@
 }
 ],
 "items": [
- {
- "category": "業務連續性和災難恢復",
- "guid": "aff6691b-4935-4ada-9222-3ece81b12318",
- "link": "https://learn.microsoft.com/azure/active-directory/reports-monitoring/overview-reports",
- "severity": "中等",
- "subcategory": " ",
- "text": "不要將 ASCS 和資料庫群集合並到單個/同一 VM 上"
- },
- {
- "category": "業務連續性和災難恢復",
- "guid": "1a541741-5833-4fb4-ae3c-2df743165c3a",
- "link": "https://learn.microsoft.com/azure/azure-monitor/logs/logs-data-export?tabs=portal",
- "severity": "中等",
- "subcategory": " ",
- "text": "確保在負載均衡器上啟用了浮動IP"
- },
- {
- "category": "業務連續性和災難恢復",
- "guid": "cbe05bbe-209d-4490-ba47-778424d11678",
- "link": "https://learn.microsoft.com/azure/security-center/",
- "severity": "中等",
- "subcategory": " ",
- "text": "不要在同一可用性集中混合使用不同角色的伺服器。將中央服務 VM、資料庫 VM、應用程式 VM 保留在其自己的可用性集中"
- },
- {
- "category": "業務連續性和災難恢復",
- "guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2",
- "link": "https://learn.microsoft.com/azure/security-center/",
- "severity": "中等",
- "subcategory": " ",
- "text": "每個 SAP SID 使用一個鄰近放置組。組不跨可用性區域或 Azure 區域"
- },
 {
 "category": "業務連續性和災難恢復",
 "guid": "80dc0591-cf65-4de8-b130-9cccd579266b",
@@ -94,14 +62,14 @@
 "guid": "81b12318-1a54-4174-8583-3fb4ae3c2df7",
 "severity": "中等",
 "subcategory": " ",
- "text": "主虛擬網路 (VNet) 的 CIDR 不應與 DR 網站的 Vnet 的 CIDR 衝突或重疊"
+ "text": "主虛擬網路 (VNet) 的 CIDR 不應與DR網站的 VNet 的 CIDR 衝突或重疊"
 },
 {
 "category": "業務連續性和災難恢復",
 "guid": "43165c3a-cbe0-45bb-b209-d490da477784",
 "severity": "中等",
 "subcategory": " ",
- "text": "使用 Site Recovery 將應用程式伺服器複製到 DR 網站。Site Recovery 還有助於將中心服務群集 VM 複製到DR網站。調用DR時,需要在DR網站上重新配置Linux Pacemaker群集(例如,替換VIP或SBD、運行 corosync.conf等)。"
+ "text": "使用 Site Recovery 將應用程式伺服器複製到 DR 網站。Site Recovery 還有助於將中心服務群集 VM 複製到DR網站。調用DR時,需要在DR網站上重新配置Linux Pacemaker群集(例如,替換VIP或SBD、運行 corosync.conf 等)。"
 },
 {
 "category": "業務連續性和災難恢復",
@@ -110,6 +78,129 @@ "subcategory": " ", "text": "應使用本機資料庫複製將數據同步到DR網站,而不是 Azure Site Recovery" }, + { + "category": "業務連續性和災難恢復", + "guid": "8300cb30-766b-4084-b126-0dd8fb1269a1", + "link": "https://learn.microsoft.com/azure/sap/workloads/sap-high-availability-architecture-scenario", + "severity": "高", + "subcategory": "高可用性", + "text": "考慮針對單點故障的 SAP 軟體的可用性。這包括應用程式內的單點故障,例如 SAP NetWeaver 和 SAP S/4HANA 架構中使用的 DBMS、SAP ABAP 和 ASCS + SCS。此外,還有其他工具,例如 SAP Web Dispatcher。", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/2-explore-high-availability-disaster-recovery-support-azure-for-sap-workloads?source=recommendations" + }, + { + "category": "業務連續性和災難恢復", + "guid": "56402f11-ccbe-42c3-a2f6-c6f6f38ab579", + "link": "https://learn.microsoft.com/azure/sap/workloads/planning-supported-configurations", + "severity": "高", + "subcategory": "高可用性", + "text": "對於 SAP 和 SAP 資料庫,請考慮實現自動故障轉移群集。在 Windows 中,Windows Server 故障轉移群集支援故障轉移。在 Linux 中,Linux Pacemaker 或第三方工具(如 SIOS Protection Suite 和 Veritas InfoScale)支援故障轉移。", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations" + }, + { + "category": "業務連續性和災難恢復", + "guid": "afae6bec-2671-49ae-bc69-140b8ec8d320", + "link": "https://learn.microsoft.com/azure/sap/workloads/disaster-recovery-sap-guide?tabs=windows", + "severity": "高", + "subcategory": "高可用性", + "text": "Azure 不支援主 VM 和輔助 VM 共用 DBMS 數據存儲的體系結構。對於 DBMS 層,常見的體系結構模式是同時複製資料庫,並使用與主 VM 和輔助 VM 使用的儲存堆疊不同的儲存堆疊。", + "training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/?source=recommendationshttps%3A%2F%2Flearn.microsoft.com%2Fja-jp%2Ftraining%2Fpaths%2Fensure-business-continuity-implement-disaster-recovery%2F%3Fsource%3Drecommendations" + }, + { + "category": "業務連續性和災難恢復", + "guid": "ac614e95-6767-4bc3-b8a4-9953533da6ba", + "link": "https://learn.microsoft.com/azure/sap/workloads/dbms-guide-general", 
+ "severity": "高", + "subcategory": "高可用性", + "text": "DBMS 數據和事務/重做日誌檔存儲在 Azure 支援的塊存儲或 Azure NetApp 檔中。不支援將 Azure 檔案儲存或 Azure 高級檔儲存作為 SAP 工作負載的 DBMS 資料和/或重做日誌檔的存儲。", + "training": "https://learn.microsoft.com/training/modules/explore-azure-databases/2-explore-database-support-azure-for-sap-workloads" + }, + { + "category": "業務連續性和災難恢復", + "guid": "1f737179-8e7f-4e1a-a30c-e5a649a3092b", + "link": "https://learn.microsoft.com/azure/sap/workloads/sap-high-availability-guide-wsfc-shared-disk", + "severity": "高", + "subcategory": "高可用性", + "text": "可以在 Windows 中將 Azure 共用磁碟用於 ASCS + SCS 元件和特定的高可用性方案。為 SAP 應用程式層元件和 DBMS 層單獨設置故障轉移群集。Azure 目前不支援將 SAP 應用程式層元件和 DBMS 層合併到一個故障轉移群集中的高可用性體系結構。", + "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations" + }, + { + "category": "業務連續性和災難恢復", + "guid": "a78b3d31-3170-44f2-b5d7-651a29f4ccf5", + "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-standard-load-balancer-outbound-connections", + "severity": "高", + "subcategory": "高可用性", + "text": "SAP 應用程式層元件 (ASCS) 和 DBMS 層的大多數故障轉移群集都需要故障轉移群集的虛擬 IP 位址。 對於所有其他情況,Azure 負載均衡器應處理虛擬IP位址。一個設計原則是每個群集配置使用一個負載均衡器。建議使用負載均衡器的標準版本(標準負載均衡器 SKU)。", + "training": "https://learn.microsoft.com/training/modules/implement-high-availability-for-sap-workloads-azure/?source=recommendations" + }, + { + "category": "業務連續性和災難恢復", + "guid": "1a541741-5833-4fb4-ae3c-2df743165c3a", + "link": "https://learn.microsoft.com/azure/load-balancer/load-balancer-ha-ports-overview?source=recommendations", + "severity": "高", + "subcategory": "高可用性", + "text": "確保在負載均衡器上啟用了浮動IP", + "training": "https://learn.microsoft.com/training/modules/load-balancing-non-https-traffic-azure/?source=recommendations" + }, + { + "category": "業務連續性和災難恢復", + "guid": "c47cc4f3-f105-452c-845e-9b307b3856c1", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability", + "severity": "高", + "subcategory": "高可用性", + "text": 
"在部署高可用性基礎結構之前,根據所選區域,確定是使用 Azure 可用性集還是可用性區域進行部署。", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations" + }, + { + "category": "業務連續性和災難恢復", + "guid": "844f69c3-07e5-4ec1-bff7-4be27bcf5fea", + "link": "https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1", + "severity": "高", + "subcategory": "高可用性", + "text": "如果要滿足 SAP 元件(中央服務、應用程式伺服器和資料庫)應用程式的基礎結構 SLA,則必須為所有元件選擇相同的高可用性選項(VM、可用性集、可用性區域)。" + }, + { + "category": "業務連續性和災難恢復", + "guid": "cbe05bbe-209d-4490-ba47-778424d11678", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "severity": "高", + "subcategory": "高可用性", + "text": "不要在同一可用性集中混合使用不同角色的伺服器。將中央服務 VM、資料庫 VM、應用程式 VM 保留在其自己的可用性集中", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations" + }, + { + "category": "業務連續性和災難恢復", + "guid": "f2201000-d045-40a6-a79a-d7cdc01b4d86", + "link": "https://learn.microsoft.com/azure/virtual-machines/co-location", + "severity": "中等", + "subcategory": "高可用性", + "text": "除非使用鄰近放置組,否則無法在 Azure 可用性區域中部署 Azure 可用性集。", + "training": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios" + }, + { + "category": "業務連續性和災難恢復", + "guid": "9674e7c7-7796-4181-8920-09f4429543ba", + "link": "https://learn.microsoft.com/azure/virtual-machines/availability-set-overview", + "severity": "高", + "subcategory": "高可用性", + "text": "創建可用性集時,請使用可用的容錯域和更新域的最大數量。例如,如果在一個可用性集中部署兩個以上的 VM,則除了 Azure 計劃內維護外,還要使用最大數量的容錯域(三個)和足夠的更新域來限制潛在的物理硬體故障、網路中斷或電源中斷的影響。容錯域的預設數量為 2,以後無法連線更改。", + "training": "https://learn.microsoft.com/training/modules/configure-virtual-machine-availability/?source=recommendations" + }, + { + "category": "業務連續性和災難恢復", + "guid": "ae4ecb95-b70f-428f-8b9a-4c5b7e3478a2", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "severity": "高", + 
"subcategory": "高可用性", + "text": "在可用性集部署中使用 Azure 鄰近放置組時,所有三個 SAP 元件(中央服務、應用程式伺服器和資料庫)都應位於同一鄰近放置組中。" + }, + { + "category": "業務連續性和災難恢復", + "guid": "5d2fa56c-56ad-4484-88fe-72734c486ba2", + "link": "https://learn.microsoft.com/azure/sap/workloads/proximity-placement-scenarios", + "severity": "高", + "subcategory": "高可用性", + "text": "每個 SAP SID 使用一個鄰近放置組。組不跨可用性區域或 Azure 區域" + }, { "category": "計算", "guid": "2829e2ed-b217-4367-9aff-6691b4935ada", @@ -149,7 +240,7 @@ "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-netweaver-tutorial", "severity": "中等", "subcategory": "身份", - "text": "使用 SAML 對基於 SAP NetWeaver 的 Web 應用程式(如 SAP Fiori 和 SAP Web GUI)實施 SSO。", + "text": "使用 SAML 實現對基於 SAP NetWeaver 的 Web 應用程式(如 SAP Fiori 和 SAP Web GUI)的 SSO。", "training": "https://learn.microsoft.com/training/modules/explore-identity-services/8-exercise-integrate-azure-active-directory-sap-netweaver" }, { @@ -157,7 +248,7 @@ "guid": "9eb54dad-7861-4e1c-973a-f3bb003fc9c1", "severity": "中等", "subcategory": "身份", - "text": "使用 SAML 對基於 SAP NetWeaver 的 Web 應用程式(如 SAP Fiori 和 SAP Web GUI)實施 SSO。", + "text": "使用 SAML 實現對基於 SAP NetWeaver 的 Web 應用程式(如 SAP Fiori 和 SAP Web GUI)的 SSO。", "training": "https://learn.microsoft.com/training/modules/explore-identity-services/6-exercise-integrate-azure-active-directory-sap-fiori" }, { @@ -231,7 +322,7 @@ "link": "https://learn.microsoft.com/azure/active-directory/saas-apps/sap-hana-cloud-platform-tutorial", "severity": "中等", "subcategory": "身份", - "text": "實現SAP BTP 的 SSO" + "text": "實現對 SAP BTP 的 SSO" }, { "category": "標識和訪問", @@ -291,7 +382,7 @@ "link": "https://learn.microsoft.com/azure/quotas/quickstart-increase-quota-portal", "severity": "高", "subcategory": "訂閱", - "text": "如果部署到可用性區域,請確保在配額獲得批准后,VM 的區域部署可用。提交支援請求,其中包含所需的訂閱、VM 系列、CPU 數量和可用性區域。" + "text": "如果部署到可用性區域,請確保在批准配額后,VM 的區域部署可用。提交支援請求,其中包含所需的訂閱、VM 系列、CPU 數量和可用性區域。" }, { "category": "管理組和訂閱", 
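Review bot: The `training` value added for guid `afae6bec-2671-49ae-bc69-140b8ec8d320` is not a single URL: after `?source=recommendations` it carries a second, percent-encoded copy of a `ja-jp` learn.microsoft.com address, so the `source` parameter ends in `recommendationshttps%3A%2F%2F…`. It should read `"training": "https://learn.microsoft.com/training/paths/ensure-business-continuity-implement-disaster-recovery/?source=recommendations"`. Because this file comes from an automated change, the value probably has to be corrected in the checklist it is generated from, which is not visible here. A URL-shape check in that job would catch this kind of paste error before it reaches the spreadsheets and workbooks.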
@@ -342,7 +433,7 @@ "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-guide-rhel-multi-sid", "severity": "中等", "subcategory": "管理", - "text": "不要在同一集群中對不同的應用程式服務進行分組。例如,不要將DRBD和中央服務群集合並到同一個群集上。但是,可以使用同一個 Pacemaker 群集來管理大約五個不同的中心服務(多 SID 群集)。", + "text": "不要在同一集群中對不同的應用程式服務進行分組。例如,不要將DRBD和中央服務群集合並到同一個群集上。但是,可以使用同一個 Pacemaker 群集來管理大約五個不同的中央服務(多 SID 群集)。", "training": "https://learn.microsoft.com/training/modules/implement-ha-sap-netweaver-anydb/?source=recommendations" }, { @@ -412,7 +503,7 @@ "link": "https://learn.microsoft.com/azure/network-watcher/connection-monitor-overview", "severity": "中等", "subcategory": "監測", - "text": "使用 Azure 網路觀察程式中的連接監視器來監視 SAP 資料庫和應用程式伺服器的延遲指標。或者使用 Azure Monitor 收集和顯示網路延遲度量值。", + "text": "使用 Azure 網路觀察程式中的連接監視器監視 SAP 資料庫和應用程式伺服器的延遲指標。或者使用 Azure Monitor 收集和顯示網路延遲度量值。", "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/collecting-and-displaying-niping-network-latency-measurements/ba-p/1833979" }, { @@ -438,7 +529,7 @@ "link": "https://learn.microsoft.com/azure/sap/workloads/high-availability-zones", "severity": "高", "subcategory": "監測", - "text": "對於每個 Azure 訂閱,請在區域部署之前對 Azure 可用性區域運行延遲測試,以選擇用於在 Azure 上部署 SAP 的低延遲區域。", + "text": "對於每個 Azure 訂閱,請在區域部署之前在 Azure 可用性區域上運行延遲測試,以選擇用於在 Azure 上部署 SAP 的低延遲區域。", "training": "https://github.com/Azure/SAP-on-Azure-Scripts-and-Utilities/tree/main/AvZone-Latency-Test" }, { 
@@ -534,7 +625,7 @@ "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-network-topology-and-connectivity", "severity": "中等", "subcategory": "DNS解析", - "text": "如果在遷移到 Azure 期間未更改虛擬機器的 DNS 或虛擬名稱,則後台 DNS 和虛擬名稱會連接 SAP 環境中的許多系統介面,並且客戶有時只會知道開發人員隨時間推移定義的介面。遷移后,當虛擬名稱或 DNS 名稱發生更改時,各種系統之間會出現連接挑戰,建議保留 DNS 別名以防止出現這些類型的困難。", + "text": "如果在遷移到 Azure 期間未更改虛擬機器的 DNS 或虛擬名稱,則後台 DNS 和虛擬名稱會連接 SAP 環境中的許多系統介面,並且客戶有時只知道開發人員隨時間推移定義的介面。遷移后,當虛擬名稱或 DNS 名稱發生更改時,各種系統之間會出現連接挑戰,建議保留 DNS 別名以防止出現這些類型的困難。", "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/4-explore-name-resolution" }, { @@ -570,7 +661,7 @@ "link": "https://learn.microsoft.com/training/modules/introduction-azure-virtual-wan/?source=recommendations", "severity": "中等", "subcategory": "混合", - "text": "在需要跨 Azure 區域和本地位置進行全球傳輸連接的新網路、大型網路或全球網路中的 Azure 部署使用虛擬 WAN。使用此方法,無需手動為 Azure 網路設置可傳遞路由,並且可以遵循 Azure 上的 SAP 部署的標準。", + "text": "在需要跨 Azure 區域和本地位置進行全球傳輸連接的新網路、大型網路或全球網路中,將虛擬 WAN 用於 Azure 部署。使用此方法,無需手動為 Azure 網路設置可傳遞路由,並且可以遵循 Azure 上的 SAP 部署的標準。", "training": "https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about" }, { @@ -633,7 +724,7 @@ "link": "https://learn.microsoft.com/azure/well-architected/services/networking/azure-firewall?toc=%2Fazure%2Ffirewall%2Ftoc.json&bc=%2Fazure%2Ffirewall%2Fbreadcrumb%2Ftoc.json", "severity": "中等", "subcategory": "互聯網", - "text": "使用 Azure 防火牆管理發往 Internet 的 Azure 出站流量、非 HTTP/S 入站連接和東/西流量篩選(如果組織需要)", + "text": "使用 Azure 防火牆管理發往 Internet、非 HTTP/S 入站連接和東西方流量篩選的 Azure 出站流量(如果組織需要)", "training": "https://learn.microsoft.com/training/paths/secure-networking-infrastructure/" }, { 
@@ -660,7 +751,7 @@ "link": "https://learn.microsoft.com/azure/web-application-firewall/afds/afds-overview", "severity": "中等", "subcategory": "互聯網", - "text": "使用 Azure Front Door 和應用程式閘道保護 HTTP/S 應用程式時,利用 Azure Front Door 中的 Web 應用程式防火牆策略。鎖定應用程式閘道以僅接收來自 Azure Front Door 的流量。", + "text": "使用 Azure Front Door 和應用程式閘道來保護 HTTP/S 應用程式時,請利用 Azure Front Door 中的 Web 應用程式防火牆策略。鎖定應用程式閘道以僅接收來自 Azure Front Door 的流量。", "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations" }, { @@ -669,7 +760,7 @@ "link": "https://learn.microsoft.com/azure/web-application-firewall/ag/ag-overview", "severity": "中等", "subcategory": "互聯網", - "text": "當流量暴露給 Internet 時,使用 Web 應用程式防火牆掃描流量。另一種選擇是將其與負載均衡器或具有內置防火牆功能(如應用程式閘道或第三方解決方案)的資源一起使用。", + "text": "當流量暴露在互聯網上時,使用 Web 應用程式防火牆掃描流量。另一種選擇是將其與負載均衡器或具有內置防火牆功能(如應用程式閘道或第三方解決方案)的資源一起使用。", "training": "https://learn.microsoft.com/training/modules/introduction-azure-web-application-firewall/?source=recommendations" }, { @@ -678,7 +769,7 @@ "link": "https://learn.microsoft.com/azure/frontdoor/front-door-overview", "severity": "中等", "subcategory": "互聯網", - "text": "在需要跨 Azure 區域和本地位置進行全球傳輸連接的新網路、大型網路或全球網路中的 Azure 部署使用虛擬 WAN。使用此方法,無需手動為 Azure 網路設置可傳遞路由,並且可以遵循 Azure 上的 SAP 部署的標準。", + "text": "在需要跨 Azure 區域和本地位置進行全球傳輸連接的新網路、大型網路或全球網路中,將虛擬 WAN 用於 Azure 部署。使用此方法,無需手動為 Azure 網路設置可傳遞路由,並且可以遵循 Azure 上的 SAP 部署的標準。", "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/10-explore-azure-front-door" }, { 
@@ -687,7 +778,7 @@ "link": "https://learn.microsoft.com/azure/virtual-network/vnet-integration-for-azure-services", "severity": "中等", "subcategory": "互聯網", - "text": "若要防止數據洩露,請使用 Azure 專用連結安全地訪問平臺即服務資源,例如 Azure Blob 存儲、Azure 檔存儲、Azure Data Lake Storage Gen2、Azure 數據工廠等。Azure 專用終結點還可以幫助保護 VNet 與 Azure 存儲、Azure 備份等服務之間的流量。VNet 與啟用了專用終結點的服務之間的流量通過 Microsoft 全球網路傳輸,從而防止其暴露在公共 Internet 上。", + "text": "若要防止數據洩露,請使用 Azure 專用連結安全地訪問平臺即服務資源,例如 Azure Blob 存儲、Azure 檔存儲、Azure Data Lake Storage Gen2、Azure 數據工廠等。Azure 專用終結點還可以幫助保護 VNet 與 Azure 存儲、Azure 備份等服務之間的流量。VNet 與啟用了專用終結點的服務之間的流量通過 Microsoft 全球網路傳輸,從而防止其暴露給公共 Internet。", "training": "https://learn.microsoft.com/training/modules/design-implement-private-access-to-azure-services/?source=recommendations" }, { 
@@ -781,51 +872,56 @@ }, { "category": "安全性、治理與合規性", - "guid": "209d490d-a477-4784-84d1-16785d2fa56c", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "severity": "高", + "guid": "18dffcf3-248c-4039-a67c-dec8e3a5f804", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", + "severity": "中等", "subcategory": "統轄", - "text": "為 Azure 上的 SAP 分支訂閱自定義基於角色的訪問控制 (RBAC) 角色,以避免與網路相關的意外更改" + "text": "如果在 Azure、本地或其他雲環境中運行 Windows 和 Linux VM,則可以使用 Azure 自動化中的更新管理中心來管理作業系統更新,包括安全修補程式。", + "training": "https://learn.microsoft.com/azure/automation/update-management/overview" }, { "category": "安全性、治理與合規性", - "guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "guid": "08951710-79a2-492a-adbc-06d7a401545b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-security-operations", "severity": "中等", "subcategory": "統轄", - "text": "將 DMZ 和 NVA 與 SAP 資產的其餘部分隔離開來,配置 Azure 專用連結,並安全地管理和控制 Azure 上的 SAP 資源" + "text": "請定期查看 SAP 安全 OSS 說明,因為 SAP 會發佈高度關鍵的安全補丁或熱修復程式,需要立即採取措施來保護 SAP 系統。", + "training": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html" }, { "category": "安全性、治理與合規性", - "guid": "cf65de8e-1309-4ccc-b579-266bcca275fa", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "severity": "中等", + "guid": "1b8b394e-ae64-4a74-8933-357b523ea0a0", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "severity": "低", "subcategory": "統轄", - "text": "對於 SAP 資料庫伺服器加密,請使用 SAP HANA 本機加密技術。如果使用的是 Azure SQL 資料庫,請使用 DBMS 提供者提供的透明數據加密 (TDE) 來保護數據和日誌檔,並確保備份也已加密。" + "text": "對於 SQL Server 上的 SAP,可以禁用 SQL Server 系統管理員帳戶,因為 SQL Server 上的 SAP 系統不使用該帳戶。在禁用原始系統管理員帳戶之前,請確保具有系統管理員許可權的其他使用者可以訪問伺服器。" }, { "category": "安全性、治理與合規性", - "guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a", - "link": 
"https://learn.microsoft.com/azure/governance/policy/overview", - "severity": "中等", + "guid": "5a76a033-ced9-4eef-9a43-5e4f96634c8e", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security", + "severity": "高", "subcategory": "統轄", - "text": "默認情況下,Azure 儲存加密處於啟用狀態" + "text": "禁用xp_cmdshell。SQL Server 功能xp_cmdshell啟用 SQL Server 內部作業系統命令行介面。這是安全審計中的潛在風險。", + "training": "https://me.sap.com/notes/3019299/E" }, { "category": "安全性、治理與合規性", - "guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", - "severity": "中等", - "subcategory": "統轄", - "text": " " + "guid": "cf65de8e-1309-4ccc-b579-266bcca275fa", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "severity": "高", + "subcategory": "秘密", + "text": "在 Azrue 上加密 SAP HANA 資料庫伺服器使用 SAP HANA 原生加密技術。此外,如果在 Azure 上使用 SQL Server,請使用透明數據加密 (TDE) 來保護數據和日誌檔,並確保備份也已加密。", + "training": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/sap-lza-database-security" }, { "category": "安全性、治理與合規性", - "guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676", - "link": "https://learn.microsoft.com/azure/governance/policy/overview", + "guid": "a1abfe9d-55d0-44c3-a491-9cb1b3d1325a", + "link": "https://learn.microsoft.com/azure/storage/common/storage-service-encryption", "severity": "中等", - "subcategory": "統轄", - "text": " " + "subcategory": "秘密", + "text": "已為所有 Azure 資源管理器和經典記憶體啟用 Azure 儲存加密,並且無法禁用。由於數據預設是加密的,因此無需修改代碼或應用程式即可使用 Azure 儲存加密。", + "training": "https://learn.microsoft.com/training/modules/encrypt-sector-data/?source=recommendations" }, { "category": "安全性、治理與合規性", 
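Review bot: The new `text` for guid `cf65de8e-1309-4ccc-b579-266bcca275fa` spells the product name as `Azrue` (`在 Azrue 上加密 SAP HANA …`); it should be `Azure`. This is the database-encryption recommendation, and the hunk raises it to severity `高`, so the wording should be correct; the misspelling also breaks text search for the service name. If the same typo exists in the checklist this translation is generated from, fix it there so the other language files pick it up.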
@@ -833,95 +929,160 @@ "link": "https://learn.microsoft.com/azure/key-vault/general/overview", "severity": "高", "subcategory": "秘密", - "text": "使用 Azure Key Vault 儲存機密和憑據" + "text": "使用 Azure Key Vault 儲存機密和憑據", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations" }, { "category": "安全性、治理與合規性", "guid": "829e2edb-2173-4676-aff6-691b4935ada4", - "link": "https://learn.microsoft.com/azure/key-vault/general/overview-throttling", + "link": "https://learn.microsoft.com/azure/azure-resource-manager/management/lock-resources?tabs=json", "severity": "中等", "subcategory": "秘密", - "text": "建議在成功部署后鎖定 Azure 資源,以防止未經授權的更改" + "text": "建議在成功部署后鎖定 Azure 資源,以防止未經授權的更改。還可以使用自定義的 Azure 策略(自定義角色)在每個訂閱的基礎上強制實施 LOCK 約束和規則。", + "training": "https://learn.microsoft.com/training/modules/use-azure-resource-manager/?source=recommendations" }, { "category": "安全性、治理與合規性", "guid": "2223ece8-1b12-4318-8a54-17415833fb4a", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "link": "https://learn.microsoft.com/azure/key-vault/general/soft-delete-overview", "severity": "中等", "subcategory": "秘密", - "text": "預配 Azure Key Vault 並啟用軟刪除和清除策略,以允許對已刪除物件進行保留保護。" + "text": "預配啟用軟刪除和清除策略的 Azure Key Vault,以允許對已刪除物件進行保留保護。", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations" }, { "category": "安全性、治理與合規性", "guid": "e3c2df74-3165-4c3a-abe0-5bbe209d490d", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "severity": "中等", + "link": "https://learn.microsoft.com/azure/role-based-access-control/security-controls-policy", + "severity": "高", "subcategory": "秘密", - "text": "根據現有要求、法規和合規性控制(內部/外部) - 確定所需的 Azure 策略和 Azure RBAC 角色" + "text": "根據現有要求、法規和合規性控制(內部/外部) - 確定所需的 Azure 策略和 Azure RBAC 角色", + "training": "https://learn.microsoft.com/training/paths/describe-azure-management-governance/?source=recommendations" }, { 
"category": "安全性、治理與合規性", "guid": "a4777842-4d11-4678-9d2f-a56c56ad4840", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "severity": "中等", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "severity": "高", "subcategory": "秘密", - "text": "啟用適用於 SAP 的 Microsoft Defender for Cloud Standard 時,請確保從安裝終結點保護的任何策略中排除 SAP 資料庫伺服器。" + "text": "在 SAP 環境中啟用 Microsoft Defender for Endpoint 時,建議排除 DBMS 伺服器上的數據和日誌檔,而不是面向所有伺服器。在排除目標檔時,請遵循 DBMS 供應商的建議。", + "training": "https://techcommunity.microsoft.com/t5/running-sap-applications-on-the/microsoft-defender-endpoint-mde-for-sap-applications-on-windows/ba-p/3912268" }, { "category": "安全性、治理與合規性", "guid": "8fe72734-c486-4ba2-a0dc-0591cf65de8e", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "severity": "中等", + "link": "https://learn.microsoft.com/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks", + "severity": "高", "subcategory": "秘密", - "text": "委派具有即時訪問許可權的 SAP 管理員自定義角色。" + "text": "委派具有 Microsoft Defender for Cloud 實時訪問許可權的 SAP 管理員自定義角色。", + "training": "https://learn.microsoft.com/training/modules/secure-vms-with-azure-security-center/?source=recommendations" }, { "category": "安全性、治理與合規性", "guid": "1309cccd-5792-466b-aca2-75faa1abfe9d", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "severity": "中等", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "severity": "低", "subcategory": "秘密", - "text": "通過將第三方安全產品與用於 DIAG (SAP GUI)、RFC 和用於 HTTPS 的 SPNEGO 的安全網路通信 (SNC) 集成,對傳輸中的數據進行加密" + "text": "通過將第三方安全產品與用於 DIAG (SAP GUI)、RFC 和用於 HTTPS 的 SPNEGO 的安全網路通信 (SNC) 集成,對傳輸中的數據進行加密", + "training": "https://learn.microsoft.com/azure/security/fundamentals/encryption-overview#encryption-of-data-in-transit" }, { "category": "安全性、治理與合規性", - "guid": 
"55d04c3c-4919-4cb1-a3d1-325ae124ba34", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "guid": "eeaa3592-829e-42ed-a217-3676aff6691b", + "link": "https://learn.microsoft.com/azure/storage/common/storage-encryption-key-model-get?tabs=portal", "severity": "中等", "subcategory": "秘密", - "text": "具有 SAML 2.0 的 Azure Active Directory (Azure AD) 還可以為一系列 SAP 應用程式和平臺(如 SAP NetWeaver、SAP HANA 和 SAP Cloud Platform)提供 SSO" + "text": "預設使用 Microsoft 管理的金鑰以實現主體加密功能,並在需要時使用客戶管理的金鑰。", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations" }, { "category": "安全性、治理與合規性", - "guid": "df685edd-ce9b-4d3b-a0cd-b3b55eb2ec14", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "severity": "中等", + "guid": "4935ada4-2223-4ece-a1b1-23181a541741", + "link": "https://learn.microsoft.com/ja-jp/azure/key-vault/general/best-practices", + "severity": "高", "subcategory": "秘密", - "text": "請確保強化操作系統,以消除可能導致對 SAP 資料庫進行攻擊的漏洞。" + "text": "每個應用程式、每個環境、每個區域使用 Azure Key Vault。", + "training": "https://learn.microsoft.com/training/modules/manage-secrets-with-azure-key-vault/?source=recommendations" }, { "category": "安全性、治理與合規性", - "guid": "eeaa3592-829e-42ed-a217-3676aff6691b", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", - "severity": "中等", + "guid": "abc9634d-c44d-41e9-a530-e8444e16aa3c", + "link": "https://learn.microsoft.com/azure/key-vault/certificates/certificate-scenarios", + "severity": "高", "subcategory": "秘密", - "text": "預設使用 Microsoft 管理的金鑰以實現主體加密功能,並在需要時使用客戶管理的金鑰。" + "text": "若要控制和管理非 HANA Windows 和非 Windows 作業系統的磁碟加密密鑰和機密,請使用 Azure Key Vault。Azure Key Vault 不支援 SAP HANA,因此必須使用 SAP ABAP 或 SSH 密鑰等備用方法。", + "training": "https://learn.microsoft.com/training/modules/configure-and-manage-azure-key-vault/?source=recommendations" }, { "category": "安全性、治理與合規性", - "guid": "4935ada4-2223-4ece-a1b1-23181a541741", + "guid": 
"5833fb4a-e3c2-4df7-9316-5c3acbe05bbe", "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", "severity": "中等", "subcategory": "秘密", - "text": "每個應用程式、每個環境、每個區域使用 Azure Key Vault。" + "text": " " }, { "category": "安全性、治理與合規性", - "guid": "5833fb4a-e3c2-4df7-9316-5c3acbe05bbe", - "link": "https://learn.microsoft.com/azure/key-vault/general/best-practices", + "guid": "209d490d-a477-4784-84d1-16785d2fa56c", + "link": "https://learn.microsoft.com/azure/role-based-access-control/built-in-roles", + "severity": "高", + "subcategory": "安全", + "text": "為 Azure 上的 SAP 分支訂閱自定義基於角色的訪問控制 (RBAC) 角色,以避免與網路相關的意外更改", + "training": "https://learn.microsoft.com/training/modules/secure-azure-resources-with-rbac/?source=recommendations" + }, + { + "category": "安全性、治理與合規性", + "guid": "56ad4840-8fe7-4273-9c48-6ba280dc0591", + "link": "https://blogs.sap.com/2019/07/21/sap-security-operations-on-azure/", + "severity": "高", + "subcategory": "安全", + "text": "將 DMZ 和 NVA 與 SAP 資產的其餘部分隔離開來,配置 Azure 專用連結,並安全地管理和控制 Azure 上的 SAP 資源", + "training": "https://learn.microsoft.com/azure/architecture/reference-architectures/dmz/secure-vnet-dmz?tabs=portal" + }, + { + "category": "安全性、治理與合規性", + "guid": "e124ba34-df68-45ed-bce9-bd3bb0cdb3b5", + "link": "https://learn.microsoft.com/en-us/training/modules/secure-vms-with-azure-security-center/?source=recommendations", + "severity": "低", + "subcategory": "安全", + "text": "請考慮在 Azure 上使用 Microsoft 反惡意軟體來保護虛擬機免受惡意檔、廣告軟體和其他威脅的侵害。", + "training": "https://azure.microsoft.com/blog/deploying-antimalware-solutions-on-azure-virtual-machines/" + }, + { + "category": "安全性、治理與合規性", + "guid": "5eb2ec14-eeaa-4359-8829-e2edb2173676", + "link": "https://learn.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide", + "severity": "低", + "subcategory": "安全", + "text": "若要獲得更強大的保護,請考慮使用 Microsoft Defender for Endpoint。", + "training": 
"https://learn.microsoft.com/training/modules/implement-endpoint-protection-use-microsoft-defender/?source=recommendations" + }, + { + "category": "安全性、治理與合規性", + "guid": "87a924c4-25c2-419f-a2f0-96c7c4fe4525", + "link": "https://learn.microsoft.com/azure/architecture/guide/sap/sap-whole-landscape", + "severity": "高", + "subcategory": "安全", + "text": "通過將所有流量傳遞到中心虛擬網路(通過虛擬網路對等互連連接到分支網路),將 SAP 應用程式和資料庫伺服器與 Internet 或本地網路隔離開來。對等互連虛擬網路保證 Azure 上的 SAP 解決方案與公共 Internet 隔離。", + "training": "https://learn.microsoft.com/training/modules/explore-azure-networking/?source=recommendations" + }, + { + "category": "安全性、治理與合規性", + "guid": "491ca1c4-3d40-42c0-9d85-b8933999590b", + "link": "https://learn.microsoft.com/azure/cloud-adoption-framework/scenarios/sap/eslz-security-governance-and-compliance", + "severity": "低", + "subcategory": "安全", + "text": "對於面向 Internet 的應用程式(如 SAP Fiori),請確保在保持安全級別的同時,按應用程式要求分配負載。對於第 7 層安全性,可以使用 Azure 市場中提供的第三方 Web 應用程式防火牆 (WAF)。", + "training": "https://learn.microsoft.com/training/modules/simplify-cloud-procurement-governance-azure-marketplace/?source=recommendations" + }, + { + "category": "安全性、治理與合規性", + "guid": "9fc945b9-0527-47af-8200-9d652fe02fcc", + "link": "https://learn.microsoft.com/azure/sap/monitor/enable-tls-azure-monitor-sap-solutions", "severity": "中等", - "subcategory": "秘密", - "text": " " + "subcategory": "安全", + "text": "若要在用於 SAP 解決方案的 Azure Monitor 中啟用安全通信,可以選擇使用根證書或伺服器證書。我們強烈建議您使用根證書。", + "training": "https://learn.microsoft.com/training/modules/implement-azure-monitoring-sap-workloads-azure-virtual-machines/?source=recommendations" }, { "category": "存儲", @@ -934,7 +1095,7 @@ "metadata": { "name": "Azure Landing Zone Review", "state": "Preview", - "timestamp": "November 24, 2023" + "timestamp": "January 11, 2024" }, "severities": [ { 
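Review bot: The entry with guid `5833fb4a-e3c2-4df7-9316-5c3acbe05bbe` is kept on the new side with `"text": " "`, so the `秘密` subcategory ships a `中等` severity row that has a Key Vault link but no recommendation for a reviewer to assess. Either give it its text or drop the row; a check that rejects blank `text` values would stop such placeholders reaching the generated spreadsheets. Two links in the same hunk are also pinned to a locale: `https://learn.microsoft.com/ja-jp/azure/key-vault/general/best-practices` (guid `4935ada4-2223-4ece-a1b1-23181a541741`) and the `/en-us/` training-module address used as `link` for guid `e124ba34-df68-45ed-bce9-bd3bb0cdb3b5`. The surrounding entries use locale-neutral `learn.microsoft.com/azure/…` paths, and these two should match them.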
diff --git a/spreadsheet/macrofree/checklist.en.master.xlsx b/spreadsheet/macrofree/checklist.en.master.xlsx index 6462abce7f66f6b4e93951e10ed1c216068aea51..7fd75b5607fec3f28b6ccd80b0e1c038da8979ee 100644 GIT binary patch literal 316496 zcmZ6y1yozn5;lr^aV_pz+%>qn1&X^<9Euh9;u;)^6nA&m;vQ&mr#OTHk9+_Bw(q^Q z_DN3G+9&zWd^6wdJ#(U_2n&Y`1qFo!RUyg@l+o`)3x4}l_jX{u9Tv{!YOcH!k9qJ&&F3b6W6rez7|D0!f^M|QUe>Q zG2iDuf~l%&n?;ATgWBaZ>F99pbw!9U)JfOwN@xf^3)H+~0i;clM~cFf{aiP%o+9=+ zs)55cNwcAN?+mXye^#u=CwlM%BG?tJIX;oQ@L)4K))O1;X4j!^BdewUa?SY-{Lv4- zgb4MV$#;l)-oE?)+ARjtRxu0V&1{rVP&jXP^LAi!x3P4z{6DW8|FPVeo}x1`A7(ef zVIc6-aJ7X@W*49@@3UHmCB*1jtecXC@5Pvq;z)_4MpJ5pf-4tegmSYasm=|6nea6Z$>`KE(DV=mWD}vwcIejR&@Axx8(^j_DIY{TzUPkvrWZfA z`#AS#e$NU|U^t^1*D&B40cI@oioKpPttD`%)IwjCuK+x_(p+0j^{9fKXsT-|RZJ^K zyn|`DeYTEW-O)bd*tInqHe*X^%*(06*m->x!8SD)(>+@IYMt_PyM2G(p^!H$Pb<2T zy3mhpyde6f-oWdp1px;><=!w>p$E?XMg5MyAC+xJRL`3V~!8ud(wB@Hw5 zWdUlPQ|F7#GJsd$Duf z0j{D<+vim7#ULRA*H6COp}*+`Q%z&>vN~`(;~@M)bECs6Q08$fuoAc(PRWs6eV^yN z0kL#c`pKusu;m2p;@H0@fU=kdRV!9c-Ln>2rQKoiS~L!*QXWhk+LPXIhEr&aRhNhv z{Xk<*I@ZMzj~jxDoO^CQ9_vYfT9CZ@%RKDdag_aYi}SooAypd5FIqVJ%pvzeS8gb9{W-tfH8HE z|NRJdLFg&jc>|AM^N3=Ub?hA6rAO8U+CqZu0As20HzDr#4CN`m9p;baPb1-S6ojsA3-0GNq2INo6mLB6cYs+kr^&Iv7c{t%Ehp8InrMTETaXWN5@wV{F@>!+n(FCmu7sBv?KX!K*2+HQJ_f56eqTk1kc?)!OMtaGj$%k+2gG+er^6iQ9r7lS@s} zTIS2~4DyQpZ2nXV5Vz?$jei{K?7!8$M3a_xO>ZGwqhiyI= z;wC@B2UmTvG??SOQ)6yl0WE(k|n;UK$5EdwxPn+zKA|kouM( z%peq`A)MV+nr#u>>6K=vQp~Yk>?GP45>DPO4y>;b@7VS2HvEq8u4VxV=7%lfSFl}s zd@lp1O12577vjsq{N)X8;AYQNp;%@rSeGgd$WjwkWxyXed(mp`JL`;DJ2z0jUhdOm z)uwg*J|}6*PDin+c7vs9-1OU`ZJ2n|l8?oES%DR2?*d~dT}4ZJG{u0`=`@Y1RHp6| z-aiUOYj?!)C7y`Plhs_B2PAy2|Gy=GpL)W3M;SP%ENo&Z!vB-XyqsO_-E1r^-QC#! 
z`}W^_HrZwGwa(vM{iN${7u&_mBa@H-<$VIK@GW*YsQ;c6J$kGa2#-9oAI>|z-Naqf79{Br8qdO5p2 z5$w^tFAUIjT$HhwZt5WLecn00^U%h%tgf#3^QngSX?ejTWLc;Q|EYd$!E3Mir67)% zR;LThNC{GGHEt<5mu`FfMIPvE^wjBgrSM&K+vs^2qugg`Uc+OhW+HCR%)hmVpkpL& zu^n<}EaokC!$z}r2JZIxbu0GLjn~4Y{S@fv0sXvl!g?k4!m8*G+th7mT^jv{FYdl& z0X1VC*KYIXo7UEGa-h(y;q4i?I;H3M2J&+A@t#U?QGd^u7UUPGz3876)6~5=D)M-l z+;-&gR9Jpn`MoEYHOz_~^*5a?-)abpSg*_C5ljs+Us#X= zpaXQ5#Mp?hb-RCrFoa&;<6*jU1YZ-z_FQdbC?jEcQubSW5GuXH@}MlVrYzJI?**F_ z(>)Qo5KxQ8V<9{&_n!42R_~$k-f4Gk|Mh}u`NF|6 zNgqf;b`c`{r2qN6f&oRsc`ok8SnXn!Pb)&4JkdPkMd(=MDQS4ih2wd7!S_YvIXC90 z=lf>E1<}i|nHPH*Yrp!NhcN^eJF)cTsy!aw&mZo#$pg2vx3Y5>t3p75e(Wypdez1Z zFPGAl7~fw414;q|4gc(1U^qse=e&ZuHJ7Kygtqd!uA9CFDiyL#KCpQhi!83sraYl~ zORl5N5Y!m6^6jUav~StAE$DW?j(k+V2;7SLQ&AK+BK#Qos57d~0;T z?JR7xuTA_z_`Tp}NtFz>fn@(Xn$9!00M^bExK{&j3}o{5jvK_qNry!x$HhsR@0p|( zNlo&(;88r9|1;N8EeFsa!K%gH>fzMkVb$Rw>Uz@o9PaaLjIYv>l^bL9QFmJEKE7#a zq{o~5mO%BWWNpQ(>fPmOT20Wh^OxlW zW09O(Tle@-``+!r8ucI;^*|d1u6L6OSJ3>t#W*{0{}dyJ*gXE*G1c_H7dWaB_0@60 zU*j?`a^EjUOT;|UA4&9hgTDzP#S^8^f?aqd1vaQ^~dUEGiye_kUi}VMDS46 z2k9*;X`EEu`}U8Fpz~VVUZKw6E5kN;g&x_OKjLTO&qd!35i1XkPBEH4zBr#g&2H45 ztzV*QT$z9S$go#Z#$p*LJ$@Xn(#FWwl2%CGQOKco16Fak$X*mbbGW@hW`3^0SWYwR zX&RdR4gGs;w_U`F@qviZTU#%$6EE#YtRQfl7T9(bVE-Y53Vy4H2><*OsHZP(NlVU&*Ddi+&=0h6$_`)wV8;~$Pq4gR;A%CUj(hgWr{Jxjs14PM3N zoVV8M)%P94bjAXC?#}{GLIqo1x=ZcUEk@*9o8hy@iZ~@qYkBr(#Dc{uT2Dg$N9|NM zsJBKAuD9d+pi$bMV+Rn~-2-qe}S| z`~+mhCE^88G~9!WCRGDMw8yls>UqL{EVfTNQf^XFI`Pt<&q*=f?tJE?xvcDVB;)!J z#XstLaY(o9X_#fb<->5o$-KPZFhNFYx%rJ4xs>4gp)380tPOWmD8Cf_`YYkpSMMON z!G!;golQ#r^he>zs9j+i1L>4Ovbabjk>wAa2D?FL=K(R47hnG8dO=!uVSCtCJsz9j&sPbRhE$aj5y{+F{A=;}%}! 
z6a$BBC4q>pyUd;&--eOEJA%6(`%(|+(7pKiV*lh;`*sk`o>=t(yz@0gqEw)Yy zJ%3a$m&Gb_UQ`!eJ0Z6rF7v)Q?aj?awOL`4Ga>EoGKkS}a@R~tC$9%YPu(O>QxCrK zYq6w_wyK(^C9|8f3*glzAZ^{togc93Zrqw}wdk1wOdd65HuxKD7Vy0Fl`ToTA^g8wW+WZHR`l;6&F$ zh+9_0snsc|@k%o_yL-pdO?s4m-!D z(Z_Vx5S_%j(cJ?+UA7!zf9PhH*A`%G;E~Ss$ocGr)0DfIhoqeExXi~uE|ua?Zb^AC zpy#DZ&FRXOd8zsG!b?-*&PfwpV`(bChA0Q(2dps;6kYI|dKM_GIxy1(3q7_wRH_Ii z-wlQrHe{i>;+aguOg9mt=%X2$ao{%o=Y+H+qwJ?vcp{Z4i(4USSR#LN3X!WGh`F^l^`L>a-%{^q6K=}M{*FL9AIG^3d z)v_$wKJ`<>9zmJeyaS(jQRH05S==@A+z50K*U84Wzk}OuYDuMo$i;6YRNqB1k0HWq zrzE}XwP^Z5S$5$@2UNgLYb-EarM23)7EsguJ+7!I6NNIID7A|VT=8s3d$P$=6&`9J zXd{Oy6Z{?<_FdEm4jP32p2QJrlo$+AfmO7*(UI>vV=Y)rXb2=MOtXDlEJ#UDw%5>* zHFWZmz9`sfhKCQ*6Jht{Q&QH+zC&hw>I&z6)o_|&$}*D!#-;T31r@z$abk}Ok24=rZ97x^X&pyC%8m|^S`$~jSc*c; z8oi8#@g|4)&v|yfFuCNesV(Z9$>=ML;sp&49=yjvjEiF9phN%fNjx!5jKto70(Lw? zTjrHH4R)9+=kdNci7eI6pv4S+8>NK*1rIk}U=qh80XN-S@NiIC_AF=Y8;`%!mmbbA zQIt?1&x0s8`E=HxH#P7qanE695vrlVbZ@>Ff-34BDf}8c`QSFyi#XM5Y=$6e^Pln3 zO2jZ+$d8`tl)u}aiankX*@+a1RQ9_wW2D<3y(Y$<3-+%wXNj|qp#`I6L1X(ape59A z*&|%D?IBbZx^Mv$?th%CI99YT^t_PE=bUW)x+-rf5Tf$@2#{zo%xDnJsMP9ublHl% zdv8p(t8P{SaH# zd!aN_qrR3;7G@@h!V;bdxvZGi@(}Qg1`&nr5FmG|jwmr6Py;*FlS14W9SiHfnTlan z6Yzo0SV(9tkVx+LGiAfv8gRkB$xt``*-wXyggN_JB`_A^q6>;})pdkweFP7#{3y8< zLY*VcQUa%zyv}c>PcyV=mphJ6N~MC5?N`gX^mrX^33demfyf6CMWnX@9IVN|s?%lJ z$NCDA9p+5s8k6tipPx$KpyoiO8T0GOFF+FcR{8LzmsVu|D36y1HhPJ(zK;>HBa>Ub z;E9LN;MSM6*4hDn-0%2##5Xn)F0K_Wa+-x{)oQjvQP+-`bkH&dSz$Oj_!ehP(r}BL zWSb$Zx*B_}09Ki;Dx!ujw}0iY12-8o!-~#FC-;o7dKBaEr00>9kN_vKgWECeT__U@ z$e7Zw@P4`0B*f0Fd`WOgNsN@i8UvCciH&OSyH%hD;qsLIPZtbruocb>6TS_b#kXT> z+$|s9HB(A9BKueJmfV{f^SF2YWOABW6S&JWy3;k~$+KN(U>Q0q`F`7ABy@83Qi&h3 zIkPF?;6c5^n5$Xg&&9N%WOTyxbXopmiM#QbyyMp%xyMi%=!NIm^SR+%F6!3YO|S3_ zcW->-dM!~wc1w6Fp-NRW^=YTn>~OeVbcaBw%~tlvm~@1w$^X%$TU#(+-lEc_^!T`T zehGMP-^6-ahOR+RZN!^?@OI1ItJsAd81|Q(2}f_Y?Bm{7#E>4nD~y6vs<$~^PR6JWSq#uZvv+6;23HGiY~~b1*x%+aO-KA#a|`g8q~f*goLD7oILn*!ns$kjH|7(| zO#du*Ins^y*rvP{SnJ5Vx^i?@rDN}Z-&S>TN7iA!GJI%&>6>x2FnoxO*@5x2G5mS2 
zE$&_F0dhHg8-2N|0pGkbCm$|NOzKNWM|**cIbSR_C{7)75Fr(>j3z&6Eu|n%8K&+C zUfhA@t}Kqyl74js2AjAlor}0(4Id$So!rDbz}^nfL756~k?SFlcL%>pvi~FQ*ha`ZZ-|sVnAa4 zYvCC|y1wz7w`=fy7X%aPlPk@k3u2cha8EM6po02HYNG=mbvvTBR}2LFi*pF_ypD~; z3ikb%hMa*fo)+aNTsd&CSAEGRz(Oqg%n2IJ1o;xh3=0&_FK=95m%BtXzNlZcO+}oJNb7$YLWMI*zJ$Ocscxl6B{(H#mj)GJ(P$K#Y)~QL zSX}=V-W0mME?-oNtJ3wh(P#Mt`T7`e&hCJxJTSmhxLMmIGtTkJQZo6Dgm~^U6I|f3yeJ2IPqK8+*gTfokodS_%9aefQMMmZRGts7zIZhnb|& z-l6@dhAYnoYA5G3yuM~Jq&j!2IsAfydZb<2oRoC9+Ob%gE1k52LP&}7&%LhNqntQ< z29*i>L3gRJc$D5yHHevmnhK3D3Kl<0`_u}nW04WSPWaEB9LQ)T1aKk$v1d@qGwWM% z6u#&dmLFbY^2P`KV|`7e&*v$U=}i(?wI25+GdEv$qszHkucvW`feqn}A(f4a{Vy;T zF-mea5Prc#J+bOMK*MaHBfh^UnBp1j&nB5`$=IS)-^e)H%S898vt&#&? z&m84fe^2nZEK2YoE_Bor_(P z5W08PctX@aA2sU!p7Xh;ZF-M{ePE>tYM;tt@Q^&nDo?XYMz*C3BA?^So2+!ZZpoDL zjCR#LUv$w~Ii{Mg=OxA`qwn|CA6`-P6;S~PF73BN>;+FxG+GQBcet0eT6iwU+idC6 z$Ge@IZ3&EyBI&+lf*{8Z6?V!>pGZe7oXzwl6Pa<-LEv)#U}5D)(Os6CZml2&_O*HD#rJlmyAhMKm8eD7 zT3{{Wr1TfYNGPvyB@8G=QxuJU+=9>;VQgsz;iQNZ9BB_`+IuQ_Z&n68aq)rv%{pjC zQ?>uCpFj7~C}gMOf`^00tpQRtaHF z@#^k-`CAj*#apc__wSw@oA@GZ72MhhiavWsNUr6i-UdD^XWb=3n`Si#c{0_Ioe~%J zj9|w-Oc=a)Ww`!iQ+(JGtsF82ym*xX!-05lg}on;lDX-qV&N}CE09o8*os)pgKDcK z@+n?XnV8k&0klnwl7X3nuXFN$E~o;3XCF$;nRp(iGdyB64*caP)Gv;J)!n5}O!l1*>|U?P0X&e{A*R&dyv1 zgXDgCLXhPfxT1>~^jtb+QCktLj3C?%$CYV1u92G~YkvQ*CC+Lxiwh^H0q(}Z#hL#iGB`e zXU~g0RdgK0?(pQ63p9Y4)DO^xL`dzNnC_NHhx)bb`&LcdZvOFdlm^?MrDZIpQ!5Nu zL)aU$;E>vb|CjJ*Xy}5f9k37EM`;q!^5rS^N;2WF;kb}1J%^RdVD{IR&S$9KJG1v3 zGb(=$7 zEh+ZK0pqEZDa@$-R5un<8LRx`_l7n{FTtZ+6- z|D%>VccX;fZr@07yKE(Y{Y=@z73f^i&Kd-b$#NBGJPEHsgj8Hl3t)l`(n5eKM}yW# zbuCX=qwQoskx%0gua7(k)ztZ9+*-$U8UPJb{+GF%7{V_OT&=^UPpWt$*TxoJK*tbK$0Ud)Y*M*c*rUPgzV~^> z{;RRCcnIh-hyNbD`l|*;j)>)9KhV(XZo0*RHEta6KJ~-uV_Hz}n-#Ugp(+IMVk@$7 z-gC*cqPSAI;bTf0;)PO8;4)XT!opPiHKBW^d@oZ6e{HlSl%Z9BT3zb|i@EOX8V9S} z^}&+xpuERQ#ju-^U|x4;-Fpn|>6L*FkJKY{={bI7XQbt^(U3prsJ@?r1|ANC20aid znx5!#+Gjm=H$gfY4JG?4R`r1bkfuIe1Vvl?2LYj+wNKag5$ytYQdy*~PhFajGZc4w zduNEo6o>47+2)#P0~g5J(#=N);i}RB`NudQH#JC@S<-tc_L>S+OQoLb9tkIriW4Vg 
zmkJ$~@2iM>RkjGMkIr8OUt6NdO*PE69^y2}5oXeP>c0#4;I&^?M*tf4dDxkvhy5sU z0g9W~SkHR4XW6uF;z};qZ>tj|(lH%w?mk4VgWzj;|72`Wb-%XW-rZvrOYx1!Ahs9# zn%mFOb(Vfn8xBti&$Z+X$Lg)B?Z?#ndsW#+s=selA%hGoevQ)J^iz`|kWC1Bo zawcS0Dn{xdU^k%ASP@A~qGX+H>WD`X;|H_T(iXJw=18C{pH_i}M4Q^tz2@)G!xmXKr&VxKl)*mEFb`jRrGJ?;Q}g9+4< zkc~5L`;*`(b&D~>eoOr#D6l6lg|5^6YtF1en$uK665k=te7c}BqL@rLnS3g`OVT6L zdF~@%xn!(H=FZ%!@y)6#rJa+`0^#?3v1&|X3ZJG5UuuCALoG4 zuSf3|OF*7W*O+yvgqJaGyC>{>y=-X-HU7XD<1f1>YIU)#xYg+qEYxIslrGW?a--mE z236$u)*9?WkK=$Vy#Hkygn&N!#F{_byUc0O*Qk}k`vgFrLAGvskwXGG%!40Kw_922 z%de0=Da{VV+X1nFt*AnV>zz+wQ&P1RPXi88^%pRy9yk*>((Qfd4Tr7Z^V@INQ=PZX z8dfcO^F#)DoD96Ly{-c_+l=4C)ZTB;(WeB3CrbFBTx zXa-97G08o=6xTHQAN%Aaq56MS;gCEzUnjt&3~%BK1W|+R7Nb~rpL{Ek>@NP2!t<37 zP33L<_jKA_Y`sH26*)Ak!h73H+ECj*;E#uFX&)K7__6SP#>d?xBDE79<>(8O0+&}s^ zy$KS`n;?D7s+&o3XPaX|YyyE$a?b=eMOj+7qpR@nWmU+1hiy3SAxVT0t8>O~@+;`Umtv#gj_rB5$h3wP|I0A_Uvht@R0#O#? zT)#L~{H>ah613p|?&+kJsI(u43q14t~?{}F+d4Acs6!G9w{5Jn>)nwo-=UAC9k z&T+b}POsnkB%A5|#dYb+QPUcL^Akn@=8A+(x zBQ{cM2qqIErPfzKS(2>N&+ClVx)CHz)5DZ92a*_2{~ktotb6$so_P#iQR4lxMF7qy?9e13#-HFC59>KA0fTX{VVD>;qr$J zJ^X^vmVhp3#@D{evD#Ni$MCpW$rtTuB)aI-t~PKJ;&s|xDkJdm9-`^wUHyC#h6BE=JZW{Pwjk|R-<_S-`oyfssO{nb{TP>lj}Vupu)mGRGniSoj9J^b-e zmH>Y^MlrB#T2LnNQj?tMDC%dEi-G);ScI>e`97AD7{bH;rl|{v2xEu%bzVC?N?+j_ zD^0os7P!vGArzKD?-)4PbHU_B6T1koYRK|qtq@QWU{9c}v?55rR|loG2#pl`9|8 zo~Eys%Wcl6yY=N}u)> z#OAt4sz1^v=HcLH1RgELoLDhUyKdQWQEVgsZ-W90x}>MfeHp@1Wr4Ng0{T1^5Ao=r zao{x?$?PlAZC*YyVL=c2MhrbIYhKPbQH}hz;`(yuH&uG3aDf4;H{{h2Vsn?>r*G(V z-a2J)4RluNNooG(|5mdI5*f&g@j%zi{T$u{cXB!)dLL`#b50~VBw;zIzB{5WUKWY! 
zcF0TXG7Q^a6zLmK%_&or`zr)U|96WiVvfCZWK44MX1v^>ln7ySqN%8*i41F#js_JV zcks}|tNU!^wFFqufj*~dh35m7VfO}q`=M@!+oX)>bK7Vs236h*_U=4lqAIzRs6X6e z>@$UKcXU)Fi~@=@7nPqbwz#cQCi&pxX8EP~F3$h5RroXq^5YHLS3ff%wS(Ra`CfrE z(_EXbSb-7m)yE0h+L-p;D=e1#$d8lX#QYOpZqjG+MCAe@6wgQ0H>IxTTi3zCt(lX^ zKm52LSf6QP@G#7d5W}3oUNeYCs(&4$eTW7!-^2g>=B;2DM(5@U_Wa;Q&NS0Jo4wex zB#xu@cZ4tXeJt;#I>p;K03@h?%Hu7h`=3Pm+6`qUeN~NN?5;%8+y`0qg9}8F!Xb*i zYUFT|{+MXDSnMei*|OE6^3|^Lz-%{-QDF-4U8_kCNj6L!_65W~wZ9OuhG^IqdiV+7 zG-nEiQOpj1B2ul(MWjDSBk_ia@(t04{~*GWTMa-NIL44$rSG)s z)Z^I0UfbH!;p-J8UsYYX6Ny2XWcRp&A#Kf$3xc?DsF4o>o@oioFwF8rBZDAF2;T|u zgfS%gEzXlR%(K1QWTRARF)VVUCR>=|*5jhP`F`8e~Q!%54Gl`?tC7@+7A| zx&P?~q)wJxgvZG1vd>4e@g@&p9oN3J$K_zCV5w(ZI#)Mhs=HaF;^KF-&9sJX1on5Z zx!anbFPeXz<+@7oc~)}C;&i(+S(?=#_Wo6_=%_D5(OZ>#SHwTz{swEaVbqljUr)SV z7+sFiOeW>V1BWu63$NAy(&iCXj&YUySJxUtk^q>wbh6|$FEQ`X=#qRzXRHA_3))iX2RrK2B1g8rB%H|ZuhqLCgDilrlJp!NO)ORQvrwRBn{ z1I`+2iZSMp)-FUHceu_U26j;JZ?3i>NUl|R-3HR9nJ%!_R)n0vFbdca$mtETCd^sQ z)%$3Hs5h529C8RmVjZ1DOj1A1D8n0uflD&?>-dzDAbT$2pHYohN3g7lGG7e1-7;KF zU=(L2-|8%I0B*N3Vbu&SzFn&?>gwv4TPzp_OfgX)cnN9YXyK=39nnaue_0BSt|0Se zXjX}3pbXhW7ZKDeg*0aevof8zL&t8~G2w<|vt+tL3RMv#jm{3rx;fBDev?c@poH?9 zWTHc9Bufs#SYHdraEZ~^t=b61zWoLxwFK8Vu-K2y#1jUknC|Z#|AgwJvEyvz=ZUf; zbc3oq9d+~T%0GRl|u&0mRe#8qrMX z@J0|;70B_tJJmijCTBtH$Z5>T%goO0x13wXsP63{=D{%?$B<}GQ#ICrYd8DNFjsXHGdN*Ob5R zqtebGh3O{6i9sFJS#hc}tYToKPb)#C^F-Our-f-ltK4M7) zn-GPT#-0d0DuqCSLqwruQS42qpr0`6Az-S}PGiMMQLWY%oti$|e@;Mw^EVqy_GAo7 zArM$o)u9yya2Vkq{r+eOH-s!}04D?=5FKOEq|QhGHO=0mg8Vl%_NBT*BZzyVcD(!i zEIAt(+_G40AGiU^uu5B;NxJ*dCbm<%rB>s=d|=h*?Y3g>*v>;Yyi^HOabi_x)9{=0 zOJ(f@F-J~YiY1grS|9c}CluoZR51%|XuZ4Po>hTUF|JFA99Ao9l&efsjjOISyf$a; zy#-+WAEhN+QT1<>>b+5_Y~6WEGOyQbXl6;DiLOIjb`%-H@{YvxE}A`F$V!5cWsPI4 zH*tboG#K{7McoWF0%!Uh8bE;yC}E30@r~$9iq#jjET_Tp-2m}cdMfPM1e_n&{t__& z`K^N_pQW)>sABHF0cb;!%rNzHJB98|asa~<(;Nx#H*`98V}eG4ZC?k$5P=cY&f8KiV7PYhPV12@K%cR{-ly+vQ^4xGpC$wfu*W|@bgRQbzQlXzD^ zgHA^m7+}Sf(`Qh^1(i8%f;><3Made9GY7igeK%744q-C~-QPGAeB%&-)5!B{5Q~XOUA^2oYy~3Nn4QJb97zLD-zi+&>-eq~ 
zzvH&Z3FQ>TV=$~KwZq8vxwYb>%Ub6h4@liA*R!L(h4f0dg3-saS(+#0~c+flFRbv zY{1*3zoNjMC|_*-$z={_;`f3?%Nmjf%jDbCS6}7iovCSF)mQwgb++>A z)p^$OnC5m5Vdl#)cqP>rXW}XLT#OdvMw##O5Zr#v zn~n#ueF##0s>L^k`88i)Ml}C{{~gK^wk^6<8q3#6T{!r}FpzaLf|k@$5gH7p=)dhM zn{u#fNX$Sf5MeMqVJ?#G1EW7zxs#~w31?vT41Jc?>^fc6Vlo|j)pJ5clxbzzn#CfH ztm_Meo=B4$DAmjmftWe@pcv z;zp;_F6v6)oN8}n#h;2M#Sm$B$*OxZw;7T5<;^F@vkOKO#Yuw!YAwPhQkV7D3N zYzH;dQo6-Y5PsvvI*2%ASAK^Q5=W8rH1k|L)ZOwVjyN738vFPa)!HJJyf?Gx{;(7t z)Ne4y11G=y3Hj)KaIrm7QZ=PSyA1r44+Y#{0IT*i_ohh%nzC!lW*#ExviD&o`An&SqRW{UvY8={+<=fVbxgv~_8vBtdfL zWi=KJW@oo*ebvhD2;oIPsGW`bia=~Tx@6U*l>BX#Ov!rAFu7+~vnQ{=Q+yUK{%?xgGkq0gJzow=xzT@?GoZt&|22fH$1r1`gefLVQh^Z2)3boXTMyv`~vk8gz2j5AH!;HCQ`XsqI?SUmQ>;FZ| zo>H*GK#XMbTeP^=o`ifrWQ+n%r-;aouvo9vUCJ`s=Dyrz@(hqiJbiF4A;xce=s9I- zU|jpeDoq@W>)0Av_)a{U7mjfav%m)SXs-X-9D7DBiG3P{%4|PT!XhZvr>wYEfe8OlMBd)eJVWnD(VzYHwNKv6v(r zE%|(0x#FuP*S!Qbx{)D}GwT9JH0hEPaQSy%Y!gzExZW zccRrPJ~HD${3q5>jKnc{+l9W%e(AZ<7NOCoXd4-Vcge)tn#G7vN%3S#{d9R@32)&J2r=x)v(MfW^tV+p9qkUwpXYh6=dQ95FDczCx6fyuk`vcq zY)-dT@&=WMYyROQAm-}WIE?{h+ZAQot>+$eiJU4wXH>AozO;#s_$r z#AGSXp=+YE*dfcWM>GL(<>t`wP=6Uqg%LoKyeoeWmbyrpeOu>oDiKn1Nj%_gY_SI< z{p)?=^F$TDY0uo7_QXgi7{@@W`=qOQn~;i!6aqDT=baxUPp^fVKtI*wIx9-4v(MKV zzLK=UH*^ISS}TIf=C%lYVXb-Dh^O}~BN!3S>q67t+OZq3 zyOt5r-*k7&DWX#q`whI}IK`NdP`Tt=(dzlH>-jO-7DWI?e=#APV<~T27R6lG1H)bJ zdlg>w!FRGB{Is47Ge3S50;aeS_bHS@u5N3*H^dSEy*F-RDX79{C&zdAf=~Eeu1&W1 zoY4U)WgV$I(TCFEI4x{f@J==}uzq9^T_f1>#PF;(%i3x1}ao1|JtsJIqK= zqz2@>3gNE1ynW}IThTp;{ z&>dSIKEeez{d0vpc@sx>m)ifh0*1!t!bcVuhgrdXVMNB)1co}+SB>dI%T7t=dTQ&6 zce6_##!FTaM?1aMn)s?QFjb!H#N~1OR83fs3o?ocYe-Ud)R^UQn8m!4T#2#*)CTh6 z#cc0fYF<+jGui5uY@BP+o24i;{)vlFM(BbJfvnw|xR6qOqhITzYQ$&uH)s&HLgvr4 zFVSib4_kbffCMg^^kNa`6?1>ar$t0fikL#-65gmHfOGyW0^t~N;!H1y1BCPH_s_^s zND>F3Ifk+~675Zv=FY^SvdUw@iy}7#VIJevoeZ@xf5Q`r0)+o1F5GF3tMR4c)1(S3 z`s|xS3H708I?K{mlGR5R=6J7y)z|m}v%2MSv?99Bw}IhGmH1qUjb~TroVmHf&+Za$ zO@yKI6KnsoeYoyq-tqbBM_yP6M<8$hbQ_I!53Z_=rtQ;0C5nMBOFX47R=0? 
z!Qr{WDHfw1KtjPh30_>v;D@Dn?g2}>&VT0W|E;J%rf9zKw(|pGECHtoj3QQiF-ZEA zH!~(P!xN1PpP~&tUb(Ah&+J?c1pNf}FSF_DvQU%m?~nQSQ7_)x9^#t~8zA6&ZF91P zgKD)(1W$M98;;g&SPhAT+#MT3tK$Ieyf8;=NCoyg8SQl=M93QwSZu5Y+laA=4A&tu zMWz|ZC-})&a?Ae|*OhLzX?EyHp9R)TK<E34aDG0==tZWAYY zmQ~^|l_NR*$9wMfSKje~f)+&3h`|gmjQF|@vJG)iz9U?4GZxI6Rozt)#bgw@f{Z)y zHwx)}%TT;(q%Mk|-)mV-z5-_cQMAv2+!)7-zV=4Xbw*F#DUS}m3r3|C`+Y`3%Qb+JIt+rOB=oP$lJoLPOiG%-NX;;o;Cx{Otw^XVV#q$Lh>16RJk6=BP1%aB36EX=mpnY*v8@v zSKm2{oyG^Fw~1uoLmj&J&Zh)MmpzGqiazYbUNeb`LWz+NMSB-AxA_r9&*-ny=+Dxm z@wM|$yg5xJ665pU4tan3{56jbHV0Lu5j(ZS`0E;vRn}CRf=fsFahJc-DJlMOiRD&x zyn0st{glOe-7MS`hhCg1uQ>4(t<9Sr4%dd}zv*EtG>uKf_;qM7S8m-TJ^U^8w#){7 z8yYN?q#oS&-$g4;_o0B`f0PZgN9D({s?5AmW)4tj(Y4|UmwsT$_3Hoh0o$Cv<7vNn zHM|O(R3-ATVf5HivJ+hOCX`=xk*=U)&A-B_w-);lo`4Zv_G zD7@eADjWL*J{r)1b&RVJg2M=fl3}aJo)$PXCO2yywa)ImYUamJVOr(`n`IG>1HqfN zh%TFHLbp>6uVv((&B@a`r>7AKodc{8{XNV1kh#}0uYMLS_h^r||LR}^SypJa+hX6E ztmX29iiH1tFy`>>!59uLmN?Y-N8uQEa|){5xX@8>f7);i08)A$@MPeCc8Y_|DQ2dpD503ilu@b<@GOhtyS7FQAPHIj7&!3&Gt z@2})pEj2&?{3==6MRZd=|8aU^Un>^09LTR1k(b@{rb#ETS;Q-gar|Qj!n_EVE8fUt z#39}eXxnuh!6S1(sbCQ4nrlM{wmGyZHvqjF`Xa zbTY-aQvNY2Ui_+jtMyf>*UO^`;))6r;7MN8b=Ah!(ZQBaOEu^73|&cs2@fufPT`B& z48ExfzOP;4;fWo#d+yver81870Ve&_qRi>|c)>KPTS`9q+AcFKlYuW zfpOw5JP41=gujfn=`stZBS$l7vWH^_yO}-2Xw$I{x__6a%EpMl{M(Xva@b<5K5Rd{ zHLB}Si*Il{fT4Ybcnhmxi;Vlft3pOrkBLU{o?S{o7#;Hrmf%ym-*f68TzWXZMB2t> zcxfy;EWGvqAnot(J9v;_duHaBCgUJFIZwf-{D?&FtxqNt*d zPZlM070y#TqBfW3B&3~*M$Pe;CJ4Yt)O)gCrE4Wkddv8AVU3)2@#Ou}+Qn}r$BGwQ zC0bD7lO9;i}5sC*ZY1>BS z5WA1)jvx_O!=RBU`Hv?HYc<^I$nXp`jZ)u=nA=fCHhnOVMqG09M8f zQ$7e&U1}ufw4pU!NgCuD-%L^|4~}NeHe67(lNzjs4(k6GSNbry0T37P{EUDM1WjiB zEt(o~+EnY0oCTJ}=rrL{{>$Kc!i>VN)7hEIsyEpW{FC(?M(^p-Qj)D6Onm-aHDsqB;QvXE!xlU@sFp~u`Z4Y!jd`hoj1(f#3iLJPEUJbeN) zAlD<+gP7?m0GqHcUnusbjBMnRmphy*tIF!NwSS3jPSyCc>Oi|&A4l2hMVmC@FNe0a zKo#+AkFhDbE_7=9sbdy$)UnsK+I%?fGZ&YzWRO{SukWi}KJQ|ROvzs5Ip4@y&n_XN z;#r(Zi3t&0IsDAUhz7huTHNL0)%l4xioI!x>KgDIn?|YI;!oA|!x)>>NYCkd38!Cw 
zm*VFagqy>@mUU6}Sk$#Vf(=#L#M=?^}CQSWvr>guJh{k=yh6|YqqIR__fh<(3*ukOL`Ef^LdS7ae+GD9ZF&l z33xo6!d$6;o(7jIS$~lZoor1iaNBSL^lCH=^Z6=#!2});Uu-~*>{hZ$n*3#k#Z-mL(dQ=UeBOIZ!sl zIf3nU(qwUbX=X7K_U=Zib$2uP%alRPE7|#oQCeWt*dU|JkNP~#?cJ?m#mLqTbg>7)1rW(fWzJ^m31L4DY*HHO5K3P8+j<$?BXmib721SGKWF}M za2?OxXsEV`{*sh&T=*&YNmRCM9f9`?W9JERYaMTEol2YUvQJ&F7IgWyP;Zk`rWjkd zx3&=_;+r-zVa(xlGvf}~nY2ZSfQ}BfrF4P%N9vVwSbs0!QOgTS(R>5aT*IC)sseJ~ zt;6T{S_#dr>aKhLibaT>j{lrlZi%+@+nI|&=Rz+&i$S_q7+-{pau(T;LBz%yC{<2F zOSo2rB&!2oX>|ks+0=!gYPs@wkV*N%iJKD-5Bc3)uU%{Wix3lQO=uzCuAH zds$X)`VHSG);=MEeT0s?NFN~~@jVI&@^BEVpO8RPW=tfDC?VEXH+=A~@C7#-`y>7FFnM^?AhTjiz>u7sO4)BfXl!#&{!G z-(tr~@F!#)j^j?$Et`vo`b)!|IHJAel6c^Zb>}f4f}Iwk_!yLR`6;l_Q&cBv6|jCy zgP`QFYpd@vXxs43?lQpU9ng=(Dej_Q_s523@*RyU;4*s5EYZHsvOQ_zDPOAtdENyJ z0T(;;;j9Zc`>Gk5EXP)b`CZ5DgVaXJoY5C7{iC-`Tlo&o!CxZ)kLrauj4k!Lr`^IM znJzHcJ-zf(b&^2uL~Gw*o8F9(ZtPAnL$iZ*Z`$zjL=sUV3{rI9=A{d)DDm=%I!P#k zG%S6A+VOZ5WzF!!8pFA|M8xG?8HM%jCoO^o+VWqO-qZ3sRr?30!^`*eBom!1u5?0R z1TVUUsKy~BW#2O{PlV8&{ENyeN)LoBHg8M#?uy?<&g57!q--N5ozY^YFA7@Zz~V>5 zM-IqgG6*sdtD31L$cstXU}#`PvErlP8I=LBG$2%<+a?-XJxXBGC92#`@sdG~w~f*~ zu#J%yk6a^YJ5P8Yzj2T78sJW~l@Z}J5AiPQ<25cn-JE8~FDC6<)SE4ynh2egJjJVL zd~fG--W^yq(5h@vYdRlStMgfO=ze-sIuBc_g7R5ORXUU~J3d_XxP1ytLo9og8s=Xe zvP}w_Ib&eU2>FefG&U57nE?WA28dY*2A$Bel-fugO@BBxOvkMkY?LcksL7ms%%`fl zGWG~uTNft(yWu~Kil{rB0VU>@0-aZbk-gm$N!NZQ7w5WUtIK-S`U!-_7An=1*@v;d zd~m8OEYdL_gGltd_yO1uU^QV-mzgG`M4hXMejI6LTYQae*hc># z0UPkmyCqwEiyv!m-SfGE*0h$56)d-u$O@MbWyx;39yPWE7WEN7^0o)P4cP&wJ@%DN zFq8KNoJ)b*I>`P`minE;CCkY4tFfcW5RMopR#heE!pla1E-t9#MUz+wGYp+lPG>XFIE ztG??(-lZ5G%8#hDnQx_9JBieBeR|qAXfblT>aDP?J!3b@^AeuyupL@x)5loj$EkA7vy@M$Ej3K9aa?(Wg_K4PED4rphYbT&ZzF6>3VOliuuPV z2*!BlC%Rd#K%?M80gYm4knw61!kl0;aO>K2YX`iMerny{Ayg<9>(>Rmf*f%%mFf__ zm$}Vxcer@gZEzqtpZ$P*%!lVSj%(&rN;F>L8Of=Ne4xUYs(giWl%w z>UR-uP*}GQ>BqB^HaD48M+k}>k(Qoy?xm%RwEeA>1g~l73;xfDrW^WF(4F{sH9RBU z0rMHMv7StVCm+cq_)qyXT@fdHDb>HA#Z%g}v zg!r1Sbol!=1rrsBb=dLO@&VT`&%D6%|wZo6Xipx#y7vS0zz(Iols!7cOHj()@Ub2V+ 
zoF+Joiv9{PSbr@@x!}gO`!z&kyjf2(9AW!8TWpCfXu=ll$_&1&Gw3C|MwLeVfet1; zrAs%f>`g&02!oPAYh(5~E*b9nXi*t+;$<^@ra7)e`j1h(aFNRd^=DqBxmmOlJ>J!aVo1ut8GRhO`Ex@^M) zj>t>NMoQBL8oHs}TSW`m?V){8|TjYxc6-j5ofz>r?7W z;kX~33KwI?#?1wft+5h&>8W-51C&xB3z*=gP_Ys{P>tj8QSnRy`nhgl9s>d-vLmUn z^fZ1pzWk~{wsyfyg@pV!{SR2?G!#5NurQ>VFIdJj73lj_O*^hKBq6s~)XJS_cd~iv zDmu96#yhF+3Goi~&*Q>E5ZmUmJD%F;#}A0*eAEdSXEoH@2pYlVOzX%hBrV4Ceq^ZH zz34)E40@v^PC^ONAOy^cl28W=D!>KiV1Nq3rw7v?LK?9ivM%Ln`GAt&ggZf54uR#z1r8baXd{M;U&|L z2+jxOv>e72fx1TLdaT3@1$Em>aD4^Ns5(-H&56DCG@@IxsgVG2vJXPE+0{Zp`C&Th z9O@dmDp;YmN2?uBA<}}DkpC&EFNHk?cQ^JlKnDGi+*hChW9^JtK{jj_>nN`c>D;|Y zGqayB^%z##zPN!2?rJ(QIN7p#)?ZmpFvP>aaeW@bmPNp+wSX|2IAGiaXv~26!K+); z0+P_>dNDz?;2M)ApEJ7xK^qLK(i$dEz~nDw2$n{qRS=xo^CcdbT3XmJgzW;Hst8Y{_;nRcP?7ZM({NWSYfuJI8gr+;0k=>1gX8r&+2 zrH$Rnu}LM45!@)Y=37+-R8z!X3hHXq;EXGrQ5U5Q%aeLF=tQg4gp*9nP8ZF}a)qD* z_GI3NJupV7qjYG_GU%0XzCadW{wJBS(?c3&$BZj9BI1C1Rnxs38Qzc0!E%DS@h?zS z_^kfF4pJChk?|OQ?BgWBYY~VuYv=}GH&d4^`EIHTFPtyx_yhMDOxnObshIeoCEW<+&u zZU%N*B3GP@Bbt|@NH0@NSW2W!u@EL`6S^&M=wFZ97S`0>-IV{XnYK(q7&RGBEp}JE zW%}Y`cCo#Kn)ERp8^Y647I9IdRWjoFp;kHIb4tzm5i zOm5PK7s+JnHW%T;@TrZt5?K8csxl(O5ZjvcWT=uOMh3I^2eyCFCKWm~-QBEz1forf z?Mr*;3q>#WE&_={f;U6BEUEa;qiNGt z2*2VU&UtoOs{54UZgs$Bldg3niI9N+cq-?fv%6%hwM{|2Gtv;z6z%|i+AIzb!T&5 zS0>E)NoCB@d;9W*Z#6|=9{p_&z|nh!k3Hn{L~vbX;ltpj#yv4bFeZM+8sH+DFsu*T z@-vYl{3$)RhI256t{y@_1!={vv5lMoy#Y&Y2f0k375io;v^}BMRUhJIB>^!Un4U+w zI(q4p>Vumd;yZ`TL3~aWq+4f68(#S9^sb2`e1W}SppCXc%DI|#5RBR0JZ0c z5r*&xi+Gl)*<~QW{Q4^krHaATjV1H~C3aq_ z{!dTIZT$MH23i?uBaR)^UDQE7A$}YI3GS}VG|2JE29}o+Kk&ij0biNSH_yzbRr|`t z1;I||&N@+}$HXTcrl0G(Szt~*)~MLy1`Me^I!waNTLE+96YHsazGtYT<6?8ZduX(n zV;*~D2pU=a1`IfVlpL=q9`-oH6r?eba!h@yV$VuKW;j3jLf}FsSizL zpJN5+YPS_Rf3C8XIcW}c_JUHc%i3!0ai+8~HJUdwb@qa|9Xj0^nM>g5#-@tGX(*UZu0-An4{AKCWWVkh(-hjzXWMFRI^ ze%;M-bw00!9I;RNXqG(}4W5ig60>_XtQEgr2Opff_NB_d)UMPs23qPjhCP@vosSu; zrjXX#ZH2U?M5am@S_^qFUpJ_uBze%nfybGT`mSREhyDc?Wm(VI#(N%FfWwNAPi=&= zOjMl*l)TrO-Xq`Mgukjyz!VfeR=r!eMs32f8e1>ICn7Z+2^L1{wZ1=vLBU#?e 
z*n&xfeM#bg{+Z?qATz~;8@;x0b6PCRfz`y%cpH!s%Z@BEtZy!Z2_(rZ5J zMw8mGv9!X!bHsZ+d1BB8H)^d`wE1J8gErJ|BSMdj2a0Lb5Pz;{js(`vfNBZMAX72} zz2sB=h|I6XOt$deo7z5rW+ix`%`vUv{iESqbiW$Nj9J7{_ zy=r%q36|tNL)LykIUIw4N2R5SN

&?lV%&lDT`#-Hq zAQBCS?mtamlp652+BE5ml|1JSp1Qs_@vCnz#QSO~cFfuFeM`2u&Rti{Fk4Geo~l_J z_m)bYC^W&98L1Ubqz|Oggi@|W$Tbm8i(E%GR@!U*uy^Pn2Ui6n3Gg6_i3~VEI0ElU zq^JJ>=I_cln^dxHRyyWUDsaRj*z&^!zH=8yPij%Oydr zDx33ITZ96{EEIiRwK3q&95tIO0n#MChDgzazYROcT#4`q*ckTu)CN7J;3VsY0}TuC z0=zt!7Ik);e@f^>AQO&EQNW+YKcY;Y^2+|P3jIJTqCxxq$ffWr@+>ciOG}e&pmTKS zTB)n_C+%ze_DT}5zD~>-5vDVB=tPDe1ba{c_y* zO|#Zm8`ht5h)aAT)rNb6Mq0Vj9jm!d< z5SCY>CYHb@1Rih+5uIy-OMVZJsl17TuV<##(JaEj1s1>0@KM9e%;cP>!y%Ra41uMj4T#fU>b1jOMvR%|BRp6?_iP zRBcqtljm(7*wIXu2-g(w@4DmjD`1a*-4^k(pLN?r3VtVW1O6-`~Eb7gmd%BSpp zT$rcRp8eg}XN`UrpLiCq4#0E0*-=IfNfH^sgt!ob9C2XwVNgn0wED;AY=X%0L`=r1 zgcRh!a6<$3)9~H1Hn0px{yM?h5Dx|Dgdm_3tU+nGt>7gz$FT|v#H>L(?iaBt$1+#m z@A~Y9!eurxfenvgAvzzdXI&-S#nB5C>gUqFk_6r~+S0i^=QCI4?3cZ|7I`G6Y;V-Z z5yOjwzI7_`W_dM*?L$$)8wm(<109sAE0!Hr)&6+JjUkXTumk?Tg@K{aA^X?OIu)=m zFjVU*4V{6}M6L|f&wo(!hqS;))aTcG-@!2L3SJ6o>?7E_m9m!ETO@SOGxA}gQk?Hb z>GzIJn1bTsLU6nhC7}uxltT&x5P)*2=AQd|5W#w&qAtn!@A=!qPKgjfWtCYN6!igz z{$&qo8E~$reL*=Odq^9+Bz$XuP{MKww=5CY0n6j6YQq|cS!)|=9UpkM7P#(=KN&h) z1Vs=hS*cu|3_13M5lu{$e32?-pK)8*tWTWijjSersxrNI=Dpn^kWv)t1 zZq-)&VVB0dir*79>e{qz7OF_tvat@93L+>(I2EBFSJ!dPWWtL5vcDVCu(JDe&aR8& zGGX!TKxFbY(^vaFFRep$;>(k|dD~njd0=E()@;m32J%wB(~q||o@-y;75)~N{>{tL z=-a1!zm1#&r|;hERNOM$Y{jAg3t-1Yfr*Mck-pho;KNAE#konA^bSds1fUFnv5sg; z(5B>IV1;!c^4FO;g%00;-2kY8&dg!zbsW!07R*IgCg!u;QgIFJWjEo|#GJM1uPbY8 zo4r%)^mcxbQunM&IGz@2{Xlvq7Lxyq(3O&~QB8KYh&2nFcxQDMHBfrZPE@_!p-`C)yg2Sjg*IEZ04V{f!V)!U6}nLqU8VquV$4EDqd4FR z6}T~gJ}DyOE$1X;iBh}#SaJ$xLzOD^hYWK+J)P9!*`|Y?bw=li^+O}J=39dW2Skf{sWtmPG4YLE3~Y{DkH(inzF{u#}kqi36pj zJXG^;wi;yCvcD@7nz>Zf_nUDbqH!fAZYSWMADA_Xzk?D2b{dd&e{3_y!Scn%%?vyS zuRZrYrKRcIfk3@B=slvk+g2TXg#J{wHS#5wmbI)bR(Hd+&GvE9zz>vSCM~`3qyE_B zi8X!J<{OiQVln_BRBDuP9oeafyAMIB-UEYtD*R{oTWNkBz|IBI$w#o+s;D9)&$5hEP8*SGMok#dh__R}5SvrcnkK=^L8noDV|>tpYTkJTe{dapsF*G$ zX|jnQ%xQ!9X~JO+jN@ZPA!|L3m^LExj9Lm$Qti%$t@_y2V+qFQS+fAwX<}V_hf4Kr zh_ee_mhZ;ONQsIv?GyB3XXYF72QyirgwiyRpK4r1S_N9!j4C$vEtsv2rRUF@Z!sVx 
z8Ix%B*e%rA7$2Kxzj6CGCZwFLJ~f>bg9IGL6x{9nqIj6~xwk2c&?u>pZsdnMG-T{= zoMRlmH$}NohDPfVbgyb#FLfE5?i=kG$REY4|Kq%s_gipwq zaOOJ^0p-a4@nfC6e0fcO^G$__pNRDd1jqK>nSCYG^eXNb5ySS1#RWZgmX|SJq&cS> zdw)wEX-{T!gvd`K`PA%uB6uTQuxkS-4|R1#tn%+kDXWoUL7Z+_e@(=TKbVOK?O-0d zgS&n98m$G>)F=eWVRE`wdtgsPCmyQ~0_w{4p*_|@Om^7OVc&aMeXY+%^}GsDg{Q4z zMpn}_B)G{pwBN|@XHaCj1!`d%i>5cohNj9sbPsB!C0Xuek&s+0t5Eb-BWGj8!qRB_ zpfDlzcDjPFZYlPr#+Lw&Y}$nf&s=#begn$bGiq`1@t?`S({VlmC(}gQ)1hnXfi>b2SL#vNaoPPIu~R5Uy1*fda|9e8?dN8#xV5|bj+(Yfp3kT6d4jJ!h1uVAY{r1^ zGB;GMhfAtKyV@at2x({#K|0wp)a9F3XJH3)E+-z&{DWmR)uDW?wVO5Yz|BPtsFUdUyuwN+TK z;N0jOs%YFNIKP}L?FNT`A7U-Xp!=P##X0U_qd?kGX@Px>UY8KS!B%@P@#CV)i3@pX zqEeYEH+GCs-TYf@CyocRG4Eu|-j;8rwf-8_g6-bypk%=|xl)OPwe~7!Nxhxtia8#1 zC7pf;eWV&By!Vrp+`b&3KoYI;CoPJv6(b7nPQKDS+mI~$dVPKRWby-(k|k%D3b(VR z{IPx*0`2MaiI zzlgS^N7#apGp_9c5!|9zboJtqy>t<6RAEoam%ms^M2PSjmoon+R>#Vu+a+QtOc=K-K@w~TiZ4Tya9z2 zHH#cP{qkk8PkQZN-JBrDeC?!JUi_`U=5eg9mt=rZg1~#UfP=)&f$K#206*0w5*k`T zsm&Je(IC#Ds{Z4nugyY@EALTEekk-j$u`V<1k{Yh1qF9HkSxQY25TS@qecRtd=elL zjZpjjFKanR(XmWK2Wy$eH5kY^Fk!Qw=)4XpVGi~FdOifIuQ_FgT^}7!m@hZfBb+++v>2^jaX?jXzV1`nr{i`=;jpFxikq1n~&!R-`wZDH`EK z2XnOU9;YcwFHHifU|LiHCt|xm=WYkJnIIY_{emjYEGN1pTI=z6=di;l`QONo^u{q| z!4rAIZytu#H^zDrNO=(DFJR$a_}NQFrS-3J^)>u?X%u61MC|kiW~bRmMnM2IbztK zDF|=E{A0UG)V;k8!~^1-Z76?AMqR<@C|w*xqfSJf=b$QP>90A`FSFT7)0tK>VlNo# zz}(T7V}-M}h&3r~Z=*!60`KVN-zw3GgwA~gb!lM7c5I!Fg@t9v1Cv9_4~Yl`&nxji zviKcPlw0%NFhx*e5TBSNe)S{YCQ>LS*K|wkCN~=nH=jZ|Q2%nqgmRVXF7Yq6{FZ^$ zY-#x^)3BGx%785lj}rx*+I1a92Ipw@8?3TbqjI#Q49O}-Du~_B4w~m&6p)8ktIX^z zFr2S0dgpkkswI<Wm_=yJ& z3$D9L>OWfQfr=J32!~J!aC_`pLG}MWm!z$lreN6n&^)q7R;4zf*xfWV>apjTk<$p% z{kY$avYLIw+c5kH_Euqr+5-wW6aRJrh7?8llDpf&QCP$2m+(pkIKxIY=^{gj;FMQ7 zCQVL)v165ETwr1_!tcuBCAz9h* zr0R1Kn?$`wS1qX{AsmiA$?|^zM^~S`yyRc52{;ngB`JP_E|O#QvHR@fui^wfLtRO? 
zOxOMOILdwh&3^B+v6kB&o;;x5JAcw8&}qFAG;%`RS^YrL;E)s=$%34N1T4#>LW*uF zld5SKc~Uq(3&)sNG*2?@$l!NC{@fz(hoK@BgMf{5`YhGaZ(I@v3D3)6B)K#89{xld zW^_@Bwx@(fMf#T@p!oYF!e&U&b_A|Sy`v$B;~!Hlvug_MrP;d>1lc~u0R&pUb%mE# zsrjn4pfr}<9v!+VFi{u)1(j-3%`g0F~tf`3jZ=C@OR>XprfJg#En@4O0iR_*2(KBi)7(0AK zp7?%DNpzTt53Lsj0wHHA@;72hLKJcH1XTw8K?Hx|!J-7Iqnw}Zk1Zo1WANON@uEcY zq@hoPn1H<2gu|^SLV8kx#rcbT!-Jw;oSM8ytr&Y&494cG_HTEIsg}B9)8YF51C~Ut zGJ6dIUZ$+1tzfRE0#VK{KWl$>(Toig?VrSgLktAo)1J~eo^{yAd*jb&_sz#kz0bFI$?-Zj5)t=L0>zy zyyhhY4#1J^36~RGA6AyS&=^w~CVwIH6Drc;?n|M=bU$-`FP&sIkYG(>v>&#%RH?<> z3&{W6O=O{9+y#PnZIMO(kKTmE1J(n!s1Yzcp9E3f8GBM(`x2A>ZAkjac8NE06_Gl6 zNZKS!HX{JlpK>;bYk{yUIaoEEkPq}UVg#)RDqEofMaf{1aID_Rn!c}>IW*FVpjtYT zB8M?cxMc>NYDZk$vVtvXzQPNtc&~sOp}+3TxKKt4ELz1c1s-Ihvf6d5!g$X^fxXgj zbAntBp#y}0=HV>Fxzhp3a0vFNRG2ql&9#DK*q*Y0qxx6$f94Ek9i#y;3vRQq$wKWR zV*NCnbVoC#zg1dt>O*P9cm35v1NdXl%Xa62C~>*>i=Rm<+^oX>=w9 zS)GA2x!_BER;--BuJCj>uq~Qv&_~da#YuG8>D_9@BIJ@DJAR2n<)?(~Pn6i7cbxq% zZ(DEOP2m)M9fWwDn{L5D;nj%6rjb_uY^IouEpP?m8%oG-|4j9l396Z+-f+9fUK4IU zp|QhM2^$#0AtwTIGX|38RvwmX0_`2SnV4g4o$CB8$>7nIQje{^NwA+hG+C^&x7IvM zRpP>;1fvD1Mqi8B`Zb?n#XIqXsPEx|A_J(T_y!7!joFkj{-tqb01e)*%uK351l|cY zxE>7r4zJ<5G<<_5#LEOEW(>Wr(9RLe27{nxgw8IYznJY0wswhzXAjqu4 zn#98Z3e5x0H+ra6;EhE4AJl)12ErW0f!9T5mw0ne2*O-|@N!;%;AU|<`AW}aLy7B? 
zKwBt#pcdv*;&_QK!O443w%eDNR|Y@)Sy=D6UGlt;b!kb~9}yPyp80Fgc%A-erXT;8 zVY8|=Re96gIi;pev;ZW|>_pFUY0!QPewu$H3z;*UZSX0dxrgeL3Nut95>~!mZ@fys zjJxd~r7uJj5)c2D_y4HSD?^-YHeXSGn*CFrD?=%)(KXA7%jpAMZxT-s7n=DkdskK6 zlohS|2qh4N1brbWbTpyFVvKkJEU-pwZoFbr8xtRt_GT6~S`qUkZ#3*d38_0X ziAS{`G{1C*!N59+!^ZTZ|E^&u0>C5U|CQ(*t_gy17BF>r3%q@xO=L!dJa{Ue2v-QI z1RwmZ;my$_H{a#8bEG%2(_e#IW-rd9dVcfyf=yRp&{u!Fmc zF_oI*-m0l{MXo>6O%m_#Z!eq-DLU-lGuJ%qv;8#OLoRpymw2s{kn`LJt0b=Ty?usg zsd#-*z1+Ek(p_FyvghBBY&H=Q!x#*>E=z@UrNdfh!Yib8N5=rvC*J*b>R7=Wi}@?qo|(`44UuFBjZYr}1M%H*+U0 zZyx1H1aR&3X_T@1kxmpP{EQzrftyOsypMxyu1`BUlE$?k^#kbA#DCB~nzuxC1{(-s zRcVZh_C~PXs*^poi;&b)0qFkxOXaUmlzq+dBXo`wH2QrhjQinQopY<3x#v7%DJS10 zAszDc>+OF)uauJx1bXX!4LM2Go_V5M$0+?ZgKq=o(0o)B?C>DY<+Pw!0O0GG%Qa1i zP*aUMPQ0n#75=)%=bb|Y$M-5PmOwT$0}KucXQpo-j|^n6oR2c}9@6@G69iezMX?I$ zHAHcD<4##Ok<|w1KRQk|b*-ZVF#dp?!{tW!AWB&!5dm}*G&f2X!(nJ==JMM&>-RPD zQ~pdVDE|&c2X^YM`F;KGC794pMvLBz#$Gk59AN2$h(kU_j!EZF`bG6Rx((rlhU&55 z6+x6Onz7VMwxrke^VbahjmcA9`zC1mjgB*;YONd#9>}4NNVL`BuqIzRW|-2-yD8KM z%(omJwK2g2NdP#KvS{A~@+{;2C0(%X`eBG7QA&u9v$B!&jvYZQdgQ1USmQXzERzAf z*mWjY?hYnillsxdbikn!^Z&_I|BxB71oeDTrOr-pf69g1-xC7HT(tbK)qX^hh2MeV z)&2I&2(jp!_=ZX4IY!=kBq8IYTn|S?Y|7=)NaB^ICo ztr2cfXF(AC@+%`cE`MzGn8C{6W0Lmb`sY-=_iI>xB*3Hu9}W^>-bmEH7IWS*8HAu> zrG!XhmdxvQs|yq5GU=IY9(7Nv^-c~m!Nf8|J9Itj9*O!}5(I~sSd4EXOvFZ)+ysX5 zYZsf)*ML#lRs%MmwZ1syQ-^+JQWfGj*V=573+^96H*JpE{_?1YJF48Q0I&N|eE2;% zTPXRnoNB&UG~@e>il{T&KMAv|G5}FTO9`RMjAh9H#}R)mMEW6=6OCS)H3pJFel94K zS^OIdI-oS{4`Hp`5R0kG=*5*v0CRNzb4lvmdH;jkUHST2yoC?R+NS~AJx0%|)4sRV zGO)YMh6-2In1xo(cLW`2HEkDuSk>XZ3n9}Gklg)OX5}5(mO71FnQ~dY@Kz^=($aO{ z+P|%riF$@eh2dfsi$S)u;_UcJ!^N94Ht?3X1o$Z#q!Ejo58SE0n~a>CPs}|dF|dNZ zQFUz5qGv25Ji{GQ@pVy7xL;v7=mW?gDgy}}>~B8&tzBWPQNL2#$)4hXwJVIZ1m@v4 zbd#4y-uK<+xlQZN(eA%abGk9|UP z`nggbtO_I*V#ywzIcQTJ3rmrUqyV#s(>aS@VBljv#W)d^_8nnF zAli6*l0^G*7T|M_X4;>`yze0)92}L=k4pkB3y`1^i#GA`Vlfel2Qetnzih6EP0M?7 zF6^{C-5@s^dhDEjux3mQfA@H9_mi@1d8` zjIT1nf{TM$$}aG*?b?!Y;HLZ=`_)WQ-_knC2or#@UoGI?iU5z^lB)6|-4El)9oc*J 
z-SvfbPUj0ISFth#inirt2e{LZFr2~>8mp`|lEs2-G#Of?T1enC=hB^bmXQ(+up$GpK)b3TL*S?Rw)HZwCN zcWWlkOE6R%&G1V9s}e+adB-pgH47o8Sdf(%CsQt{Mq z4|pX1@p5Lxks27f9n`0=LTc%$V>Qs{JiON-M3D%<#$V6vaJsmIwK?X z4=^kOdrH#?RvP61NzFa7iJ#E@5Dasr|KSj%zSP8H zIu@GW9D)P{w#5`D7T$2#c@fSq{>d!kv-$<>NuS;Y91_-uXy)gL9g7|CmPSGOg@ZtF zT#G{#FwI*|k9fS(f={2*`NRKds#JOa_|taoMiO)6J;PJrvb|U_{E) zbd6`_nfeF+S@3eHv{Hw_qhkT9Y}xmW~PyK6fiHJU#bI#)I}bJXRkD z>wvoW^sB(rOlsvrMZp!!&eZ=`(<^rC2QZ307DCv}Oo!u4BkY~(i#_uuzH41GjrN6s zk9Bu0I;@iYC5A6PI5x~aqN`;4r#D(uc*q*3%16MjgRL`G?X|7A`u{QnOIAC#$YF1Y<|%y8nqh3 zW^POkbmh|L+KI)M>p|A(tR$6>pN=VzX2dWWh&c_Et5Xru9qj8!|7BMvEj!CizOfj{_TBfk18v%u8Q6XU8Nto$lz3qkfbrG=dP2El>EZ6LI<{pDDD63mj#9k%81<8s0W5$7nInAu>FV(Y%uHl2bw}g=*uPp352R@ zn>@YstN=Tkf1ysH-b-w2jrZ*5rw)D_o6^pDNIlmV$BY!7PWC5s18X@}9tG12$xP$Y zRg{Q}Ux%RUYFY}>ATj><5DE$bq)$gFAg1&^D8#=z)Q}j72FvNzenKb+i2Grn_kNJL zDv6_e3R$nUK%?0?-f~{y+s!6oe24LIqE}RxPv}9!#+%FTC>(W#>Ov40&22 z4@Bp$=YUx<%RKFq=s6Wmv4*%aqR3(+4djlS=fHoFs$_tLQ0Q&dfgc8?@rwx4m&uB5 z==vpIhpIXUe3{eq1K!;7eoQT@c7n~5vL-RU5-K?wMzRM(j}|DDd;K#34wST!EN>ZdIIg3#Me%(@&NJkaRwoGi(5`hgK^ zu{VJ-@|kc+yJksbsI~;glqXc-=hfL!p4bA>iL!MQt)R8C9aaxWqO-&|oVIiYL~$|@ zDK56c8W=w%B<%!5P?*tNLqcW)VhJ2-HF`wvloAn`SZLC579OyiMB(*6TX!f1DEkUN zXA3BPS1!1qlvfBvci!UiJrg^lnnb@F;5<=dcmB?ECSHefr22I&qsyf%g(LQQ<__}% zWCp~3W&%t!NQ<=;-QD__&0czHj3) zlTcTad_$*3&}K@417#t-Vyf)}4(tEh6-I(W#aI}!;M8EJ(z=Xk_+`VN)cb(%A$-$vgGBBWdD1$ca#2u(FZq(gCBJlNWJTx z?7)Y6`72bS@i}i*Q04D!;HR7lT$v_J%aw^qF4vCvAL@rJ!E-K5*i!1XL$O6m>vF)U>t;V*|*v8%G`|dqG_xE1=dB$4rnByIuFZT9Z)sS2EH5_K@HMdp; zpAT*-0dGaV@MlEoc5c>12u6TCYxp$YN7)PQdyf7k*&O%I#^?j*R{%Q%rDm?wZw=5m zmEsd;Xy5d@Xy|WI1)?oN7j1?nau(+J-%+tm19ty!`5p$}-M|fH!I}EE{I+L840P`q zMAMP~P^#gBlQYk3T3hydz}B@msZPZktBWG6z5b*3ce?V&smLQk!u}t(_eTeDaw%)Y zAhiS`QiSJb&g)HDE`vLGr7F414zOHK?GVnc*fz?>u6|hGyHHP_L3F3`E^p9v^qn+L z`;SFfu${-%SpP6Pfu`!hEi62!y*RI*rV*N}^F>%6SyQzVB@u#B`iz%uz#x^cy-0Vm z7^K?7cBeOoz2ht>wRL%`a5$PdV2KY2O_8-<_|^$9+B)7y+`zZH2(qV?cr98IeUx0e zj4t-?=&RsiA3-M8Jo-!+n5~!%qEj+Ij|6iknW{yj(FUo>D^`gS|OG1nQrl7aLv8dPO-NC|%PFZr^eUf+v*S7 
z&<^wfugTh3tP=er@obsptX4!nOW4j4Z%g;&c;*!&&}pE+9zvT1eg}hDZpF9n`W#m6 zupk=iFiv9F#<6l$K}Wl7-A9e%gx^h&#xSC}R;=!eRMCokMn zQIEF^RK(!>fc-w&L!7B?j_d012Ti4IJzLB>kFQ7N)=f9YRZdsq*jb)t*-SnLn-_rb z?fr{<4FC&F8bg3ZEAW$kN<9zZ*%>v2o?5i;>9>9ztNbo&cmio;C78qB@{6!w#P0tV z+~-!{NzOY^pz3V2f% z)%191NUe`A?w&wCao!ud>R>sHOz*e3{r(|rX(oLHVDcxIpG}y2ESr?xe-%{{ZS=U0 z7f5S})D|G}cbkEk*_1r)uD=?QCwjh4;>6kn=?3lB)hFgcVHCJ#JEO)$erR4gXcdZ$ z_7s?#>w;u{t?(*W=G(G7CGBo#l5#gw;}hn}IT}pG498o|NV5szNyjRA%O-CV&;G93 z*YS(3s(Wd-9h>8YsV6 zx@+@`{JzQ^`<*Dr$=d7%!|Z~ zM5^u%W}aMqoDq>0P10IPC8+QoB>Mb@nzdR0ue6*)OEeOVfYJ*Pj{nzX_Ax%3m8Hjj zLG0MulZt$BwmTkX#k+gJV#w?6vUh=KaKtw6^X|e3CdrN?;;PCyQ+}r0pw3SdFWvb21a1#Lz1)|h&-#rc*cc{IhoQbQtkGc zM3I`sRu!;{&1!Pm<`j|{0j396l7O-+RY~CZ?r{EgOC5V7!>QWN42^%O8@j5L@`9!a z7tEtAIdfSbR(C;80=eMHITR`2ZoPsz?xA~F8G&(v{+lq{9gJ&@L&02Vx$DotlX^U! zxS=u=YA7tcdKq$a1NhL=HI)A}T?L=(|C8tXgU!MrVd*;M>X>#|#`M|pb&iy7V ztkXkrSWIk`s3|$Ky@Sqr2A{o)k&df&a=h#ZqH2jwp#2G1(z|8s(SmCPf7VuMxaPdo z(yWi}^0jA&@*qK#>L2%2i8Co_%<}u`#Iz5Z-z3r|>`2}*!$QujPu zznS%4IpgO<@0?gDYe@6K!wojNp>JkQGu+T6PzkB}0o=q4)*&tJ#!V?L^ShaL1(T;4 z&XCVEJb1C#dx}oKX_Ec9IgiXF(d;G+{b_x*d2*VdDVB`Ah%d_mxb*dSx%6uekneNt zSytB!T%k-w?o+`NGj#Rx;v zI{ZO+dyv63%Di-I?#2)kC6liBuVWhI)D3{nR@>_4%}+|%S|c37?G1%{oAFUcOn^|lB|CT zj3@>H@NVb{ErQ3BCk_56UvZp9!fnpSxzv(ef!z!J^c@jmuiHOvI~}cBw{3bsV!izB zRm3@k4W+RTzi-GuD7#%azv&em#4cL2wup~s70%>qBO|&g%!@Rj8)bw|1fb-*ZR3&hy%EReYpT$FzUZxt7*>-UJc*nr#mTg%fyREHG zhkS1E=tM8aZ7{+UN)5g+3W~=+2UZl@%YEzpe+uB)xRAWnY^NH7ZB>Nlo?RRu=C?M4 z7iBwFrXUfZ4X!r2dC=y!%audAQKoC;wCE!;=vIQb75#}l;E#U0svzO_slfg|d=o{^ z*Jgv|*---Y5TrKd6)TLfqJ44PN#~JjIo$1I!@{a=4R-hn*GYaynmaMU{49`WV7UX& zE)&=jRX{od$KyUZ7-Ic5Ff~+P?xh#by6gNYb}#@PYvF_P0QQr^#0#uuB#h)L60P+Q z9u1Efs_j-(X7diHRes0=v0H|RR3*_@YZ_mUdPu)M~@j8Q~- zjMv1&dRh}54f|(#I}_v+@vimy;vs5}g)+8zW6<&67#OS_QK7M+f+*F6B62xNmgEpS zMqKU*nv;WrP7Dkw&aiblDeaD=hM^(eU+RdDz9nw&HB4jLX=8LjkXq;S?=8a#wP+%- z{cq=GP;M!>P%z=K7fJZos)7*8OtwGqjUfz7KC5FYv4ubJ1(n*ynkbt&owDin{M_EM zF@0y-f!_zDJL&0>eDIyz#kr^o-}*pd=;GSu-f}8$dJhqYk8*Lm3}I?eYvR7aP@V1Q 
z-U)rGqIm@UL&w0a*6$4fq#Yr1He?_q9fu>hK!jMhC_xK1{J(jV28t~u^VVR5eXmsB zor@BADX&6F=s!W45BuP#v5hQj5EEd2uY+0B|kjdj-W9XR+W#N;s67&xd0XUNBu;xqYO5o zpZ!n^iedIPbu!ByoxibPX?VX?UaXq>rrbjlTr6ud;NvMqz#7S?q9tT(;DvN&t&7*? zl<0CCF^NgJQFjHz}?=Al!_}N=|7; zF$Ows5n}~`3k%VTZ5JD(1BQcE*ORRGX?~`iwGQ#ELHCy%HQqER(Rv7(w5y@}*v&N< zux%%L0Mn?2vpRaw=&t>2Z;bqFsH06krVh~z$BM%s*7_0Tty7IbK)6pzi_(Y_(b%sl zuxwbbKvk?IiGN9Oei*Z+Anpq44_W9g+`&0%wPH-z_E<3J`i!%XsEDc;Ic}g1TI({A z|5xH5m{9rj3Wam}50<6cKUUBN(4gf+7!VyZMghL5d?;6x5s<(nJq$2O5Ai|? zA0j~W<^qYMvIp$l+ijXxOk~E+~!Bx~po6gVnu+AZe4KaaUiE<_eN#Vb$xU8X)z|T?dv0jk9#zdYh@BCh>66=pn1?x`MCVB= zApow)w`};hpN3(yeXmot&T8FFRN3||OC?GAC(7*tfl%Gs&S^|o&$JOnYVfe8_PJd# zPl^2$uUnaG-S5MG$ArBLpKmYEZxO;3T9`XlcS?%Y{TaR^)LYU^zqtDPYDpI_J0 zBt!lpo+C>-sn)l9+q_Q{?NswCeK^pUa}Nx9LKSMiPO`CQrC95yS=l6)ZgR8{;mKq? zNA>&k+#9O%239%6!)lpWKT z8@wY!JKWPeZ@lRcktQAa)tLJX!P;g5*`C#PwZCj`llCigk&yk+=|N$?jY zoIEjr7prk*f42$XuviDf(yp8M*5QQp-z=>8)k2=UR}h>RLTC+55nt)h7NWjNxsPHD zW6u}0?E=)_wIV3+8*t3wZCs|F06zko#ON^%$ zmEf&Yy z7Ir~e1(R4CSz=Z4(R3%FP{agRql#~g?KN{-HIgSFWJhq5=%4|AGOBjkZaZyPFDEjE z?t>d*o|Dd)1d)c)kK=(crNuduB`(S^rE?Fe;N4scX(fC{GVH>d?Cnp_qC%YRSYmA02^ zT5Czo<2@3rAB5W(!kd&O`#k<}_`^6?jdbrkfVeXeyF53=g9pgXMv8%XQ~i?DPb3GH z(F(b0WpKweER7J`>V+G{sC&5Hn(MTe&Y80--x8m<^Z_J}Slg$NhW=MdcyQqXy)$T> zpn6^UZM(jD((m64G;rL43A!EJIR8CgK5sWXXAYlgD?3TeQBPuQb_o+)SefhcIK2cb zPa+xq=c!wph@&^MTyOUtBjp7;x8_;`3ak@z8)=vwrAT(Np z^p0?ZbwyOv#leo#W(AA$av?gOExKIYyMwXZ!ZwrN!OGw0v_JlwC{ftfD(EuG(42K63q$&QU4yR^ z{A$dHt5cylb#?JbnQ4_$BWY_OjdKxY-dTGd;O+GXAzCms$d= zBmtVv0*2faY^lCb>Bf`S9a3%cdcaY7lc=`_hw4r4N2*!nj8S0uHXH)>L7wLy2M_73 zL%oeI9MG|S;v3it2?=lJ|4H+Rohi}hXrg4|7El0u;FZq1hUYQ3Zj2Ga4xCv^!zIeyJgn$UTs@@^;Kwhkx)q8&uOMm(#}e!)1N&;kkZ-b zb=dl-N$o2e!3B@qybM&Jwu(__tLMT(mx7ojUW#MGxgFYSrX;x}ii|9Rr_XNOBFR$= zQg2S7$dw~OVB9H+w{RF!6rZa~-*$O0Bm*+`BlsjS5kz6oh?vn<$ZHD{=wI%GIXy;s z(^w!;1OmTYn{){gEQd;@7?XkcSf*3{_9^i0d+_#g(Vu*4$QZEK)c3F_q6)hWb0My= zeS)BNrYY`Wn`DUOw~fN(id_x0Asd4LZrv@j@3GVx!4zPI?(IgO_4F%3YN6B+%EaRV 
zhdF%pVeST%(Y`1`qEE@<7k>|M@bH7&$3N~A+*^le8~p`1PTF^XP(M*i>>v^$++_gZ z151zyUv5rCxpDLX`S%=}Q_s&pKh=~Y=XU6dljL7BVWgA7<>Eeq(X?isd5BDujv-f4 zSED(z67hR&I<`WJ_fhs4n)jZnA=OD2q_D;s!go|VB?s4*cG>bkXsc1>Tb9Ai!OKLm z(N_mr9GM!JLTA+3`1-K|joQlF2RVCpT*I?Z=ENnsjjwJt$rN^BuAva6P6|cH6tPT5 zt7>Bq;^d*kUz26SZQ~0x5^q40Wgx;z2*s{K{kCuNQxcl;K!#%LgI$0K3PD($=%8sG zpM%!o|>W{5yYQNPs5D~a1(pG>Svh26ndPR32DkxQq& zWf&a!@ zPAQ7kA1}Zb{I+VpInt`ndxxhjzf}E|xO!cszJp%~n&Z3Wwl+Vy^hd%#vZ2W*3;}G= z2~kk=2Vy<`$A%0l=Pe;DPk(8!zX~a6%TEnT0I215s4-zXix{i?TsVk!dDk-_oBV)= z6k6swaEzVZq0I5SL^t)5o|pYK{GEz=r2A*{M>N-m+7K07F)^$}KeZ}TkrmxWA5DSp zw_ByijIPPmHC|m+d1jM;ny(M{ZcdfeViwXJP?W|T6z>Z@^4%J@2*=;*r1n*K(%y6z zd(iD%rKA(*Gds($8CVvqzZ)hHRuVW5E5E~N4=r+lRQr9l zBWn983Z3KOaAHkveO|l~le|Db)wlVzB zLs8QL-ok_)h`s>FpG}oCnYK%@9ZLy39bLixD&_Q=5*1J><$+2Wss~ic<1A7sVmy6n z9ihheP93b)HobNH)1c9&g6a>08qeEPBgs3GhgC&Kfa5dE7+fw zc)4O2q&&1kl>}ih_E9WUd_Q?cs#&=TR8~S`Be(0Te@5;243>?#Q%#Tvjz|V!+;% zg_dylIRA%i0tNOk`y0tG=+Dc?xfcyr>#p+luN^e11}(d%FJApTyN(DNaiDoYkXqQa z^tTY;Gi5WWE8oylmH&-lT|(0cXhJ^AmEp$LOn;N(BKQBMA%$~dPS3ipigs>-OgN2q z%J<8!LMB+RsxaQE{U92}n?@yY^-iC7#OsR3vxFT?X3%-3?!8s~q~1ZkP&iG+=RAu0 zs$-DJpxR#4Ql#!G zq7(xyv>1%K9v^d=J@9aK{c{1W(XPTY&ci$3K{FuQWn+8%yk=aUP|y6wwjyC=QD>hI zwTsnYt>Kobj9iF>!)67qc)Lm*3Y&0|72nF?cJ)qFGM%#p~%kB48fu695slw{qgv!V$7DKXT9N|qVokhdntfP!I^32FQreZ4P=KyIRA}nGy z?5e|K_tl_zgM{>c&L+X~Z(78Sz^U4jy!LMf1+@lW+7Zf$zES&`NT+F%u=On9|Mh`| ztRyB-JId38fIhIYzR1KkLkRaf6T!`RLUhQ0X5_+(TYPdw_!|m_<@iJgK0a_MmY*eN zOi*5`2w_}I1cWD8`N1iX@Mk&&z@^=f?T_OM`j;QK;{v`P&jJEIzK?SoejhJu8@mF2 zuLl>W$S}aZU^$d%b$p1HUE-gGoG=c9LjH6}V8V_DBMu0X^z>IhCR;Qi5u|C-r0LwE z`!J#ZN@}Po;fT^vzUvQ^w1B#+8xU25%ITw)@7%uY*GGIYJ(LB`Kh~|&?J!M=^<2%e z8&s=K{9zf$gASiv1d{5AnEBa^1!Z2fefhelO;br8&CBX4gQAM9FH4Lqw~Oq6=EoE< zK(tN%0YY^R4H2cANY^c@)JwkzHiH=(k|JKa*w?*mJwdG(LrQhl*-{k&9zk#!zwHSv*_U79*xGZQ)rrQ(6){eI*Q?aP&Ro$;heh=(tU?iF)8-P+|ud-`c zs|e5Kzu5kwxGQFkUw;d|vIphg$6j2~AVgC8Ed`$_nsOMLlM5(bEV6@>w}0XucqIN- zVW1fRkSrvvJ`}}jeBxUbZtYpUW* zaGS!|wuA8eBHJfA*Zvk!2&r6Ix@8X&r^QO{`&x&S({t;BqtB$G+R`Rk=kGo4@1RMP 
zU4C7m2=m23F&}wlXC|>v4fE}JdWi8IX(F2$j3Z8U>T@$$c=vA)@wj4*< zL1b;|9(>TcgHuApkM0jSzY6bXXM|JNB_e@kPR9KunOV2vH&8J@qUc}X_=sZK zeG6iR6srl6G6GPszrdH@@aoDQrsNxWlJK4p#Jq~zcb>_5z_(2{HknOPEM32e^{JUt zB03pzN+TSf?rnoQCNE0%J%@^1XuoGG{;_VGR%xah|GEM4kk&T+oznOuMSmaR51!F@ zvWpH~K)_p=9f;87M5-U>iG(HdQ_mqPf;D!!=o@}`W!vJ#eT>k1du3^ku)2(Fpoqu& zr}{zH;#7UvzCft_rG%3wxy6&wm(n0RD5?#5|MFcL zRZImi#t~f(FxMmkW=CB9zm5W6C2t2BIk{&IiV{Vqbdj-DVeU22H`1a1Bx95B-`aeD5rbE8zR}na#9ug@FMiKi4^_@j9v~} zdU_Lm!$A!mvnVekZvUe1j1XUz34v0cbQX(kZxPc%`C=kJ+AP~id zU&Ik+!y7=P^UM|D2r!C;@M&n02+SQ3LH~Xe&b1j72#h0NrpbT4i8+l%szZu}%r5;q zHpGxJxaO^nj_4>HEzVgB?ZWpniUbm>h@|v9mF?z~GHoFtIZRwIC)`c&+!}zN^|qe5vnokhaK}X$##tHd*)q=# z+4KGrq35sV+$~e0QpyO#Xk$D@3Qk3(fp?pt*$|cytVyualI-f)%mBhUn7lK=5cJ2t z77M%_$x$FT{30m8%D*5_P^`5LLRIuTTIumHv45n)Ro)6g#bBv}qz2R0D7Cma*d&%; z@$Dr9i-Fdn6GaWlMY)4<=hTA9H%cY$=|v3TzR#))S!YHaDIZdH)5@oc{IO3EiAjvdu@0b!R)lHUCL4` zbq{d_`O2Ag&JD(tzm-u^J9MR7X5@Mzw_k8frYg1{Y2B0ivSz#;vClbRF`IgqBtp4_ zRrHqqb9nzf_^J&!Z1=kw>Q~#IsmjtwSH@X z#ni^I0Uj6bPWG+q^(1uO%pC4M-AmLviJQwULR0GFaH=kTH;6-mebdQQlj6DoxZHW_ zJcno`4k9iDr7W(LQ}ZKWeF^4)`f1Kt0{|fr;nnEVJzJ`(8k6Emr*4|q00GsC(&6ud zj=Nuz6$h4G^&{bsU94b9<#YG6>|#pcLzB&Y$16fU%#8|h$|erJ%v@ZF0blOm(tSmw z)d4Mei?b;=^P84pwSB#fK|i%Dynu;eJ#8*~%J3|!LfU0pwZ`ub4~nzqWfJ*={{(>t z+^Qdd{4QkiR?yhceEfqGv@s5Q;ap_6QK3>fn+9v!rsz}J)PRU(zQ`E=6BU&7 zPMQJfWazH{pIU13)*aYH2?8hJ_GvHyR7HMq@W>yXK zhBG}LK0X+t*bbd%!GEDTpam^_vn^vaJjsM%0%@{9`~bnXsimJ#WniG!8H zoL=>830;)aM)V1Ps?rI1TGw*K#2!OE=8yYs$~a%RSaNO&f4p>sSZY=FPL;aV&uEtN zN~S!8Jj(XNj+TRC&B$kZsf2?4)yNfvmIxm|Q{ZZ;t3ifmtu7g@Zzew$1<3Fij?E#jlQV?NyGzR*7Z5x9-97)wo0ALk3r zCWwv5wkH((7^Wd8{L@w$ueTtzYM)a>!0CYDceA0LKA!ySHFtHfaZ_;{SG1S*`tyk4 zgd-<@xr{%^e@fF)l2aQWZFd*okibbkFi1kefCLNcC^@3S0rinZH1d;4^O;1(nbAya zJA!=NBU|(#;THJFf6AoZ+`E9Q#sLx$pyWhA$*YpT6NQ8@I|seMO`^qBeb>i0!9QLKBI$|!Y^f;MdX=)^2GhTIQnBno1x zEV!6rQbMg@XF=Euo5fyW?DY904Ok{OI@Gr_+JF+*;v z(5uFI1RywK*tDj+kxZf@XojIuIA<^-qtx?*CJm6v8F)AccgN<9I!z}QB~_hkjUQ^Z z=VffZr0wdSE5c{x=4!BFP;is&)z&?5D%1o8e0Pe=u*d~p>d6o$ 
z_x@wI4Y_$gt{Oew{zulxk{D8i8Gz_d67r86I=zk~>*ee7`&QKSMZnEc;TsoL7C4wt zp+Pmqsc}xUd^h(GdKc^d<8>sRB@0%{|-i-vGTH9PFk=}%C)O2xFzM^iTlNv1z= z%?{FchYzXxzN#8{>wl^Uw(M0 zAh3!WpTIqWm<6&MloDQk6k77#Iy{)_v~NSfsg|co>s;K{ER(4XihCit{=&s=y=x93 zYV43eM0Qt*LCmy(0`gt{^(U8<^CvIdKh6>)GY(7aun#di*WlGbe03gPm@cBU~k?S_J zk0SL(TZ)p1kT|hxchpHz#YIu<=qk6Qbv&rO0d2RLU7@B5gMdM{h^!L zg_9+hSR~P}&{kd9O)Z19@s`LmG;kDo~1j3GiSt zUFq$nN2=YXc1qBWro?I$b~ql&jeG}O?8{4n|5f4GeMMqR>IPzOIkc;VH_yHv#U0Oy z0lW^N#1{a-dYDX^c9rxLB9P{7``AbwG7Raz`3TC_Fdu=&OIV7kng#qEiz@muM(n(*O*enwWRUvir4 ztf%X~L5z@5{?WL#=9-#wF$H!Z-ik;R&5d)b+-g<{nNHIv7R9URI~>bkstFw4aW4yd z8X25(g*lNG>?wTDLb_zl(_Wi7hi#kLu__@8>c{Guccp1xXAh|zvCyzR)mOB3xxwIE za@}^H&n_oMQK+KF*p(QkBGutXl}k_%ZSf}UJ3vPz$zj?zg@WMz0--fh&l>-k7;H&6 z%zt%sh7vbU^)IO0K~J&Xq@G`&2T*{njc+X-&$NQ7BEs)WW|L1 z`T70IR#$4qi0>$~cQ!6VlW^Et@mj^Cmx#|eZM%zOLR4BO&6~}30b?la2t>#wrr`m| zR3T&N0j2gEO}fq4kPO2&r-p?bwaA4Fze@@Wf$Mwt%MIktGmwC9M(V(wa{}86aHDzUgHDhtDHj_i<*d zM_K+kwnjm^D@xH8AJ%jn%|Xj30YhRaWcaMa#gB2&RW;Pj2YLIaH#I6>T4V8hV+}<) zF4cBC0E2p#`rHfQGkd2`#edZFu|%%QU7l|Wrb^C6%CEI6U$ipjuSq>SA@c(&QkrS#n_k$MGMq}-;l{*ctnwTM2Islr}N%z*Npznb4Kn<~; zkIkdh(SlI?Xw_QorL}s&TI6cCTxna)A+%Cb?C=%vi3r^cz}M!hWlaNC#jB@tMkQ{{ z1BZ(X*a%Ro|AbRoa+B)Jq3)!|hEKa-pRj^YlEBx~n@a7&rxZ6paE1wT{VL$D{_`L9 zTHr~KJ#J(r_=gehd#le%hkASDwr3@Gd>at?&I zGWjF6xo7tBoh=cmA4scy&3?Lbv?2DQ;uM2g(vOZycp_bSom%{2C+lkjLTf7?Yz>4q z0~K`@pb5wfbzHx-hh62(?DtKGHZo3qgYLzYPMBVr6Aoi5 zn&KgZEy{(?fQ4r54a?H?rjhNze+6gE_)9}N*1;CyZ&a^2HzO`uQxx-$g;_*!GaXKk zSfGP)iMvT1ZQ9+odCK9tPpsamW#G`3@A?9$m9rr+uKAV@eh)<{1X3i73*k@-TyF=8 zFAWi77cXv2L8?QCDmN=F+M*5=1`RbYnL3{wnFVLgqYSIQM*)1OAZh$~C~A%sxr1KB z&cdT8jIQJ$uBx)8I=& z|0y*P5)g>qX>*5@0HeQQ0}Z#kT#E+`PXr|qgJYpzw$sMG5N4;!x>f;ZhKM-jbkwm( z4c;kZ5;;zp(s_?%#W2T;&R2}!+yjC$e6tn=LfymshqAM%zzWFkURMa8#Dnt5#~(Y_ zI5HdI4aAWq0|}L!bY^`~=p-HU5=gF&1pmpb{G6LX1-?1iKW~2c4+fbL3$Va9HwM1> zI4oqL0b&zK2EY!y>}D|e5m#Fvcp!pq0~>qeC!(>jI`5_Ny!^9?Tu$Yown##Ajm z93Z*$-&B$%Sre}A*=uW_-s0Z4+}oIVKYyi@TZxD7Tot&o zeNN?kr{GCB6?P7Z_o^HCrqN@;(I8C|G2GI#W|LDrSJOqf!#1B 
z?ZkUGLUr_%J5d~^%`m4SPqyfCtYe>BGpe#*vu7JC^fI1^bKDQC+L# zTCE84oA3NmzL(m5P1hC`j0md#62`|E;P?pP+UxiF7Swrz!gt4_z<3hh{e15HZmfc^ zL7w?>?kqy0fs1ZY%u+9`_a#*z0 zYxNya7xN+dY{`1@VrMgeR7QZRTt&iN!*d)|E8&|^NFH-p0Jk-e{Ll*5-y}} zp2XwKn=>2~Hw}i!b^~1qA}Lnwt_GJl&LA2cZu@0PAlDb`h~~x{5iHl(g;879-MOLa z0MI_Yin$Ive>g})i0ApX#=Rxz zT(E32PqIU{g=KYG9)--I)xG~P8f#^YzB61fy7^81A(kq>(>U{tV9(_8C$SfvCk6Ny zO!!?U6H9XA8fy4A@@Q{jr4>ggDzCp8uTU0(diOVNlS`mU-$mFt0h4(KW#$~o%^@Oo4T#R(CqC%j&J-sY?qRb?v&MaK^r|$Zrd<(+#8w~6 z69C7yRhM{v1h3_ANk(CCtX2PmH<;tpL0q@2+2_HV&P2EueC>f| zm}w;^Ve~)qicPH%tKiH{KbG--K0gzKVoyrN!OFK8#xm!6*5zJt$|!4GNEA>@CSpPt zrxIX0%5(o^@}A|L!r_`hDWd)3GuZ*8C=7TnMtQROezKhaxc*Rw*~{$x%Zt5l4Xsat zZO4UV8&{tvXRmb`#BK!7*mtj1RIyYhtkatokhP^1{Su zRGY&P*PAH1I4Dc|gbU-?N4&<4*zHmPr|qg065y|Y(T0jA*!6kS9(Wasg%Tnk#3>Tv`%)`#NUNv@Z37^N50rckllfU9B>xz=jd!iX*%foR{s?T&Un8I7 z0}lOlm0ig*QET`nkvLCmJEYpGqpyuaAw|aA9~vY$a(*a8*)4t4|~xUwV6n z$Du_~94ZBg3BRKJ6FK)tfq??2>}+dVeJyGn%YB?rr%hvddkiCK5dwNhtEGT_4x*j( z?tA2PnuIqv@cEey^N3)Fz_Hvp;3e`PD^Pps5dZSvOYKh=R@hN%OEf4hT(GDlGTbjT z$OG&iJ&Br1@m9?st)S$wToY9LTT4=Rt8i2&=;Qr$)D@G^UQ3NHh4S|7$fk)N<&~!e zkQVZo&T(rxm;T#xvopE2Z1=L4C)xy8wp!yxfBcI<7dh_Z=q`z z>O@p-d+sY$x_|X5N(;OYIaMAzG0Dqf$1#Y!mxeAmZ3}c_ov<`byi&uMKzh5|Dvpf8 zOeuR7G~~khnh5+5K?f!YvVm6bTP}f>6F+Lu?L=ImCrapdhN>Sq4NvTz#jv=s>0&i0ejRT)%@E3-G zz#5eHMJ>-hqT(eSV`n^l?$RHul#@VOn(MJjrhgEgv~5{YvS*NER7Q6J+xSfQY{gtu zB?FScFsREf+(KYYOpvNfsC2O(RCOa(3MSe9gxTDI04neZJrvB8kgJ|m!8}Mo*gfHv z{4t-`H0@G|d6CK3J6VEW3jN|G@9KS7kADLl{B>nLo(Sp9-zeAw!JNlF^7(nXQS zgLl3smP8fb>lBLK16){=B}wC*_8%A=vVx_C$sWAsc5Tw;N~lGSv4US1mi`k5)^j_> z>^JV?2H_(H()Z1PjHIi7G3ZIu;cD)tKW`C>@tu%ciES`aI%liyB3>zniR{Pvll>Tq)gk}!wRMD8A}BZBffWR|BtjgDcQnMxSM`*##WMhNTXDBn zAnrgfYk%3aFX<5-S^_Higu4C+eRrUP#;!d65td0l)jTlJ0j~ac^{aO@3~!8v6Z!uK z19;ORDb6N_Yy<*Mhc1d}pD7+J$=ZktVGY`psTL{o7xGq7a>8L*k35)20Q_XU0b;7{ zf1)c%f)()_?fMv?aVA0AIc_qA1NuqnPR2dPI)Md-t1(y(CfkBTmiLa0w9aa5AF8cr z!koHE#xXk9CIB1Y`R%b|O zb9a>kt4?)t%d<}bA{~3_`dm6o^Q!r%23Ds|67W{Jx8<54IU17hD`Ng_uRg)47z{|{5&7+h!fz1;>)8nv+-HMX5JcGB2rZ1Y5oZQHha 
zV%xTDG=5L}`#O!>55Wst^{s6veB(Tg@z>1qUsXoCMg zsj)b-K~f9;mfE{-FdJj2o4<6JB(X|>=!MMD`0EmIzwQILgHFS*tK;R~d2IuI=ez-G zSImfyh3ao-WJINLkc|Mn>Umihxc>@OM+K?n$_cBnc!l zDEMKGjX|$LZb-cgQQi8dbc#*)&A{3-qx8winl{G-J^5z-4gNu!T7;d8pIa+Yu*HuT zw2ojDXC9Zzafy}DxEOM?T3iD(<+J*27{nb`1V>j{gG@@@vGFDQYa@f5FK;J6&zNPl zYT`#l3|GB^Q)kG8Unwg=Pb@31iU^CV@dsxfEwoyaKfkK(hHhs7bKnS?ecK;#!r#fDfQ%oo{5EshZR4-7JBJz`^5ggfSF zs9cUd?-bG|KUQRE zGhvNy>wNxIrW;QK^(EQRg7dM(_D;v~jn$+5g;T|Mc1W+ezAVKJzu#8F_!LR1&ikF6 z12@Y{PItsU>uMMtbqR+=>376dGJ7<5O5`J6aoK_SY5lRGHtlr12CuR^Y4KT3%C4xM z-5+B*gF9Opo0tJ852agpM+XJ+`sZiNa2m0W{n^5XzKPJRTabJL2bXN!Q`gyFgH#U3 zZH+HwE1AY1VW%ggj1;#>-&e!^M2ETQhm$$sV2rtb1RStHwk+nM7we+;nHb2Ky$rB3guzD zjnka@_K@2K89fnk#h!(KIMP}1J))ygB<5n97T(V7@?u1DxKSG}Mx2rt3gpAiAlq2(KS>fBs4Uj~tDW2Dvb$mT;7HH$&xp zl=vkU0gBqj1X2J4C6n%rR@iqy5mpvRLA?ip`24=#aHVt0j5PeyMuWE19=voJ@^*Yu z6^I=uJ}Nek)ED9?z1+R%+SQSki;8;O#9be&or1qtY^Yz326i4y9s%yWaF&kOKC{GG zz}K!iL~k>q+&i16+#d0vYhVEn>5Fq8*4x^u>{e&6((P^G$1h?9@?DkSKRGas+Gig7 zcH#aIJl|lcP4MJit?AH+3Y!XSPWy(WlGFluEirE7g>Dn?sx<)f1)?i#s*(axy!+Vk zpKDG595@g2jvRlxW*(v!nYgRgHx#xHry5hZxalF;?6?i7!$wf@>@%hm6%bpFCNQsIzDg$iuG^X$TO8KZ^n6W zZ_d}fFa0SIZ_a51s+%*WS@yPd--DH5^TvzO7`&+CTgbI0Vvr!Y^EUjTgHxM`jRk!O zbq`A~R23V&KD(TW6afeMg3)g>|9W1+Eev2v0`(>pR`Qh&E zi|pF#ZFXyQBx{DQyW(w4EosK}*uYAaz*Vg_#!6+^)WADUN{+X%b>4fkq9@K%0P**4 zMhP%$vE`26)1j7fm&GC)fAan;|BCx&uVJciG)mK$deFrrUO04J!P#c1qbfHRtVpoi z;!x!}fxL)*#nZ}VQ9el_vbi*m`3 z24`zGEX+$gZwelpvpta`y$EXBI8*Ub7aHY;#(g;RXwhjh{*zdOnAQkx z4uy=lp<)7Vel)4i$mr*_R}wb2i<}7n46m)^l-rxZwdP4R zXVui$iIu0v3#z2(qo?-lL-={enC5-!ftuH4{s)P#FQT!`@h z#D>gA$o4a-srrt^DwjwmZTr_qBwM~a-=(~G;iQXOIn0?XiYjY40Q3y(jDMnsWllAL zZhk)IKW9raldCmf=59XHF5wVF4MV%?_dAv%19D}36^~}V>z7o5a^7v7O(;k3XVgxT z%6UuWbQM@rbvx9tos|z(=EgigJazBN8pqYw6U;sn{gp>+DAwUd8?N&G1Abp>6V*t_ zkexiDwP0w{mV*dcZATU{f`O88Pav>4=SI#!#0Zij1aXjto)j~REm^lGh*)ICMw`!J z0dyR2C-JK8`B~OTlmx048QUhF=e$dOb=}E-ZQ7#K*zPB_S22gEE#s7gph*$n^+r{$ zKt;1Scmm=UT4p4PR2eeQS@HX0X)!+XLLaenmb5qu=w-0z9+Lz5@AO@%>_1En$5p-v 
z31RGm35Gh-biz9P3pWw~KaRsZ7>D2CCgHmu$HgfL^lnldhml4|nrz_qT4I;kr2tBR z`#ubWW@R`krDzR?^Ridex7R{ej1PV^wp--1(2p+!ALlS{3G)|LG2RbPDh4n{M z7TfGAGHSJ}vhm4QjkX=WtlhxLskWv5gZ!!D;?58C z;=Y;YkA(J^(`I=o{4({ss9nDZJdY!qrNqjddQMmg+&JqzNYgahW43NN4{MH`Kq>kA z0~xT%jpEj$rbWxbl5>>gnUzxJl+x{tW<>Z;v!338Wr6Qa|wDvp=d zwDh5K83GKowQ&&Wkzg!YK!p-1P@!y0)oU!!4RXFJ z2P;zb`HW&lz z?_YppdsPGDFR7#cAvEC}E~|f^Y0BY)sVG{H&6so26BUAHx@+q@`rI^{%PZW!xi))P z>p>b&bd?6mwL%FBs3Vy64k?@n3xWq7Si0pAindf8SY{@T z8fNL`ELd(>f23Hx@7FTYD<2US6-Q!_^H zr`AxjNS>+nNI0GAmsQJg)yM1Q@(d0T7DI9E>fQFvqIrZoz3Z>%b$;s^Itla%6N0zf zvv9S#|Caqy4X0w(Iz4zOpkD3_w~(i?8aZkr!h_MAloRT*eqfQ%97#n7f#ZC@R%++ycyTiOzT63pWY`LdtC=RujQyz} z=&9R4t3)R{%-iEtx>!)>0mr|2=kr(UVv_H&lao2NHDj!9^XI11s_jK$U z;6sl{=6*62$%doNR-s%-e=*DmidObI?<*7_jmA*J*2^sVdUx{5qIV5rH@^6C`qDsl zS*T-G!zU5y(PG4{7SU0c$RpX_#y@et+=(N2c}cBYu8f7qXeZFZ6MvzsygiISWw`K# zViBCPi1grhEA4!6sT)-MmiR=O&fFIVR$l9CQQ(l3aJJ(fHFGqU3N;9c@dIf-G~Z4B zSWg&q5M|fyNN*sAc4D{wRAzpXEdD8LmkqQ|6>=mdyFtFaHmQ~P7hv%L<*5mzKM)nU z!mgOA8A;W`eFR`})V97G`U#I5-X~u3@3QTK@&$Vl0<#evDdJWb+>e40Mub+|iIs>W zqwY5dybCKgAe48cYD|6@_U_2hGu2#n@jb9@UE)2*p<~;#=5qYu>Cct3%wJwO0wOW> z@_4FC;py3V;jn2FZr=CE6v2han`oGT&iU~pLW42qzs=tP;FOk#SGt|@Uf%i3E1Ul zpYkhTV7gEk;pMRPKx3!eTfzZk-tM*ICKs*{?fy~^>7E#P$6fPpA8E)64x$1bPs}G&MNC$0Ru34O^2mOI znWx_Rhn9!x&b#Q9ym#Z|Xm%Q2n`9+W=V!i)ySAhz#dBogI_AM5Ez_G-S670zsJ{l3 z$<>~Ot<_W8?eEo1AF~{|MK_!TT!Zdf*CL7IEKtGSD1XtE3(_xEa<%=`f)uT|i~OXN zklACxJ9pEJ=P0dzRGXcap!EH9WpNt~tlV+7PU~#z0NHxbyv~;R?WG2Y^r3y1b?1en z*H}J;{o-;2o+)l}0uX^vJqa&+9yKzgi^olUD%q*&4QgfW-t5;4w ziU4!rSF!2SOs~mAA|LLq)UV0B2*G!lCKO?St~~(@Kx3=z$r^zP(>iRt7e_uiCvBTj z2#DMVP6^s?#q|m9pAU4LVm-x8=Of**CO11)qQ>#olaNL(dOd!$bVa^@A}_MU6WBEd zXU?jGTzn(q3eQK+lwii%W?mgj8Oc~SIO8)T;gr>3J@#)MlNY3~(|w0GzVb~zh_EjR z4D~t!U&1|JySWYBmPCU#QXc-SrnZzY-Zz^HHfk>~;`uH|*8}Ijf|f8iR|LiP>qC$r zpP(y=?B~gk*&VSH=Lac~)Tb-oaPC9yXpWL#Zn-@}T5b*Nn%ob7hXMJgC)brUXZl$0 z&RyH<9?V?`LG4m{G<-&2)-9MJ0tecqk>aPQ#mjt4~3pQE?{jA4M0D_7*|KB}d@H-a1>Jh}iTv z6Wayji);4z%oq{Sx@@?l)1FY{O6pMFX3E+9FV_0cY~SVX(GbMCW8HqAOc&u+xS5_| 
zjdI0yRVVwKy^g@0_?DedU?dDD%no{h>WeK?fd!^5wsftA$I2oB}{ zFY{5&#t^pn8eRuc2^DE&^vem_d*{)W9e^f@Z-zZ%Q!vLOO>11J+8-&oGdwa&B{*i! zf&Ri{v#4!!QfxIanE^;6rF8tQ=7Bqo9LHN+eb=;)?xpCl<=DL+Rm2oQ1ZS#}FJeMP zO*H7VdPte$ElK6AL*H!`+5ZKG{dAr=Vw6A`w={Bxy=yHa!bc+3uTN%SU46W(dXqVSI)6Xpvyh62@F1{rQQ4q25%d*h0lb<07+YsQW6)dGp2-eeO5;2; zoF@-H<{>wF!ajL1=i7<&8ra+$fIjKI%HIl8QbieCt3J%Tf}6y{T-i1>UT^5mPv7uk zXx&v>{oqAT;+y91)GM&&LD=jQuT#TJUq|fwHr^D}CSE-olwGQKA>Y|Qg)Wp*#lXB$ z3fY^`lrIQnLH=K2`*23?sL6l%OYj3pHg}9y(18&H9Z7?m$a-iDoFoq1DSvf*^~RfH zNUw5nKojBqnUEZh=MprKCfr|4#BZ^`?mB=%ATFTc?T7gWr$8a=pnN%VPBs@Hiry>b`QR@rF#fh%0y{ikfe3Dkb+M`F6-racuw7t z{aH`0be_kY0Rs?-&%z2Vo3C3dI-V8NM}?ytr?d_2c0*XfD49&daJh?iWc$k3I;)R^ zY}Ki4IP8DOtMc6<6&v>eGzUir2pHaDuNMU)t|89a=2HYW?RNw|YIvU5R~ zg&dcjx7u&Y=fG#r`03&H*O(el%iT9-@Tj*Uf5Nx(+Rl!_=X=1nw^>hDw7TtR);Tw03{jOlWP23+g71i2G+#gAhPJG`xBZEG&DiNe;3~LTr7JvL_E95cs$pU@G)s7 zTq36k8LkLd%7vWMt-C=}8_wW-MDfZQh`igUYGIjHtX0P{)bA+$XktH_SxYJ|Qk2#` zOso3_XmMB*@KrutpWzM1djPYzL%2W9IDQ?6OH^mR!-K;(z5PHX4&|eO@@cUp2|x%J zR?;x;QtRlSUb-qQ0?KI${v_cZa!O|L;5R7kPerHHD2eT|CGQ;>dU|(g2uSvYc0Lfo ztD=a|!`de8?|uBFlI-ts@I)M8yR5ZQK~fn9XG6~p^FNfva1u1Q8WKDRn$y?rf~AS& z!O!S%F|6BPp^%{7BI>~;4ek7A@TF$gvMB19r=51yXUh!ub(`bvanTeNEep97VD=|% zlcrI0N1bkk8FWbQzU$?GHHc7xZ@#LVQ`IgLzF|qJ6E?SB`!QzDhDKZI%GLUVW}QWA zYS$WBI5T8x1D3sw$2Zu<{h3{xiW5~vsXr$t3EP+gmA6~wO}n+@XUMfCf9knX6<&+Y z5E7y?)n}SOMbaIes*I2;$tBX{_*X5BT$#1d zc<1rLsT_Xy4;cadq0VUVZSRykOtuNPWrjFS);oxUn%aWJyCmn+6hJ)%9I@lC)o_X2joJnS~GAylJcQsgaMDbo1dCn@(M z_zGs`I<@^|OK|i1s^&cup1f|m+dCu(=;1$Uty_;NPe@P3lweOx{)UvXtIP z7OiW#(5h3rY=bXTPD#0an6TbMdM+w`R4|%nd5Ygr6pf8QpMd%OhvrmTl&v<7!!i*#)l zksU>y#=;<8zrj|eFnjrzHwhjC*LdHxmXw+=;c;E9gR>Za;+*J@nMs-K%A6$a6sa25 z3oVV1&Kyr9za-d(?+c#+TsMS)A%ul)N=-G9kXg!=U!fr->^#x-J&=U`GwL-BgUBksW5BjgQ)5}-L^|To0L8G1~jR*?z#w1+?BOXBvXK1${>T?wo zFBg8ZVjTm3r}cPZ^!*gd&LJ^uPz@SW7Mbix{Gi2dM^HbO7>3h}sc8~y82N=4_Y`2d zs&$A6Tu=qCU}fLWT2R%qt^4>VRwgo^ZEv`_`s;LNo|apup4Uu#+In4fUU z4u@1qYuH5PQo8|=_v2J?R!%8+w?GC(e?n!0>GI_V!X#KN8-C56pk!7n+tH64>7WEq 
zJ;7)yeWNDd-7vpeeCOblqYC1-H?F<8F?kJlj!>U* zbyoBeQ9%6}0{bb)+Yd3oujH$anB2z?EHr$GUuDCAub>|CU+)9H0*k>wQ3Fz;mbIBE z?`78`{yi{Y9_G7O6(*rUFM?^oo5R9M(^PD*VFl}9@TetJO#V7=i4szW<gPg!u7aeB0{0+c#k79MFfD}U+jg`AjSyIh|f1T+2v zwqJ08zV9B{sSiiu7JvDCW>zM48g9K(Rn46sq7cOhfb^cBhUF>ACJa5vHvELnobz95 zK=iy399`f4JMcqCtZ;g-e@Ya5GXEFo)>WUcuo2gO$aEl95CbVlzr9D zV*DNJNNi(2nkVgJ40J((HiocoTld)=xUgRHA;kC-OMoX8poksuO}D6OEM24E&13vi zJ>Csd->VRF-*44#fK<=ZA=IOw5&Ws}$KtQdYfXbn*6$qaLg5qLPk@?|mImx+1>Wa7 zMB|@sWi~D}%scWGxB6Z*e}Zk>T+bxBI5$!fAW)OQj{n2c@Q44I33Q~=+g1R7}+tR)_#gkDC?(D?P@NJTITdBl|sG40>M=*46PkF^yB zB|w9Tfd(@|(kPbb%}dOGtM+B8l^q;%jq*j*5d3blY)(P^ev!$H;#%W1P=t6}O} z5U5v;0}=zoY%#`3sCB#r7*I5N&y%9InxKee>oN|0r6Ti=zFe_0Xh!m{$xK8IGHRf_ zvw{3K{H26UCusQ2-@|KzhTlim$d>3;l;)!zY)yZ&Bu%o@SR($B2qU(Ex_e5=7@@)A z{UKStP@??^d6L#Dwf#kXtLbb#t!ZJGzl~ykF+qFH{nxC^WZ`%bnYu+94P*MJq|nz% z)sW@Uwz(4EJ(ys=gWcN{`6sZzvNhK5pSA^3%=Sl!x4kGH2C3pCtbD>!W7cG|tmqvS_mWYU0SjxP6y{5N$-Lf->JB7qNj7 zBCXV!y`AI~N&V8C+k;v#Fe4ttVmmXcghACrZzk|-e06sLBRUeuFCma{{jvkIq8jt!z1$%LK^SiV1hhSo zjgIjEhyo1TY5>}wMYxvK;6C0yQqA~2E-Vy{?t)6E_>3u7gCgl-G=grjGUu^$T;-<0 z9rBlC(U_GVe?(Utmzx~hD`wnYXo5-Tm$NBaBxEk_q^e56dVPGv*Y@nz>=z@nSJ5on z5jb>ed;fkdYtiZ~AVmH`)uCOO-oqWXZ*xx>*X7t|kjg=*VC``*Th*Qm#6-9s+f0^5 zgc!Q>Gr`WT{J>NUEr?3(&O=PFaz|odE%FxpXoT!q*8uwBU+6A74>EiS2{tS;Hfp~$ z>Z@wMZS(+bwgTSHRGOO!Oz=&-GHiLP9tjp`_5CJ1{tSa@BUKh*X6nu_KfH}k^K9K0 z%|O-x$kHhqr`#*>NJ8fd4|(ST`iT0kW`UvHQe~d9Qq-uYCkdDA$xEA^-3d`Bo#`H! 
zLESCsIcdMZm8?dYhb7-q_(vmbt|v}<-M3dPl7V-38XhBShdnQAZa}B|BavU?uOl$~ zdYq~($<2~)HwdVpi#zFPn(}ClXG(Zg?L)%<(9#~>?T?K(j?mmZMu__wzAnAuT6t7~ zLBVG{%PA=zPN4zo!61WKG zCv-+17%%naRv!Ci8=RiT`lVe9$R4QJz;AYHkWfa`_e+|aeDEB1;`(OGW~^m^Q!%q; z2hJe=<59fe7iAcwSir=#UGTR7l%)_Ag063`$@_@I*JMU6y{mMzF%$@=r@ihPV!{7e ziGPLtgnaY|bj4_pnYibThv~WJ1weh$GNGWk6p!hab0p*)#CBZKe|b1g$PvJP4)v*= zp>nOG1s+Dd%Q&}09O>HRRnKa9*z~x(bhtx04k+2XtYjyf<5r|Vl#`Hcf!JYlSYP*2 z&l}<#@m*zNv5J8)hJ63wyXi&+qszvZB|jTQ%O@Q%P&1%xsNL%f__ArQ=$^*+F;^hW zl5a8o98c#^q3)Y})|a#nY1aeREq}LMQe)agszjmRNl$Qz(Tlp)2p{$o9@N%`o1U>V z`aT^)!ic5-X$~!M1`GTdz!ho;In~3`0a^1mvkAI#cbZ$vc2c39nlHJA>-_#FC`a7o zLmLvGFRlw|?24!D&$O_q?gsx^;&Vbv0qhO6sh<(l6jqN@fN4nlRjcs1u8ahhhJpmhy`MDQ!sD4b>T(q{jx=-q4aE4WeVRw^aaabQ zmYp7nE}j6-K<*RPdmJ?M8JV(2O+R7bE1!x~UY$uD-l2Ep8?0FQ6s=Tgb-&I6UFmiZ zvky&8g!iqeyGNQjR?IUz2CRv73hz9XuffJ&Z^_hzke|5#kJMyTE6~J5t#_$!f67E{ z=D*tKN zn;R3PVN8&QudDdA+1HG3**2js{6Sl@ojHT)zV_LjbtHtj8Q}?^L6R;+2a+#E>tE(r z&OjVZhAnn|JmyJAYwP*+i+F7!Vz;M-TNUSjzIJ{m)LXTo+_dV|Rua_?9Y$}MGD+~8Owh2-s|jSZa_MNQ)_-R6%cvU*o*fUS>L ztZijPSBRzo*jJ`xSZ8rqRBgP9BeKdRq$=AyvZRA9Q;HrfbvcB34qu5(@NO=Ih=DBl zQ??IDj!)#8qFWfCb~+b5RaKgj;=!?*u}~ zT6|Fk*9gS=%&)Mm(UF;&1j)|ynkJ@3FHvu&_`EB>@_3Mr+g;n3i)ep4-kKnZK z=C$Jw$5$D})5|}cYR!&DN$XH4-E=#&H!8{I){j;V%Pbor_LRZvrya0SMNoCf|%@!lJ-@wv5mMC-h9l z+!bF^eY<>?j5xVBm*oFRUyy#s)L3{I3z9xPu+nG(xm+aATR<8MJp zdr6vT$%42|9_fkzcr#a+ioO-6p8({tcd&nfvKruT1N2K1`#{s4=K2hOFQV)aGpdG0 z#T^A97_k7h6Su!2v==4qPTZnK@Gv}2Yx4f_^@)c7+_x6SpN zQjpClwF7YmOa1<@IbXC4a#0O7DEvh>-x}Vfe}?=2x;N_+d_q>ZPD! 
z$5+^ZJQz*qaPNMcm$`XLv6)N`LsE z{Dd{o#~QoDTH$=y$6nH^(+5Udf#EdltH_6n!Y>%5j;}7)xP<_;pW0t(=mXS)_iHiI>M zti8sm{MZ@j?$vtJNSKJl`8p*t2mXgxJ(75XYf#q}`qidH`F#47G{Jtfp3|D--Lm&n zx9KOP{!(`u88!D#zaat81`f=RR%lK1*EwHx-&cUe_Z1Bn3oic}&V^RR>GK=<8{-Cq zf5;T#Xeks*3Z)DPE2t!g`6GTX7libzF}YJ7o5!svZk|A|=~UTxoR zumDFewxHGaS{^N5^})q>G>h@9W4m5Y%{ZPtI^G*{q12%kS=~Tq5H?D9T5euzhXD8A zw!I9YZIN;zvmc7#%MoCEPEoO_|2ZtLbAc?#f#qp@U=Fp*$sA{-FHK9qtd#9q1aVRSoE{xb#4BD>juPZJhuDV3S*0$DK z_FQBNkfK)Q+QP2ED|=#e$mQ~}VjlAOkhoO&G)q=ZM!P3?+eXS&gUBf0lpaBw8M|g{ zrgrMI86MtLeMj0 zxc1JnxJ;<0K}-&gOq{BlOGXsc6i~c_(zz9tT4m+uen@5P_ioxNLHQ+UkbR5hLdPgs z?j$qZ^p+NnG6QCz66r-=o2nD~os54-vbG+cSETL7t;h*U%h_cZ1w2D?c|^Z7cLJR%*p z^%`g@>K2p(W(GB=@$c2+(M!OYT<3V`x1a(bo{KGPsjd$+(tBN6o*&AZJ-4L~_YOXI z%-{vIF1n!)o!L~fTJqdM0;q@G^oD@4T7njXmk#hyl7cuY*f;wVDDfen`+8GX1y)1t1A4J3575 zHiciEVi?eff$=w9Y8|Cxu(cLqBnIF0Bs`uN-z8w7zmt!O=soT!kz$`d>P49j6CBj8 z9i`eKc<_-XSlV4ubKUlOnVm>$cK`6*#i1d}WUxfUbJD+FDkaK(`8+L6Qctqs#>))B z<62}siH7}s9H?z0Yyv)e*NS;1^YR#=Jk}4a;XY9}!d|_Z*)emvdSDqUUdC}H-ZzG{ zswsww(>?8JfG@o?PWe)(q0L*^ls5N*GX!}1CFcR=^ySx}@GtlT&Y1NAWRvON7WbRh zmcuz~#@-6vj{J_Ze@PX(LiQsn#d|s9oc>Gmd&(iM`=LtFkcqQl#I0bxe|VuWeG4@6 zEzrybgE={q)3&VR=ut7_LuBNzZJw=gQ=aRoy(pK`02`rO(kPxsgE2eRK3iTnXZx8v z73k3hYB@_99nF-^p7jjKDkifrY~5aAq2!Ei&itG?(>PnKl^;agyWE#J4kh=CW?c>1ND1pH>_^~yGOk2dT z(K_)8gdd=+IT1IzjQ$Ewn4NyX-dcE(1QMQ*10;N)brmCOl5}<8yY}P; zv{U94%@t>vl6G|87(0c2Mx{~CFULuXlv1M1@%i0glt2`bF|E+2s6S(MowS>C#uD08 zJ0!Sq9#`HI|$|}fEfS+Hf zGMmi(W^0-~hL3QFUe7cK=X4^1r5Jm^4RZDiXJ%UBj^ClR_3p}G5gs;*uztJ2c{8!4 z6rb&aKR~N1yMe>S3J>RQC?dUNW@2VXQ5CArlK~Tt->eZo#VwNbs$wwO{0|9WP;Vq! zEhaVTexLS=eh_S}dG{IMCPm{6?d9_w8iC&n+C4s3s53U``|-gKBOZ-}u)o#q2>Px4 z;-rwnqC#x}Js##M(>44jJUTqoCQ=H*hlt=ht`3I!)C1sC6}lOj{ke*;6o&R9=zQW0 z46;>6hH&gEg>r)jx02Kgjyd@o1~%Tq8T9+KS8A*+Ubend@rU* z?<~v;uYwFrp+^h)lcr{&-$Qu*Q%l0tF0ypp@=A#p-dwbW@+XmKcl#(u7@>@1c$W%U zc77(+y0G84IS4`=mwS>%kTF+fy%U-8Ns?mZ)adFCyn-i)Wz@ZLV()YH0Db2+G)}m! 
zH5<$jlfDZEiewT_oivfsQmAzp>)&;nG?dxK)l}I2y-pT#lh8{&acf4Jb(hXugGmM8 zix%PGLAgABT4K{oM)8}>orC7tO1^c-nZXKs4L(H6insAP%L+&U>stS4cLDx8O^+#) zo-bQWkMiPSv(pBa4k}t}Ue8$*c2~iy(dtK|#Rh8cw;YV)O`OE|&!6C51TRPElS_p~ z{!r3euKrk>FJ)zlo170JQ1`Ke@~1naYq&6Ejr#p{pIn=Qn;5X;5QnZlKSy@JlPg$? z@?lmoeT0$Q-AbPx88A_|Xbqns0`41Jef7&#}Yx^=)~chaOOm zo|GsHlfA}c9cnZ$p^R43PcV|e^E&ko%g_<>`$WtADLV#@oV;sEC_Db=`L%&L@FrqB z%|7}tlJ{TwRMnkVO*Lmq>(2>>cFseeshchF(A)%hXy6E zr`DX-rTl7JoxZbkay1_j37qY&ci@1{tje9|SRHd~RKfil+7l~Cl_F>; zlnS!BqaF&4A+9%d9j=ONcG>Mk1ldWej(C@Q&F%{*e0Kk1=PJ&;io<<`N zyUH1qy@z8sre6{LU(J1uNXa$Ur8PhBWTlo`iHQ8}6$CfuW;v;w4aNcs8Y^}yM%YHZ z<0c)O7r&W7UT3DWl=Z~jBWAVI#?(?w=jx}^ekI!N485E|9=RXly3L{M88RZ&aEbWO z$%I2^8*7l8D_o`Qc@6_Q*y{lc{i%kR#B$Ma?{v!GlH;FtkwGxyX`L1E z@fX{;*}@b@>T~>D`Xf9l`G^|Xnv(Uqi$>F=(-RP;5MThjJYu(UoXB$mA1Uyvxve^P zZx9IzB4RsALREUF10nsM@w7-j!mj4RAboZw(6U3MDG>SFjkG-)Jj@9hIxI4l`ASNG z#V6gEnjXC3f>KC6E2c(B*!hLvfsE5lzQ3TFeEZQqC&lAtTuAhgYF3alq zU*OQ#kY-#4r5acF;Qk?`lg=>H*NAvYxw)Tclqlz@6GEzuJdH?MHAL|c`5!ydE~^LF zDX+gpr=Tl@iU@TWW|4^_1_&K|F1la09J4|`ZNkTfL| zG|MiAj(D{2)6o+u4L@uWxw5-s;c(&8R4NeJ)FIkisYi`fWFVi0k=fr=QR8%EaNO!V zGeRTl(da0v17XwBt`WG5!_>6bcW7DHR2CuvdrtZKlU87J%I%6ieWPM<%I%Ly?N&&L zUpG*;8Lk?sO!GK9jznkB7g{xn6RWniVtVvS!_r08_%$61N$C(-YOec#@FFeu7e7lm z8ypf90*x%Lj#0C&VC#g)ncvaEs-^R@fe^$yhizb^Xgu8+Id#Z9)C9re`2 ziWW5t;2O~XX-(^@dVI;TAp7~e_B4Dg6#KDgGf9w3bujEVo)4+~w+b zY83cc`bYX%>WZ-#95A-~=9#ohsvyCR5w4GJH|`LOpF+~mm(Tp$(bjxOUbh`WQ3rCN zTx>!tG1f+f6c~4neq!=~z?(CXDvsEp5Fy6E%boJ0IE>PoK)h_WlQ>N8)SQ*G#^;t| zv?%0+M|B`)VR#)wm^Dv1fnm#u-6zck<-Al*8)l0m<=g=_h86CGmEzTB%iAXGUe;F2)&DB^MnLn)uk2=XiY4TrkU(K1befTT(9=#r5C=y;Bh=Ij zI7F|G$iP?BXZR}(;f-y$4_NRQOTAIV8W7}Aalz{kid7ZcYS#t?N77svX_MJUTqu?5 zhD!9iW~YWO-Jn@F2+fXkt3E1lss0H2Q`7YPbT#j9G-oH#AMPCq$+AEy@m78JA|x08 zJ#!iTl^qM)l$|F6#KnTVn8M~|Zh*`p|&AX7Ak^(q7E<3~(*M3bGw^|ri< zTYhuRMD7bOpP}QEYYELrlBAx*3%q&L+cU1lj!D3mn=dO9pN<77=u|8JSNvH$6GIH2 z@;JHBzI{ZVuM%%k7f<+^uE1@<;CCFO$Dg4Q*E+OHq2KnIUpl|*=Vh*_D*087buQulZIbl>e@w*5`6uvc9>9&%WHI9PU+ip5<9J*k%MIClA{6_`yc;JA8H 
zgjK5wx3tPqS72TXsz+wX)qw3sj-{0} za<+fh0>?bvPR|*sFLuk0GdLl^OD=RJ>{jKj+FT@=Sy@PBiKCC)d#=Keq_}{veith7|yfH~+@~WNC3?v7Q9I{Y=k28+LQ}b2#Roi62dWDtew))NOI-fcp)W9-OOnnv+>+?r--i|E z^NzwC9E1{EA?;CDj)Vz5k44J!4$J$Vp=}{M{yirNFERzVJBkD{!dQMag%*+9?tZ&x z{Mm4Ov$>yqKIa*<`C46$CKF6M7uP4-lL~lwkYROhF_O7!&1AhP*h|Ax4no?l%pONw z)#7wWAaeTfDt?4fEQ4d(og47j5hidbmRP^_IxeS4m7H`twCJduuYX?$BBNx}2Eg^@ z4f<~KKf>O_#K8#j(6cumv_b@I+w^ldZc5Rw8T51fVIUaRNYGA`^w>1=aZxB8FGzId z`l0NNb!iX#a|Umc3#rG96%n6Iv7eeVwrvtP{w5{#8q)c=+6wtnpA4{#z+76ehw^I2 zvbAt9yl7O*4Xb$UUI=0q3)td@Yh$S-JdU>^u`yL&h334x+fA-BpykStOsy4^;2Ftb zzl025IYShJ$8~U5BDK*hYp(jtb<7M~tL9({D^C*zt#L>V0P#k;5#zjtswtUR@t*^0 zYRa{E)xiTuo5Sj*0j6ohO@#fi7&=ls`V_WXa7xk%Ge zx)kP0?t)OBK=EMUa%_Rzj6@fY;#GQA*8rmd9~gHwmhv+QRZ2_pCKWB(mD~cvjBq$* zLWU;mLZ#9&N)1U}Vb6ps0*`L+pY@>}Y4hfU$w>V@1e}Sv-SXK>_@YWeZQrM68AY{7 zxo6fBJ4?YQP8?cFZ}{ecSs3m)EXIrZid$B(9}2z{o*OLL8~8A$9gNR|e_@zLC9uICR34X&L4{p&?fd%7Sx@LN7hLD7oUwS%^r}U&mVl^ z5Caj?Ju2hQjRz&AMAwx%z_0&0p4cmtNfaj^P|(n2nXy8I0_ORR|Tf%Qv+jR zRYVoDg_$E1PU&T{|0VxU9zo)*mQhd-ZyD~@Z(q(Ts-Ur_;-ksm2Dqz#MK?QOB_Zzv z*Zz!eRu_zbF_F)5V;8q$H407lR@$a^&O_doYt#7hHyduMQ>Km4sMGNIL=f@NqQWNB zN{sB>RMkQ)e9i=OWZxIp0@^+6vvBqCuP>bDq-9aBtrECHIyX>In+u4`;r9jNz^iN0 z3};c8gVb>VKxb#W=DT-SRak}kEyR0X2k)Bm*+%NT1%kVy76#C&b+X!o`6heq>1vl& z?K5)|=ic{bc;g96&(T}8D0ixOHlx}^jgM-M3seoq*Z#qMP7!WCaz+&v(6nBs57qa= zl}QYo0z0E&s}jo?u^9X3!b?YrWf#TGMR!dN-9z0rQa`tdLKhc1RnR}^b90q4aBF;B zJln` z%MtT$Al=v1-V(8w>xijP7YZvO0C?&L>LuX>+pWh`SW0w}7BMM;)P`@C*hr7A?5KmA zjz~DU%;L;oLX;;nv08+7M@9?~xiW(>lQ`ngW@ugj{!_v;-HScA%J(7bI-%J$YzA?C zcu`_Tb9eI;^jlOW7Vs1_Pe}cKwWkNvWJj_!0*3P~hmT0bZkYnKvhv5@gcbUDUYQuZ zyfQmi@;4&ki70fpIrWe@gg2~1a2!WV8q%qip3Ng_!ciq%Sya0w#}!mLE8{KyJQ$h! 
zN+<{&Mz)YY%HW$TQtEf!SVx(qct ztL3@DM4V?$GsR{QP(%xI&iuaya8W{XlkEAUpp8R@!@T~>^+UudU+7ZQwpQK)W*#5{ z&7?-MIVoU_Y=`AGVKD378C$$LowruJ{sP)gRAvKjb5TRq=RfBp#{p1Wbln3KmMZM9 z$&d(p@SGhBWhhx=saoVDRKR4dVuT6gDU^1UTwz&*J!tM8h^^5J=Sn!&-mVMh2*aOb z{Z|X0U95#=-eE>6Hb!lkD$^HV+na)Grgo3n&wMyGSxS4`CG1Y-M~YqA{Q_MvNXs_X ztQ|;ZSG>ITG@K54^RMU1x#~F>Rli05DUYl@!kV@j)k%?1dOKsNkTNIo;-F8oI`)#$ z6VN6~LsokbuYE`4F~*9noP$W~dMHWv5<*a^T4ppsQsHhd>2$L2AqM)J};S%5$7mh z{`ar-jPKos=l}dikXzN=PF9r@&5{ruNmlxkcCjF<)J$?KJ?AXzdyT+|7Hizj{Xl%q zE^8$!<9wIAW64^1;aA7V$Fanw{m23#31}5^wRm$mVp87R7j-~uev`3>sAoSvz;YP% ztr0e{nZCeOlgepa(J8V%H8SUrE!AYKPiyEbbtVDH5jdO)+t+Vm$ZYX1JhH4|!2Oft z9iK}Wa_t>vWY@2ujypcACed}$cE0b9S9W@MK8`M)7IZuShQxcB(giCo9v&Mu`zF^D zmX0D~Itpo{ek(9U4O^sE`1qP>>g2&O2Dsy^Yys%_8wJ7{xjGw-;Yi|+mxnoW>r zJd1Ml_FwMR`!C%CtZFwp*Daik)l_8o+$qonobc;N*}ms}zd$J&QANM5>sjcK4wRfI zk#JnOD;*zjQ^f$?^B?yJaI%5pcGN92F|G;wZxN=45@>*DRmIJop5!=uC^Xszyq}4N z6;4SJ-D>PGVkv62ykRO@@oV9|nA8cYn2_kJfBSg}K=Qe(J>6uhxzQ}Yfyl~AGfZ7= z0fGEltU#d@g(G@6Rv8}QQ&_5elit3%!P36$wlbIBURE3wxqqRz^t?R&aqrfaux!zs zOv*Oje|ofGZy~d<>T3D=>m{*4Z0dZOP zpF)fz2teZA#dk*nf|X(QKagi(6AD-grJ0Nx0kE1op{jzP|!B^5C2kOba* zFbMV4-+XGX5#Pi@bRbBvS4{f#IjWvK(~4_MNY)o*Ala64{R?#Uq^Yt#Yd_MTfo_Pv z+-yWh>He^Jp*ce_;zuFr?F@6u(QO+6-T(zdMw!!p$3H{+?-d;89b03I5XG2{+8G{@ zmo?3bNN%W%))0W)(A+P<1Oz~pCVM}8dk9pLa3)n)4fXlgdWs7Be^lqg+40(J_{mza z3CeQZOmmijw8oKCKbZJHuaZa?9^1YM+s+m_k!eK^JX>j6u`(RW3Jfcc3&9w-{Bky}Stcg!s5a?~#>(#EJdWKO#cRncY zzOYX_C>5V|eOE$faX9YC__!tnJ5jd}`yflA$o`X?e|%7lph|G!F0^dZ16Y0-YOESo z0%*Bu@&~BU<#O%1>3;I=bm&;Y&lvpbqlSZ-Sd)o&MRdDNb|dwr}G#R59kFPAWn&nL4OQ$l#N+qtHxIthfM#ZqR6`{Dm<+~A!gcfxS~JsrBw zXBYA!SN=_@;%6;o-YByalBvwCqNZo%L7|zKlU8I z8=N9|IzQTY5C34!VAxHX72pB4FcIFkd_%IdA%+`=rz~$lqO=iugI`NGo2WsTmI?&B z$Rm7!J5VD4cPl~`cMf-r zPwbx6dolGjK?KdB6gz~zxs!`VrMnjil|#5n*|iIr*kK4!MSP+a&m+{;VL}gZrOj0} zBm3Dl2l96_LaLNcereUs`G0~fWN|8NEabHt0z-q^`kP1YhJV-}n#GsU=%cnHy-}0M!r4v!R$vODv*;tPxYiibe$~v?} z=Gj%8*IDM0bD~2=r6z7*Y;{%?8~4R_p8SaL^99zZHlv zcXSLff$*7;s 
zk@LKbkkeZvNOLjL`z&$dgj0W7bj&8GL$fWdBq=Evv5g*PKH#8h7IWkAB?cEucFCs1 zAGuT>xmNB5rC3~W`ag@*Km~W=v69F&U6PcEq*`O~?1(NPB#Z(z!HcqgZ;~P{-<^=p zgfGa-d@@aNh7Z!Qa9ZMg0|P?`Ww^kdZ!h(W{9kTR%O}h^kwCWZ?yb+E=jmVBrJB=) zyeu}yr=#>x$`zEjH!`wVw~UL7OfqUfp}Umy5Y%fqb3B3t$_2d!5lcXK74lr}z&B!8 zfhQA4(Ut$Z2cFhEJ_gLYBMR1j$wuPg)mR?d!Rmw=n~~8I7kIutmuA zzOUxA(D0@D=L$9Kd-&d~iwvVwERiYrKh0YUfVedebvWfry1LJsbh;&9=|tr;og()f zkxj}JbcoM|3f~hQab(A#eyG>%SJ{e5*oAU`d4sXx=i!R*n)i)6LdW~;1)V)g;(GB0 zc{!(jrw2sgi+2m7eicnG;-2ymZ9t>G9}ysptIm3njd@96c4zXXxeNcR*K~LKaP$}p zhG$S0dM7TBe~eD^g0G)7r57{!erQgA^#>GhC+1q9J^m-vu%975r}!3ZO5gITlZT(% zqgV2^7qmeRQBC*%>E!se;eu(_^!P=v{PHX603rsRAm4K6&dn zd|Vxv9)TUoGlJyJ>4)A^+gAu0WAmYfBTsOQ88GEsW43Na41n)s4y5x4 z>ojyhRli;s<4VWj>lq#ewcwBi3wa10Pa26L4_iRye7*qmS6ioO=u&o?WE5@41f@76 zL`)t@t>$wkDK{KRl-K400}ZdyWyNOu@QYqmsnw04QJ^EE8OB=TCP?ERmC0|Oq7yj_ zCG1qdf!5jkgY~BXy0>*5)Pe1G=b~e~ra5B@+Fk9u{X9#+%V_w4;i|V7CU_VA7Sktp z>Q=qtdM*C2y`Lbp=Wtr|`r5lfY?0P5Tf`;Gx*6oyKTxMPZCSi9m{Og=AnVEd{N-vK z((y=OM&KUssSlBAspF0PWDl{d5`F@T7%YlWNDtFHWypv5LOrR^zAphn0L&Tz=rX&v z1XfptnV;SLKh@dt>_N4px!Jhsng?<3eGeI{$P&j?ql(uC>GX`okfuQsr-h&QcLsZ# zysO7yW>VSbR=W8g(QcYn9jE=&86e$fV`WX+_f*1_EA=j#!Ig=OFLkpTj{TWcdtlaY z)~j-^@3=`D&_HJMdDp|I{=bPO30r0qTni&=m=CjehEV2C^&Dj;TZqWdA%i86WxIJ? 
zqowFa6oz?t{?|OkFv3XuS`K3UNL+D$ZZtUP1gEXDSN|Dn#Yfga0@~B!6%`eDZvB48 zgeGP&;108EQ-ldfJ@!zhsFt2c>QEWxytx0L99cZt1Nmv}i#x-L!3g1wTzufk6T|=!ZRfPertURj|%Sp>2rB%BpjCOBi~KW)pDM?I>(|vx@lLJM=Pr*yf8HvZ5b{u=Des<%3r@U z1cl|vFZx#Dm*kUK-xo%nV?F<`!y8zZp#8J&O($UTQik9avW8gPHTKnx7NQ&i`0Ev$ zj_Aqj7{V^sokzFvni}1wH8w+`)%>3|?i4f)N+zM!#7&dhqaY>ikSYvGMY~)NONsZ{ zTB~n7R|AA?wOO3?>iz6`fS?rpdU>Qj7|(@pn)L2?me4SGQj@wVW9)LK$etjF~myfxl5egIb=aXx5;-b!)Q| zP2s?_WT>37b=I?9U3cN+a1x;uSenQ%es`bDICS_X5a7{B>x8h{Zp!O^`;xRcn4ps( z#goR}og>E(^hSgcqnW}Z*>*c{K0Q~UUh7wO zM3o$G*&J(5fu89+_(a#y;rVzo4J*|Q)h!=K=A_U`a8EZqS~PcP=lJR%SkG{3DjYR; zvn72J)K<<`DT%hU`$s6El3QKJyWj`(1DLY6tx<=zre;nCx~w1o(v52;H>^jF*su9r z;)XEU|4=vGkC>Sbx(a;I2}o9u`>zz^wcg5Zzc}T|ut}Wjuc+`_LdwFzUZ)P#+s$)o zmxXmk9v$wVr=rhj_GgeewcB2^O0t6esdZcVg?WFThNXBhn@u_<1|hVieuCe@VK>9A zE@t)SCDeF-q_a#fk+~5#N`*X?eW&+4m0%y4hCxa?@%W+#hcz>m329U@5*fdO22Q%f zw3OT%UnJ2cd#w(`&u{Mjzv~YK%gx+?c6V98XF^W7oPmT+(z;y@QbR|)~up(Lw!129@dmdS%C8#W^o<3_L3?1Fd$wi@!yZvMro$`$pe<&BsR2S6MM}s_X&v)on~Z;bStn27Bb*6!mPy zH)q>3oQla&vJ&uHwTS$CYxb4G^gj=Q`Wo!ie&-_sOttAF(K2y6N_vy zWMM(BEH6*S%lRs5PX7fOg-0fcdNoa)mj(5(a2FCQ1ReTMaoScQUN@E7-gm3o(vMi* zaL)Omw*>t&^A*wbv9Y~z<->p(v-^#DrUGtrmU8(Mr8AY;Rtt6_i<5$k7_(mq9J1=a z)>+(LuZ2b{)7Oniv{q_K@21ycSg!;Y_N0{R|Eu5-Xw|6uj7g~jGkxtSchG%g!tKjH z{N=Ds>dE#pi%MYi&lJ>pHs|#9K*0c^<{LcC;xC zHL#p|8FMDvo?ztH4u4R5gi&|pv3?d+6XnksRcoXEFob9JqT?_9v-BDb7sxe^leZqS zApy-YTqsXgJ;=D=W04@N5+0o+Ag|aH{f4K1DK!Cp?&TJD*<}tiO9r@UTib6v%%=(} z;v7M-NXJW?M=xzsN*k0}YKDhWMha9*8{Q_Pnd1N(wXBW-SKSAw%6TOehs zyDQ7#Yqi`}xNg-1UXQQ2Z1FEO<=}n_Dk_hz%SAZXUr+J2H3HawNNe^Jsmy~$C8%xJsP!5K?;7VMAVj;dan`hQ+s+5Cu$B=7UxAW z)1daXn6>fU!7b)PzK40~;tcFrUHZ*DH&jtO?Q@PMTJ%?E>ndl@=UVUKKv;-lC zeAt7c__d8Qj=H2NRdsii1HDC%L|WjYI*TsNP5A$)tEXzR5NA5dkk7>*2y@U*L^plQ zgkCMMF^(ldIxA1#U#E<8Q;&vd8FLa8J5(|=dX|2MP#Sg4=|C5{p)iFbm}RY^ik?EI zH7yJZoBfcGL~1%!OR)JDZ=US?wCwwZI1OeH5F^6-zfW=f_+#XUY|WhMe6U3xDzT;c(?Jx(Lk>|JCth zC7r4Z4w(Z4F#@+$F@D{3vnl*Ws@iE9O?8qMD+{BMNQnJDJIWNm%|X6iRwJIacg#n; z!NYcAG+kx-{wu2*_%F}r{qNl 
zz|?#k*R6>DhG2B^@m~JXCu{5A)kUIC_CXozz!Xt zEL5peNTzWW^_T0on?q@9MMrDz6&*1I% zzZk4tpFhprxKY$jA?dsdOiZG5ZDE)}$&l~)9+KKnKdPtlIeB)eIGn9MfJe3eKaWkn zg*|-m1|V}(1Uf^}w8_$ZUz*YPB@-LSQ7^~qN3uBXj>^oiv!VIN^2tg`!+fep!F;lO z66}*xJqXb_a`2AV82gBWfP%3|yz@27{vTY$@9XNGavuwx%}DQE^*eJRSD5n#kW&7Da z0m7Y&pPq-yX$ZFt=rxpvb!V#*tJb+dozeU<4q5EL4JvGe%c0PirZhkSJhi`gC8fh1 z=56|Ib;sG+g?i1yk-7)dF@HL)ZhEjX-6#)q?=e^?3HLT(a`3=L&}wrO*m*!Z}WG=f4Y@&Pk}Dcv$AX6gHz?lZ0Fv%sc_qqw}u6guG;G z2xC4_ng|WK?u;df`4AylV}})V$v$8CyPZJ+hxZD*8-j|vpBDoIoP{*vuYv~QA*0(| z0#1u|-v=%my|oX=7e;`Oe5{7L$c!X63~<=~P|P-x8uTE~z(m1mITm{Ow@NOR6gDd7v%nDae)df|`sl_lB{>WIE((h8Nfx_A zKjADLxL{d6XR4C{iTlkMw(MpocWX6dMB6a`yEkwxD-Cz9sQ@P_m^LPCJWzj&L>pYN z&nVX+@ zokQ%Q1xkaeQa@*9=l*?7Bk9rG(S7Fz!f)97BB1!AOIXb^DtsLj@8(p;GhQ zwRMmtOEe*-$u6<+X6a?Na!_Z{#}S*s8SPCGQZpg5>)VI)YAZ`~B(b`mcOc866LE^+ z?+{j*#eo3@u>`f*{8*6%{f5N{{x6W^%X-M{pz!snO4pNN&lPiyqU+;9yz~!jxwk|72yxv0GOL;N{?H;- z)lfeQOqwE-JcjFCgb8mUNtm^|K1r%dQ$Jq#5B4_7kCc;hi#PUaZQl1SP?Hkv(fnI~ zglUW#@i1#WPIr@p*t^yx-!(@>XB-6}QjBTHu&p~ivmo-Y^l@4tvRi3$4s=0Ukzby_ zdj+(#1owR@zzthyp)@QDV`m3Q z!)T;(5OJK6yzw<;cod}ZC4MmI7(P37M=`mA#%++hlt#M1K=;`u7zkG~bwMY-W*J%i9W|d^qZku1e}mN*Zf{?)tm{U&3y4hrNJ)e7N0) z5$TLSy*3-@yuKI8 zN5)M+c^`7t?ti!KrSg__dNX|U*N~pe=Sp*pl=`#C6V0wR9@tHP>1M0UlnH-|bpi?3hVdyw1THd2{Lly2xN zuouz&81(NN!#!<`zEqxcSaRy#%7)cLM_(^jSmspBSAJE(REft`A>CFL$E=E{14aE?#UVDhi;E&S+k9GR z(`$8viF*W@1FI=FIHQ>yWh*;Jt@aT7g-=rPB_^7X=gPI2{%iqA;7l|sTUOe)D-5~x z@gt$b+sO@wF3A@(R?joZ4!m!Ci4}bFV5zi2`83`ppbY0DXAL1~(Z@7jPJceA_;cjd z;%dGd#GnAK#9OCe?zx;uQh|o`ThuV8Td|UOQ!S^&_vgcmk4N!4);$70`G}`i+2A<* z0S5Ox1a`BU+WAUrhghpaNC*mtEk#F;gV}X{{1MQ~HxxH%-mNTWZV*0>8#_Hm7=qfb z81Rud7OBi^q2}bC*(LBHYR$~%$E+p08xh{iP&wl7Vw>Rbv77PUeUCOg@gJ#t=dFM; za;xx<(ailj{T?Ft!{%e<8Ti}5n?u)MfUE}NYT0-VEcu)~$#quBW)3e|1a zl;4zjN~O-G@GLo>fvxrha0!e$))5RM7LDXmF$g^qGd$|n<93iD3Jaf(^NS~R=tLaO zWHL+kpwugj$u=z(xh6X-R^+1Ky$G-zcW~Q0t+sfFSR)26Cya`sgRyrX1z{ams}Xi= z-JX{A^wkwam2Lvi_++Y@EbLr0ERdB*T-6L6W#`d)8oG|Ri%fmf{$N!k0gv6$_O$5T 
z6`qevN$)6r<_Q3!Pu`Luq;LhHIfr^de@lwi4MK*=oo=Pq5L0;S%flDf51^R)X3Jk~ zdviW?8$WEFy6-x*ejtHC4cdr+E&cjIy1g7?f}6?mTF>=t67LZ}0QBwDF%MGKJr5%O z`>PQ+EAdSnV9xCj}98EjQ$-|Xy2H|K=8CQw7zpu9{V8u)IqnvSI zY-7aGXZC%z02iDpE2szMhK{NOWqh`v@)&wdU&NlWv6sd}V`5dT+R?X1?Ms?Uzoh#8 z-n;A1YkqPOBkft^CJ(Rr3+v7F?!iu>{w7`|~uReES zHB?PLtLKaJh@PG~GH?C@w$Ie(2giKc)907_=-srP`O3T_n+wvl`oebwt3O~qwMTbs zH|ej0fA8WuSr{+)CV+dzOZG;4v;OvC5T0P1UKWeI&dvjTZxJch<$O2`Uf5ek7%b?e zm)BCfrA8~G81d<^<~qM3q{HtF9GYREWBBFz*bAv_mR$g5rM6R$u*kHGfRiue5G%JU z{J@{v3-ib?24`!*``Z9>&P#*_&BFiatB9E-?lXKEI5Ibl@Jq)8(BO)<)(DH{O8kkPZ&}Podq7(_JZP^BGj1=~|!jV_gqW zc~$-MywkaNgg4iRb%(X(`Cs@i*{t$0qb=t1_shIbSDy^xScYKP`Q!Lc!%mC>iP^k& z+A@Ibo_CCR#JYb@h)^C0t$rwNZ1qx-eC3JDkVi@8Zq5 zyKD(d{&6oSP7m%>)fbob3s?8jKw;i8Eh1U(0-nuqL)bvM(zRyo>i(U5|RO#V`uTOt9M9td@IZK_eSr9-13oC(xk3 z`R-%xO89dWg|rQ}_qU!Y3d~ms(}}QxihbM2LoV9dlCNGuKLgBNWoCg{X>4al%u~-0 zq7unCL`QFlUO^HbKWYHJsFT>scttzlbMHTB65uHB_oJ#U{Z2$6lIq^85J-w4gHBZW z!oouktFA8*$l5izwOcvK*X;WQKp;nDnRL3d0^p?`SUJAx?EF**Vz8q1lz&d7+U_bw zma_VN?exHB%)&}DzF{on>~~m&<@L1{-fo}05CXIh??C5h38$`4WV7 z6Dm33?;o}a;F4&}uwnbvDp&CdrUWWl=v>IT&>+OmRsrI^|CZ8~LcvYTM$boC(eWy+Sv_%6;OTRQkf&O) zgBI_&7I}XDK7wZ~;gC6?m z%;|x_gBfe2A@$sFsYAh+KL@7C%rr1%WScqzG1lQyTd2~=`d;3)`RisVxDkG{)elCN zZnJ0SN?*xZH0OsKwduUqFzk#ae%#s#cD1?{&tRlTUQbSUB5CyUVQxJq(~Nho@($$0 zT)=p|uzYcT5(hR3uiE+jJh%pm$8^d!VF+T!RjVlChlO4Zxg`l;j*lPZxUKKt22uvb z#9oYpP6M^fjz|^7;j}Yz%Tb=3M6^2Lhhq_`n*6L~%nnNOcK$u0CG$DbLCZ`z0CMUMdAXAl zdA(Q!QK#qCi3rd9VH@ay3~iw*E!fSCJd(uI(Hc+ZvE@+{1xpQAybLW_UcjtV~9nkRa-Dw|x^yj_C;p2Zd zhIuE{xI)(?eyYWJjlomi5Dd7fsNkosj7v3CmFWd5)xCZ}= z5MOZiH63DaE`+nQj;?+lk+~J-WF7egc$u|F1-(VHW&!|J&&BS02~T(*=dwM(YyltR z;4VB7n1NwoJh21w6M2(w?qBGgn;}e~qX=Y9bnZ-4`lD=_=f1W}NOfQdDspA(t1aLD zW>qi$@_o#t2xyv#zNYgHl(jV)7LFiGy{KtpGnDCvV>84@bJ7L2L>prpZiUhu+u#n? 
zCKnLVzLGY$J(~^&rPBH=moRG^|3g|PfISy3l03tR6T3Vl^vd}rjn?^F=(U{&+tbCb zvC|KH?REOjHw#_802q|K@PN<;eLRj`>(;iG0b6Blh9-n-B;_&t=SC=0~G-Hc&@Smc~kJiO>J4 z;a^?gSw!x0+sn#l<2e?D_hdXSs6h1uWhVw%UlG(UtVkn#x@Hu*d6{eT2k7uu;foCI(7{w}C?E3o1N=BFV8WYAFJCf^ z<2|fO<;NK$C0PcmpRx!-&{m0kQVU}!JRrI;5FmHl1orxVOq#D>+(NiD%*RUZE8N_U z9uPZaltI9QsE&h1`PK#L+hm!8*vZcXp6fP}OEuT0xC~g`+1*+S0R@(wBk!XR*2w~3 z2GeTOCfWo~9vxK-9O^2V+dU&kgu40XOTm*(4)lb-!%Z`S1< z-sY+?$8$E?%DW)Y4|=f2Kcuam2lo8Y|Ijd5anoWC=m4g7vZX za?n0e@M`+-u>|ok_E=>)_D=NV?VSo3;A=9NopSxEmpt;cwbj4!IGV8fG!UF*tw`-% zY|WY28*DwlUM&i(OZ&y_ly^+)-Mm?DO<`)|9K1E-X7o`94__^sxqartv3W)rBrLrP zb$r&f`eJ7UWv)RHeYJ9YJfgO}{B=}&`Pe$k%lmQGg?sCasVwZR4*RLz!*9_pQ7yf| z2x;uF^Mh;kY8_oyTrY)~CCJY#wU{cY!)T%WP%-F6@x{Q_&csu}&-`0CzPj>65KoIG zW(N&7j$@OxOY!B+u5z!T7|Emyz8Y@ik^W2%3joCi<=v(|wwtJ!bhSkqPt*PPEPf6| zP9v6%LpsH)(c=sKyf{;xwxrVMMEYfT&$#!y%EllWo;j#pzZ)>*_rUnmHy z_C{}|9C4>u)>gTr9&a2SAl!u8Sv7793?v%(fCac<5wN`uL^KYJX@!N*;^*UwA*}%% zGh!p`-t9)Ph}^t-sSW_qG4Ef+tc&wfj{I`2U$L^R_IjPIuY68e-hRGxShB75T77IY zmOC8FRtlWhZ#uq1DXN-zkZ#C_Ei9@!8U9UIa!bwqFOCgVsGXUd@0y#R7sJ!p&lhb( zH=8M_k0^55TI`m{#+$gYRQ2Vx&)b(;^HOj!%fohPfN3Nzl=GmS>TZYSJ~4XB$)kbP zgX;*gaW|Z4yFnkpN<9vu@qhVD9*0#f@rVkV0Dat&W;J0(F!in~{x>9%y$3R^C|gOk zzdnSr=ESspUC+F&5RAUVLQ>8Xw2E%l^XWotdh+dTWNhN?-|)5ymKq<$paCLY9u~a& zz$p>PP!AvoV;92&comszt!yZLZ%Ge5!Gr@>%fh<{rIQo^7ecOw+Fc-N*V+=3GPRYb zmgmP9Z91)R9!N8eiNQ)J4#}P{++@{SP{l{3w;!(I;0+O2Yw3HzST(mI zN_oh3J_S89->LUS8?j_y%0w|Jd8VzH=b8$e``*{e6J&ly*B@_u7jz-Ko^_-&HJ4^nfU$GT|BSQ z`dqnB- zZus08eT7l9Ewj5s@p2v;^$CN%ZZZUQR89Q8s3N_j2d%%xh2VPzgmP`(zueXpo7vsN zl9_X!fOg44yumRa&&!B$zPC{L7*daYcyqecm;F(om7tbp?*i-E#Im51r+>)JUF?R; zt{~4sf};c8snGgQpt}5Ro-!1!v52FoF zv-BNJF6cx$YD&gR6wZRs(@k(uet~GnvUZdEMJ&U!@rA|GdvhVg%wG+D&74Pl1b0{N z;favKJwkk0Ut1 z-O&)AadJiOgk&k*MVku&-C8u?RTVB5;w%$2kD9g0!ySJUOfB6=YvZsoUMpinlZZ6Bx0vjOBUYc_~Tr^{xmMmxx$ta*9lXnbkyy zYpijLF7c|goJG1G2}xaBY8(lu;I_W+dRc7;V-a}}-858RLmYcoZ6|pOxfB^hv0pX0 zA1<670fR0r1g&16h^?ZAlJ0FPAUss|Z?5l7_T^g9}w|4E6&oNW2Z)Hn6GVFMfUj@!cvvi&3r 
zz|LzLW|G&m1VotG`fC}@2b?r$I`JZ;sI6OQffl=_LErc!kucNP8^Oo8fkYn_M{S3J zM?(bTfMNQzAj1SklI=iK1S6?IIuwGdW)NDq07f;NggCe>s%rnP3aIHX7D##W&v*ZF zdy-otzibB<6K&;ia097w&!KDt?|x(~d|JqtFcarO2Itcfp8VLiAHU>uNm!W#kN|kU zMKG01T1M&J1gN zp(8}g2rbX_y69HuO5$)|J-L){qr&zO`T#Z@&WzIoo`R#{#OL$!Bon zKpGyFK-lx!vP^_4nLa}3VQWMCU0WfjvBf$SFM^c9de*yxh}aEp8k3UCXUEmx!97h# zUSkB{jqA?tTHUgv&B-7USescmGGDt2b&bAy;=~z`7buD5?(0^YH;O3DtLb-i*;iF?aHPX?q^^RgomzJ&9eqZSmvnbwP+o6H$vA|mz-QmB9 zG-tDDF{gJeq`HDPT1`F}O*jTJ2}2_W@|&CorZ9S#L8flriJ(m!R`XckdL)pB?r6Qc zK5oxjEL!!2`)VpSDzXwNdoJdEzt?G92Aa3 zp>O-Dg5xe`nZY_ej_c5}>-#H5$>$jDs?g(hhx(qT8@_yanK0@)geX~(7TIA;$V!Uu(SIx@bR`069hugsq1am^HuJJ+_|V^W}e_Q?>ldfp{^|;nR-#jXptVNdoO8PeaFy{ksI|3PJK)>lVVg zs*l95IJnLHeN~}gVT){iD8$J94QSGEP~h8^ zZ6|M^`|dq`e%2Us@3GdL_06jK3X4lzBu-mPL;!e}r*xPo^1SlfQVyI972NG(S-<)o zuxr`8UiV=-_jnBgBAg7{7hq-pJI=Woe~8eNC>7G|PlwFRI7#0G;op376Dm9ne;`n6 zdRl^ozQZ)POcPWc=9v_^b42)2kaEG-#|QG3ON*sfF$q-5R##bqv}!hX{c^(UE_;5c z4G~ZoGApNWO9HKb4I8{}$FTq?kn(6H#BC)6?GZ}~1^hro)lP^*P6(=q$ZrUjN)9EO zM;?P5FXz%XPhSv>n>Zyu@F5)_gZX;^alhk9fd@beJOELl2w*GD{S#<>nYK8m@1AfE zXFOjH+WK1KiQO0N27Cu{uFoYdQ20y4sX(7x9=?2j+!sN2oj3=XQY-N(tO@J%%<^f$ ztCa&jGlX*aPC`Gj9>K|s+P2k0Sirh`TROF=*7I7i z@zd4I9K20SwFvqjzMH7Ya^PokeK&4XZe`{hbX70;M+sDMvVA$1cqsDjPt4pyxmcaxiKT51+C6g$yE4F1=iFmXpj?X5(>1MSI( zG~T1~1>hZF$oz#`l&V7#6F8&B5;O$SI{6*IiNjBL|h>&j51Ml2=fcVVHF$p^rF^70+l3o>Tn5r=eXce)q zP_t;&5I^dO6HK=&g4&=_#uNNfh^hlZUd^X~O9cLUbj&f-B&|)tk%kPiDtDNX2jtUz(a+Sb`0=IWjGc`oic zZsIln@)dp9<`5CJu~JW)9Nkp(*)0;Pi>7nmxZ)~t$(O9c?Sh5W^_wZHvd*f ztfL?WTzFK;#AX@*E1a)0xs|-<9>nQmM9M|bb|Q+mxd$qbnBQ>U4=Cq`^Hc*3Re2oY z2~&+q`bkf;Z*ObcaBe(^ydOwNmKk`CsZX3*wuZstP;cD4*=!iPHJyeUw`T<-5%5DG zA(E63h7MHH4n{&qLST$bsz1VUXuLw-9vgkuahGg7kQlZ+zck_-D1kOuz+djv3l~Ph z!5Rh{X!o!3!agYir;VkM9TXU#iC5N-e~h8Twz`hfvOHfOCIReum~&-?E6w2`H&Aru z+v9tFRik{#5AReG{T+~s8i8s0gJp;$W@d*tJOs$PVYZ0;w7SU^O*_1$v{WaaO&FA+ zns(2Z{lgRB^`wGp+Lu$u+)MWD@BaPni#G$_0A~N(0B~hbeWPafd5VGB81Qr>_9{H3 z3;K`&3eGJ@Xdf@}0aYaP7g1tP;LTxnVBhE$q^lPu&mv`R^3sr1!yjV#3ese7S&#vG 
zP`zjCF7z(3?asxsg?Vg%yRfu^<)AHiPQhn2HD8gq#Bw4bFo7iN%NAH< z?I@bDR3O8lMo+psT20FiMj<9@1?Lgv^(2ISW(ilQ{kEREGAjRN6 z8`%H_q!_?75~2Ku$dS5PWeX^!4KX3z`*t{y)UkscRTm|{UFVL8ZpS(nw>*ISy+^<} zR|4-=R=|Px2(*a8rz8Y17a>ZRCIY2njV0Blu>+(?H>vbzh#)kIi^&HpQh}pLb>^ zwgBo;nV&iI$gZ}uT9Ig6}nH1cK8HFx5g=vMB8b7QuB4=6OF%F5P`V+ z{IrM-fDq{HwLL)iCe0K?UP78{Cy99JJJ*4u*RVddwhd1N`=?^d(A##Q--&;6?_!3k zs+2BnU5L>9Aw>%RnCBvzN!SoAd}*59<3Vq*K8VWMlfu`=lJ$;Kp;A~b_+VB`N7$@< zvE&edg)0Ro8!TdYuJGO0gRPZ+aP<9HbngS5;<1>cm7i?n-97U_CBZJ)SaNVj8G0y@ z$&{-4mM4Y=1@JK;K_z?fpO`xwv6a7*tu^N)u1`b?$L2CDS+6# z1&Z%Oo}p)y_cT=A@IpR9n$zZsTdqXSTeQP^HQZ`Hk5>UsayM^_1(!cHDLm%}p$i3Q zoa-*cM*5v?gy*Uvi+8UWUP$8bj%Qc7OtjxnTuiG`bL-AV>1t>@L<-(;N)2_RsUPcof6qd|K?h_ts%I- z)KlUgwdQJ;8YHc?n+wOB6t7grN~5Co-hyViD=8{$t^)cYU4d={D%f*ZB7W*mYge>H zv7s(ltte@8#y5Fi8^Pc^t9zk{a;(|Nc{r*nT?zYpA*m89Lxny2c!@{$vclK#j5zyj zboofyh=?F@qDL%c;1aOE(R7LHJlt{P0-SOv`n*z`|6J}zT^sCPzCNWK->Z!s{P4$R z^a4AldkAar54f&9@wXn?6WXRp57P(-!A)?tho~1pHQ3x=y(4&D);;?$Qzz?P){UE` zKe|$X@5{qw^Y`8DZy3;NEeuPG>Ime0g1c2Q!E_uC>zp15eg8)H2ojkDEsY`iV=@-E-J97TN zZ;|AX`gYuy_6B?lDFq?FIr$SIa{gB8uhQ{I-OS>PKM8*oa#9y)kM1j}BG1l2X1ocA zeoxE4KDmLl%e;t$Uz9DiB|&aei2H>hk6Nfnxc%TBY#?Qoin{4#{)^f3(+|%s+&$0E zfz5z_5a#t*H0T|j;;fj%fS(NdRYl{_9N)n`_xt`cW>~SPk|XB4G1>ygyyZ0-r($MJ z>|b*vi`(bpVco~KKmbTa* zRDq*>>+n1j-SGFOcrn=m5^0YgOWKauD_Ml%jgah?yVm;UO65YmmSA2`Y}GlAb923G z7LV{rSsAsT$$o-ePmm8OF5^f{!xy;Ch=k+Fh7-jcKluiMQg14K0d10aQ^24oZY{?s(-4U+1Ik1O zdGt;p%sbVVVkYB%Ua=E*$jifeh-ZN)SQmZio#l?$gOi$_7)OcAu?#$CY7Mk*Q6d>o z^TjEEIgzt2qqD>FR@c%rGtFdGcxLrnF_*@y;ZF-WeH@nm@T}aFXk(!L$;6q2NgcYcwCBvB8fFP+V0a9evcX$bV z0|AeC2ExH$P%1ij2`U4Dq+w%n3ruBags(JTk;>Cm-0_wq6;%bJ^l9nf|Klgt#xM|e zHZk}CZy|LlHM?&^sGai4dJZZZbhduGZM))e$w%O=cN_wxHk9xduuXyUGp&gX-Cm(o zU}zcMEg9#7$v?e-N%}U6pthp*3W7!0&xGeSc3yUakjY3ZU^&QkseXs41AVVJ7Mt8q zM!T9x8&`8Y{`{TA`mD!89hzZ+7UBrK1)*c-tJL_8cLEK>BjwB>%H@q!e81ao#v2_{ zhZIxZ%ZQYzM70iBfj15pQmO0K|ofU?|l-4VbssQ z0gj0?=z}>yn>%iiTqcag&5Tx|e*iymIybtuLdfl#TmMdmdby<^y%sBP3mv$4W|cSW 
zHh|J#f(65CHH>f8NRHGH13We{cWm?y>1CeaATd!Q@1Bw{jRbVyWY-8n3?Bl9{$TvS z?q==+iign>riVP9;%_NQa@oK|I7kBJ*Mcyq1|2?Yz?I;7aT_cmAotZTsQ5znb#^BA zL=hu@>C-t$Tt;RG32j|jTs*NsSUBPjxZ#DrJbcewmEarE47gYmu5n;~aFJ1_hIj~25?Uk*AcQ`xGtn45q(v0!jZhRyHB)4at>;2tyTmhTsrXN* z7{pl@bGA~4SSAeHS4Di9>p|2hoX_hn2W;u3c%#mCW)(hmPHR1?S&-*evFfgLJ;zj; zL@mG_?}ZyMzIqI)gW{@h)zAU7Xv>*sLJlkCI6n-HVpnOI?_}WKb*;~5m0Et8Zp82e zxx&E+@LY)`(y9(H(Gi#!)rc%C`-S-xs=WRl6T7N;gl<;LsAYq=A1LKD$04d>D?5*! z)Wjbye|5+;Ht!V~m?K7>-5-0W8erD8{i~l46}X+EF4mopKntL%Hlroq8TYZ6#)?tm zQt-k^;@VfUKS_l~3hCpPA9mC4u8biMVjgfl_gj2u!O+G8I3AgM+awbYkj`1@z`{y@ zSK`9v%isU}x-9zk4u5!Q%HhjT^7N{L^2W1>x6mrz= zgYPf2kL;damm8m7fzWo+4(^t_7ZQS+`8ZODHiIiBeLNz|0?93Eg9+YH2JqCL%>y=V zSLmgcR13uD64F1D4)Aqh>*eo<`B)Z(_=Kl;GUe#y zFM$5AA1WZ;vC5t%DaoPW&E=p`2R5N4rx?f+8p|+eZvDsJ4B-O*!8(8+xS>DMwY=+9 zEd;Yz&ya%JoPl+dV9ROfzI9nuGz*rH)~&_SH_}ZJyPIVNiDNJD?tCn)dgaXV`X4ZD zU?kQaEJxKC;!v$oA!qMgiH(!_?>(QYpd={^?UmUs)K!%+Cg<6<6LWWuMV<^AtPQq?$JbAdMt)W8F4wezh_e8Dc-xc_~vh>IZxwV|)w(|qeh-U;tA`zLio#IgP z1M6tP@I_f^4lqn>p=pM0dGr<7fY`N;1tY@r{V##KetKHlC|Q3zr*EfJ`8Y~4|Vwqm~LDpv+0vA>zQ2E6FcS5qf0 zHOjS1aR}oGeHWwZDLF>^ms{`)@RF8jQk zF-uPzjn|QcUM!feZME{{6e%InL6Zl5o%%DbM)6FO`IR1eGq|xOqK9|Jaljf_=&s?p{AL?tip{ zY}*hLEV}_v@s(+t%O`U36*~Dm)~MFSOCotOzmAm4(HwvD@o!k2>ayP#}KqrtyVlz_p-6of-kT3$3JrhrN))+1xjy0FAE|s_ceSZ|qUMPbhtm~MyKX^0M zKw(IObj?N4uvDV=C~v~45)*DH;4EUgY1R`W%sp;1#$b`X-jntD_*#cioiI`t&cB-| z!dyfTY3rePg(Ia8^(p&~MenIQ@-n263I4?85sb6}M@9{sg6g+-Dg_RzF@pH>>hknX zD}V->)G>U_B+nLc1Fk}_l&s_68AYCKF&)!!RdQ@3pxo}AY9K}E7!rK>Y zbo~LwzyeU*YxJ_{19&>y^Y76FD)!qDfA1}2=ODD@#$Ytyy;Y{z7p|lLI65q0NYO@z zS1fgT0jbUpCC5477}orWm~=u>kpwO=k$@V~k_9%mD1yU2&81~e6@q%(2*^PcQff(D zUNh?r{Jpoaq&WKs#g3I1&n<*F94TiMLyF61nVLW$Xd4~ zi1+X%mPt946km}z12W%;dHv7-fO9VH`Dgx9pu&MJ`DXwdF0f7CK2^=GR;!K+1{`IW zhqi@(*dyi?=08doQ$R6NT}kne(uJD&pgT~K^9%NpErA8%=C6ZrA{kEa_utn37FTd! 
zMStoI&Q6gPKy-zkBDC9Jq7rwSC1xG)6(X&e1FLXhkF!E37Wo*&n(*ggk`S#!@9pXY(0UVM%$|@G5-D3zwV{#R5(bV_AfM*VYiJG)dXqk18+&dr`wFE%(%A!O2v-JxkBk(mm4ygi*=XJaccby1kZNcoc_) zOB07016sUSY%nf*@x&AY9793dk9(;|h?8O|cv6@Gg3ChjyL~v3*Cj3HIR%6aa1kZM z9ip<*AO74&B3?6l&?P>Ok1hjo410&Xn_j`b{b;2ZKJU(|>(%VYxq+e~eVlOxlJ-Jd ztSzKTj9UGRt+f#kSyMjws&InphQDH;-Ap419JJr!^hkY1?5~AmfRfZ3@__c0bPWp% zXXI%>eL$oXKC@%|kb>q^{RmQB%M<8dqHlz2C-iM)2db=pm+;5r0cl)kg#+k9ro@yO zYjZAFi*n9~{1YqWA{wXDfSXU=;VjN=vLk9Nt`i~y1#}Yy6<#>3)vTCot}{L=g=GC8D1a zr%aORq(4PrnSh;&*wq;UDk@(G1$9%*x74x@TcZB+tc0Av@gpltUx3f*Cjxv{0b;H^ zkZ?0uP}G?< zJRS+eH>*D#D+r!ec_pQMQOOxiFE4ExfhnZEF^@M(T}#2*IJb7`-{IAb^jAeW5yA0B8{Lp>9|Mimjz`<5bFq~6Wz6$;?xDx8^W&L`Aij3gGDnja%*mc zQR%qQEL~7emxQyHC!PiiT2Oq*pE`XENgSl^rGzl*X zr(T%eK5UVE!y0$bqO>o#rZa~ek$e>DcLraJc(71@9PpShRud%~J z{&L6^{f`UShztA+YfRpSZTtCr6Gv1F9mOp_3wVD|*k(#1KVI?CoCnSIV)L6M&JQ!z z)*T*BNnKEukM*$}7G|JqhJlh`N$gHVRf5x0U#2N7 zVtR-m9|0z*GalP57fM=pm`M!U$zO=)0)$I|5HBg_;)zk6w~`g2$xqxh6J;rii_ayOTJly<+H>si{3!*G8fYOe!#p`w>#qf%k_2;Mk)nv1a&gn5F zSx0v4uW%_O>(%o-2n=*ZcSlo+3bDdc(~_h^q#<$ctJjT_)V9pWadubRg{&c}`!6-S zB-e^Df~(6F55O8mv-YqB8}0`|oGA-}44xQuJSbu*a7<;4!WFuoLqy&3xD%G{snQPF zulrG)Qx<>eS1@bDa^7yXa$w05N5elVvO-7HkQn_6A5p`QqxH<~U8KWY$K`(`t?d8c z@)-PRe1h-3W|0uaQ15Ss1GBRB8phuHLYONy118vZxS=z za^A3r-f|&Ez7-_lsnlcql0*A3bv>RzYM>vNAFhj%fud)ATJ0483Ls|8G zCzp$-?R#Q9r?FNMSKg7RvZo;ud5(ce!%ICz%O&?^R`bzAHA1!~Dja&C_l7E$g#D4P z=cA4V9inEMU8SKc0Y6l#k^pzh3ma2M-Lu9PEknC6ovS5a>eotx-2KS*(Vp%Wr*MU{ z3mwSV_jx7UBN6w7s48(qD!kJ|z8||_OQC-Y2?UwN2^6)p2!x#7a3?8yd#Lz#xa%?s zhT-e%bI>CNSj!y5VhO8As&UQkY4}P7w)qFE&~JX`ezt`Mv-Tz~;@CauoqvnC`eVrH z15&uL`LtyagR$bc22%vluN!YfeDZYuy!TuVQJ9m=3VvW@r zS)t-8vV4Q?Z|c?1m^sy%R8y)`=q(OKEfSncTVrWpYE$Sz4q`?ci}T_7DzgG#%F*r8 zuqsOX^mPwf!}9+rMRoY{*F1jX9!uL<8N&ve95ZPPy%(PTk2gpss31K_K!=_AX?by7 zxyz||q6%cNu|@cGU1R4@^B`87Je~1unhhJG@HYkom8s#^pPq8l{fcwqcq`Zfvs4&T zu8{$s0+OpZ;DPBQg$b5v^nhSGV=PNRd(EeMd4d7X&=UjKezshe&gTW&J37QRXZjdG zlYdQ%S8GLSYc_j_*jhbOG|iW2f{b_1$0>M+WW00x7bT_T#DuTq5o<8KF&N%s5& 
zWj()m{|3TWGw~1TOUVzwyy>vGB0zYXWTw}iA7CckTD-TXvgMg{AUgQ*qP}U*epA72 zyf=|W(mZoA&}8pjw<1&e%aJDvPY@3&SpN3>tbQut68)Z`fFs+EJ@7E`JJdtckAynu zpcz9mMewB9v(uVZl>V-q=CS2!z)w2k(~bKYII9@#XonB zAwe2*Qe<9pjlwV>t*TuVNw=+=mjvxOy4}e%b*meE>d;+)k0(n+`n|?w$W$tiXU(>| zK=Duh$Bwg)&@uX^=U5+TlWyb+0ysgdG8edrKc=Tau-X*L+J$J;c3JZNKuL%~c?b|z z&!exAU_^T$*niUsaYYH+3LTLj^YfF;1i0j1+@=#Y6`%nr3bcHnE%_tz^IL5=VhqWH zF)Wb-m9rt81jUzMK%On%TmhNCI{QTT7uDQN|3`=jXSnveyeuh)mpr=!y?_HuuJKOM z?6VdgLhQpC{4?DSz6Tc(|hMiI3K`uYxMf9>TKE$SraKz9yK6J;`p|x|j zW%KDL7&Lyi5WnByvNPmYw;GO7Gg(i;-~dzX^8ttb{)F`jAV*;vJwLm{il^xh0! z+&3ulFxn@CT8NX9+pLVetu8dB$Omg7c46141;=7yDQ~6%EgdNEE~-w;Eo|v>&2@G< z0vVOi5KI4cO>?QemP;S6=KD*d!ygk7^<*Z%k9X0~C8T1s3{><0B_c-42&ORb?0VwE zn>!RTA$%UD=V56h!NK};(~k~v;A-K2>pSXFI8p0&R#2INVDZE*oz8z?ssktHa!l)r z@_I69QViZ%hV?p=TU{PsIGLlFJg{@A#~Ev6&pYmoy|?vsYRv%++!KMXNrxU49NEP( zi2TOk>V*pDtI;XcM-ZBq-XGRH#$K~THk!%cp$BWV<=3+MF7L4*@BbTZs`3thBIIpc z>O!drcj#V{sTdQK0^|2(FcKyBiFW*$tR9a&q*!wdmD}2jE;T$QB{wqD$F@k%X1TBprW-+TNPdPOvh5>q!Id%w)19uqB?O&xA$S9bgsj8eP;Nn5FHgf(7 zyE1|Z{h4ScM}#x;W-6o2iUOO|d@m+6p5=5B<>?TJp5Ws1@d4jI@3fIF#hmqrMS7{O z+Mbe!V=5=WL$ks3m7HK1N!k=RUwmqD3!~)=@Ua5bw!U?MEp1^0eWABD#4nWW8EdQ3 zpxuK>8+IQm(@e6@{$h+lbZDp@_@7eK6kG&ddus&zh3#RN_GCRrt%19Omm#p&(;pp)~mfCDB06#BYgk3P3@HM^wKI#zjG2`@LpMH}@GO!edfi zTmfkfkKhUT*^q{XC3C2e`;S`+PuK1Le^}f2lPb9WN^< z3bUNM;$=?>pN^_6=uQO-lf*iW{qy#;$}&6%b()V7#GIS>2QH-7=rYIJwv?`QlFdy^ zgF3+-&$K`anBlK%1a$#fdP$wIM22(J@c z81=Cq+pgN^dVlh`e@N68iN2`bZ0kHyYj3x=`0avvC-3`2u-9MkA48CCNBSAcSf|C82Gk7rdsSe=dp$3 zSFhl9CNIfAn37!U(fxI|F2v00f&mvQoT}-hZ+Aqo1=`YvAF;r7@n-XrB&`1POo#93 z=SL1N$(fBvO??XOSKqV##T&YLg z`!7=8OUhGZ9$(sH_-kOSrH4^+QCB_*I_vGHZ#vyvkzWoYbU{jsOs$C%1=nQ;(x+BM zUSg2g<2RgI!lk9N%|r$c-KoHmrw$n-$G_$mijJmJMn!};qCn_+SDpW<58wLR-XQ{J ziq=|}AANQO#g0nlucjyzoDvl&$LjMVW;iaA6T(kXS9|NSZB z*eP-%NgrhExfExoFozKSWp_QSSmPeC{3!1OYx>zBYZ9l0>81>*j*10lnEDOTVtf4A z5AHE)gvJF3;ilYoC)l2&vJ267Qg-l`0mVL+k#5jU0AiO1*(G|O#e>FG^+`29D}s_Q zr9o(rXh#Z;uxo(_CiCxfK{fCG^EqKEZzsYJ*hE}Jo1G1x4`Epp2lpcvYBg>4@|=0s 
zMuLI6@A1zWG90B$ZM?j=E>;Ac8RyweS{U0P61WhI(?Xl`zR5pI6IkIX;96dV<6f*9 zGb}vF6$>obffI~M6&kf{Z-`j)T*d<^>2K|(0^HSW)gh>8L`gp>72{3iTVx3(qRZCp z{%yn{bUq@y2Q1hah4P2ZE89XSDv2iSA@w88P_Xb|BKaEULlgkajh$ zW~ZKf%6OJ4@0ECe=7fB(3thkyt}-~Qpf?22s&Vc_m>ZWho=UIDwO2|OG7lQl7%{U# z0Lxfl)T*6cCN3X^8r|8n*F3KodLDJLRfc5>7^*&>;QHZ$RSTTNcoVU->c!hlt~MP8 z_e$P34o%1wH=Qdh{ic0vx+B+5bgkH$H@Yz3Z2pLLk2jlsEpVNOG~{lAAI1Go^3ola!b_`EO#=Hk7~LJ-yC)>TaG-?l<-m3=7=Ln<)%|D zfw|wL2L(^DD7r#nG zsC9XhOlNTZfclN6{{_V1*cCZRjBCITBRB8it}GD1wv05sTKkrHHtf_1F`QpMV+uFu zv_{XquZg|N0D!#?7}8%rl)xkX-z*4-+Ilo?jSz8{r$BDd1)N$m`NsO+S$>+yGqMcx z7VmEvZ^L@Fd;FX42=GrfRK22q&bKd`0lvP33!$BR=}YG%BXM0`DC=DmKi{Xion%9* zM^A5T!48w2Z+vlRK`OUV^${+d2>gEg1F9^`SvR$eRKqcCX_@9A>gVtXpP zBmN1;jtcJh^LP_Y)}y+~v^65bv;?Dyou%APT0az+uF+}$l5|?8-3ByiC|8D>pbP*!7u7;c#P^$B za}x8&;q&Tyac5-C$N<-!Vh~tYU1#OQB_CmX74GiZ<}TMg(JSXyJ>h1MWPUXN75GA5 zKKYH0=96b^-EJ%Z{yKZKtp4cU$}8WFzm&)N+p(Pb~j_XzIJm2T{**xW?ZQ>dzw zneoe&s{IAty2dP>GdWgXM^|C8;69cAX-ILbcGf4GD$KI8ogR z)es8B=?yPXf!F>sxah51k?Tv70qE|zcSP6fqU_hXf{11>Ta`?4GI*71i|DT1mkZ%M z>7!hnA(JJ6pr@-x?n0J1z&`nM+RL_&mjx@-B;q>A9ou03a8fcBWo_C&yjIN6(O~yV~8_QBE}2W=3Kznd%3V3N>+|0f0b7u^{Xt|Nk0=m zm>5_zqOY1Zf-wwS3D!GIewh`ffnWOe10sJqQMJs)bcdO`vZ2WF8XKVcKu*AiHaljK zZ6d0iBuxsO!5^6k5G7MrUKEWRjvpbmWmH|Q#mZ4I2Tn8ipE*grhikouG(TuY5q*(! 
z=o3^ECQIj_X5LsL;AbTDuCH)5E1X$`JTh-uU8bwQ;NJaYp1J1_fo52<0@Jo()3kub z0>l|kCi5-8jPK=b$8CVA`JSFrp+9vGoaqurJEc(o3V33V7#Pv%5(%9%h)nRmSn z6Zfq8;=pwDm63i%-~sOy8Erv8Ryy?OqW?%aB~}G>zA~{%dM$AnHCqmaIcADKr6H+q zpar4*Uys0KoA3a@8uyP!kcwqaIC_9?s4ECA>B2OE3dKG%y6VouA>7GZS%u5R#_r$d zo7K52X0->}_By(?V=7vah}8VX0X=5@XZyUGU>@c}tp0*ae|_Dr1FDNi;8qp#SlK)N zy^~7YEP(Izp*(K*X>-tKm?+{57FR}IpuOW1YVdrn!NHr0{W$@D;G?Tj@3f^QMh9Mj z*me8ivHjtAymMT^pMGr>sd{rGt@lkp!h1gkWV_XHY&7>LVTXwHvg;YRkg_x0SQ(Lzc>pYRAj}hHyequf)UoMh}QrjKjrCqAvGKoMp;NoLejPHsg&MR-gjMq zu9i}%b-0QEBZiI(cK?_)Zp&~ek?DSFE0osqc4AqG1x3j_>+);l)C4Yv*Ol_YC5D`a z0*%wlnAF(=DhqnA3~v=Glnf|_CY73;cTvrtx-TXM)JXvG^=K@*BRK+B<7^>enZn9Q zR-Ou6As6f+p_MxrlvBqQwI|t?e*H~aDM-zo zR(Z87%K*~Eo*W3&!IqW(j@xe(1}H2Tbn9V!{U&lGhFD1f$79p#@F(7@9(P*<&q`z@6*FJ58JLP z^|F_ExC6winq0-6qOI}`hBqUd{%2WBscbr6g>BgNu8CO@8nOo=vk2?AodlZ-G1^fzZ4c&WaK4tf52j5tH*_?P;!XUM*koLcHEPw*DV0uO`!jWN z?~7ldfuFVZ526`%29BM;pjY{Bb~z@6{M7i)$~lN`R{H&sqN$+=LKT8$Q5q9q(v-`B*YauT0t$9D12ex$ zQ=l75Z?7Jfux;xjPotgB_L;Qd;#(XlQ`0BnW(>uJ(Fa3f!fA_wtFXhJeL^|D z3#Lx`4LdJa@F@af=apHbI_;abZ{;`H>5&9=MCW8X&L>2@jQHrDb_>7oYUIStsbGhg>CQ6~ z4k-ks#dWH9lJKh~E)j=S3#CqLp(Y~Um&H={4jyFm#5|d%h%3oVi%4qIVQQ0N!P&K{ z`;8BR3DIHhxg#6jCb4Q@Fdq{xRv=3fUNa?M7*wnY^GoeGF#byykW(Iy3*N?PFkWPU6@&%%r%~SinLCKHZ<6B}o!t9B9bXcOf&CL=0 zaHMq)n=-3-D4b{O%@w|`!PMq55#vjGB@A0!q`512Lx<`!6uAF|&9t64{Sy0LL; zeM^;tDyd}OtQ~$b@PFp@*85z}f?2geLjHHAuKpy7ALJ6Ip8}p@jf*6Z+Il|RM&1i$ zEt5~d-6X^|lDHDao*4!)-W_C(W%Gmy?3k6Dz+e?~=R+pPi4S~x68*852~rZPXY_+F zrih#XqsIt|$Jw#O`#QGR;bHR^_d`zo!p~Qgj+#}9*^IFnNNVFr4O)dM4|v4l zmIS*oc_nh@eo#lxG_K+{YqycIck^q&8>Nevb~hH=7{BV6(#E56C3JLPnL;*BbD2k) z*U8dl@>FqGMv#&rTr>Xrp>&N61s)AfrJ0fGX6xJCh566yY1Pb@v~$Sc*-fmg&G2Dd z0t0KR)2ZX4$K5f6^UGx^AZncuSf#pP+V`kiWhs90o%05%3(m;(HA%yxEwJDc+d4G? 
z#r7)$3c6PlvGOe^kbffUWE>4T=0A+uEMoaHII zZ4M?69SD86(cYY9 z_mUV1^h+mya`%SWekVb8imY4aDq- zJ?Pr+i}cu`BsJRCF1CGJLiVOVSq|mglRsy##cGPzL#!8bMZA708r=s^zuZ8e{z7Ns ziQNtKem|etqstoc1?F*m3yKExrPM^^b|$xs#_EH4cZr7oxX0HFyPWmQYX4zob00~P z1YDP))5?w|3=(HC>mEW{3dNghBo7-z=~K|13H}?fMrGxZoWWFoKg;7Ht+~xVa5cIu z*kD|El4ZHNUEZc}%ZK`ue1YfJaQE|zCda;CyiR{#nwzhGj$}V-w$1T;m;!m1#(49H zV>sGyqkNV+yC72+TUE%gQu@yw#wc}yoi$OtbK9PYF>;~oDamkzV54crrQ-1 z=fKb{bOdI3?Z(o1I9UJ5@`{=#JD}9Fd?!3~Ld2rzFyTS$XFwH9g8I12BdT)z`_utS zF;iq6O;f?ZhKtf4>6`!1t>`mPp|aP?rsS~=bmpwDyEdgUC3a1XUCVaGzj*GE+6O7-TSw&Ft-l)P~*3Vlr7zqecEK?H2()bbNF285fhp zv|ZDW-P|e_C2i~7S18}}>C*nJa1=?=z&3(g8C-&cuun6&ST1FiD(k0lQ;RkqoO@l$ zeV$ZY&?b%^A+2+Yk~+t_aMULRxLQKv9qoV}?mgkW4*B?z>#`(kPy!pv(RLCtuZSgO z!+tmjX(yneCS;OE1@LSI^LUxozKIjha9VszwvSga$1}FyD|QHNA%*%2a4v4(Z&wm< zfohobKWbPkyQS<|(0jehIP*}YQp_2q7qb)1UcYd%l-6~Ef5W*3dV9fK-34n$LBy_k zX@R#BD+tH$mD7|jOuDqei+8lp`I}vY!`;+zYy8v0%9#|jF!aUNIh-aui8tY447(He zX4Io$30GV_K)e&;)Br|$!llg&kRF;G;u=TsTIy(?N>=@P5`*ju$U%}%{mz8N+A`E2ufWU%x(kB4$Jn(fFn`W-CrH5XbxmuATC=<5u zZ26y?-jG+}Jk|y&DOG%!dY^vwr5?)l_P)pN76o-tfu)1U1{2SOezGD@8 zQY9wV*-(@DnUme=w)*Vn!kC*fFZQ<{bVQs{WA@jkgL*yH?k2rO-_5AqS}10p=jU}A zaGn*WwR#$PmXk@wyAAwBuld`$=&a;)ww~7yey=8cy5ymRmyD%P0C3=6J^YZbyGqlL7s&`}LZ6oNIf_8@5jqzxTX7ip_A;#g(4azby((;d72 zP!0@={q-$>FQecDFJa;UU6&)Tv_D}MvMwLgldypgDQfFOD*Tut&9riDZuEYkGr45-IX{k0#SRysl0oYd-B>+@3QSU~H;r zq|r9?W~B|NLK@Hh3bNRxuElE>L|6u$^C{<6{?WV8i<*1L#q~6mu-KBB$>sRw2I8T{UpH0t{+R@~_KtL0ssAv3MW8pxO!G@` zv!b>`VP0+b>r_r<7p(ogid*~(^}vD}QB@Z#%)JWsRK5B~?82>IeTyWx>X*!V;yq_o z5$73}52q>M5}|+XM!;>%3w1}+OT@`l7{Oce|6}SaqvBkeZW97QgS)%CyE_Ee;2zxF z-JO91cLsNN2`&K!x8UxZ_N2C z@vKb|9MD~k(BU{fMg?0B5L{CN`T{M-miqm=HoMBEBDS4;R_FUnm&Km$7E*UT!I7{` zqx=Mm)(?U~GR9v{-xbf<=E0?dG6HwhtJ}*ql;i`G-2JQh8ofupyPOG7lB&6ymv56G z*Cc$1w4b>LVLb#X+<&}^xwS5R{c118r}zB4Q5mG|j1E+X{Q`+NwO|)&VcjgM+YZ(_ zYjBRI8WG@@X#0;~Y82&^+Kyq!=z?5h35^o^>d};Na4iT3*s-l;hQGAX;oxg?pS5)} z5HY@=WLis)IJRu(;r-<^PX`%ZPR~0sFJ|&DU2D~OF>A?joMl3S7ZdI(|(& 
zhB^sW!BgtPsFNBqvK>KzFT1knNDjYWQ!U~jP4i#(^`MBQbzE1Tte`piy_`DW-Ps*3 zu7LnT!wogK`&9S@ObfW|)B)C5FxK1OEF;B&no&Eed39JZw~}fvNJq3Hsz|sOOAMueKD)<7blpDS0OL@R=7a)p$^GhI?Y)|fYsqflK zoMEydj{!}&Ip{fk;%-%t;F_SvMxOsjxieDV-lzr*B;oZ%Sm;#?zklsHKdLv>K(%|) zVA@#i%&1+OI)161xkGQ)OkZJn0Lh+MFrBYg?ofSJp2f%<3s>xznKtzl59fcKMXsDx zU0J-pCPzFOY_MhhAl+P2Sw7cJLeTgi`IYEtR%7)P9Fs;LN&$hiYa5?0fQ-ax9YNZ$ zm$fQ7^!6jn@B6b;&HMWTb|YUx4WT|X1C-yqXEr|;!J+>>28Gz*629*UHDhAIzM07k zUbtw_!KjXkfQD2yeNEWy>xM0D7m@edqbd0O&+izl9Zt+%=B(a`uICLfB(yz|C0s}D?`_N*Rt z_faKDP=F8|mlCyKIqR+p?9d&3OFw)AwO+aD)EeP=?uEDc97(_X-HhVc2SNy)vQJrm zh@MuBSemM9&v-3=dfJb#PutiLx=DQ>mBe%;63!k6Lz``|Ps6W+$Vupe5Q8<+3+B*< z1G|R*aA@UGv~2TFbYr45Eef(4 z3bRVABIF?a-bI{^&-g;ovckoMX0V1529PZR3TmOzplocAh_~;BWUU#tn`-|T&gvF( z3>=oQtnIv5;iwX`?h!V!y1NS|e;{2EY0~dZdkcS&3RJ7_Am074hTlWN*SKGn3@cZu ziQ@$~xO1uBYcpnNMH8(JGhw=w#ZRUt#D?P=>9{0@jJuuma#~**uKbg8icH~}f&~>l zMs4V*D^*c(6*ke&KLtTZA#pm?1e2DK_vgC1ms3g5Mm$eEJ z%6^t5Oe5lY*0#7-%ab1aaRhH#hKE`75v@%2;-#%BFJN_kyt~~#FXD%gh%)ipmC+|E zj~COPvmhEPLJY&4lSQ|pDwE$h5AMB0yazg1aDk)~9X6jkdAV!LkZTk!i`Zcb&QRF- zR2@Sh5I>o>Y|*w!J7R1`mBVQ2N`!1h4N2%hDG%1+!xSmg_tK|WXh)ieEJ3=mGrgn~ zfxG;j^m{fbM+`k3M+xwx$EnqaA`RVM@zHb4QkF=HqynUuz$i*3-VKBPGZfxHx>StkQO& z^fbgeWlsZkPjU{OY|bq06tON^M71B6gu@thqt2sv-`#CXzGk{Bh+@KiXI2+zp`1Au zSyP`WI(bLl+S$_-<5iMdyNsU8mbD{%`r#;*AQ$%4>nY3LHM`8HIl&N4-1pR7kI#g4{Nqq^$>dY{ zY9P{GKjI&aGJh#W0BD+0Vqu>0A8=GDqa42!9mI-xiPMjKi|=$-cEVezgYpk`rpjj{ zNUZt6<;jcB#%Qs$t0X{QO6dN$nvIwM$u_4U>v>Z{N5{Lj0*yyZofJ7y83HPyGNdmQ1qGm#;h!{W!t=mp`qnms%2HUJqp>DnGct0KrqMzE_vS+j#(PED!+PZ;n_hm7NsKRPWy&VgFF72al z36@;Y=cqWRh3hQUq$;G7($!_O)vpZr6~*{6wgjor(>H(O zhhu7d?I|Y6QT4FQL7Us;&QNhf4Ej9f$fF!$bfMxV-*$|fJ$40=R9untg^jSl%g$N0{yk_#&XU= z2ss4-dV;sWj=yLqqnH&~mQp6RuZDLB@yU-rfbmyaC@gpQ;pZnAL^Vk<6Nfgw3x<$t zEl$C!WsF#CGhOt= zh?DejaOb?A2;qC&4K<=4AWpRs`{Z;Ifrvw}DOWPckVk%}=ZAcO)0Aeyyu~bYdHTon zph28YCxQ7X+i}1cpaspgOyK!zdfPM6mNYdjY9;4!d8a$HX|7xj*L&)iT(mI6ZAA&! 
zpMIaJ1KswKQL~1t#lzAz!mzx48GsIl#kfK(on_akh7|})`w4+wk%WcF^*@kQGHuyO z>ZU_lVkrl}Eu(_X%?rFwpQtGh#Z(xaTp^{NmuejH^%%R$6mUzkIic~@1%LVlHm6= z5V2W0amJ;{FC3V7kC=os;iWct*mwtBVdR}?urNF;!#=YbQ5}v!{z{GOW-T{B;2P$o zjgYL8$mWmig;QnK>F@V;C>i&aZr+{tiE#XD0UT0AoV$yvwI~tc*K#BFr>wEg^_O@3 z38n2IYER6f!g9J2dfy3{Z=*ZEyBUdy@v#s-_W$;yTM^lZDQRyH6t&<|if9k)t6vo+ zIr|9b$fYFR68JnG-$#!@&q$JJfI}X$FEI?EKOmu=CX-DzwB3RS6Kc-QK9m=Vfm`D> z^a)*m`IERS_vBGZd#K@!v#zk(_W5ppTn=$~;gd4CHp9c(m!$JLkbbThg^W>SYrEJ~ za^?}o_k#N-f7km}`cX|$R9fU_R=Xz4Jb7gByO$eL81_j+Oa7n2N-{o_sPtrgDUBj+ zFRBZmy?s{Je+DP2X76OWd%2^9MeoRw`ood=?AY|dI--H&8DOafK68`U^})iTA?ED( z_05Jzcybz{R8v;K%*4Q=>=+$lnPEe_3HE*Fre^QY<3VJo_!$t-OPP5wLy2G3?&D7E;XX^_U2cr=01QSbl6gbWylTn-aCrKQvgMZY!kUt_|OC*DN?1bv@H=TSzyXPim&9doft59@q*9{7kKg3-&*KX-ky< zP3(Em(i8UK{A^C$B;q{<;E;LpF<57$yzj^Baz*I!SI}rlk;<3j-G-{F!Y}@uFPiHm za0;oyQNFsi2H?_zv*im{Om#d9Xs>naK01-IC9>0Pxt+g|yiA<#U>4|bXNzPH?|`f9 z(9#nd-I~PvJ7q5I=8slNSQwP6g_M?dQA?d2VSIOGtz-_#-tAD*$cG1IuvvN>FLbv! zPxP9xhl_)YE#<{X+BV6V*QBwkdlrc?#GZ+@^hk6Xd#>L#{gex(9k-F)=W_o5z~EVn zRi9kD6&L_;GMt!^V|?Q>!mNDyHj%U`OPv>I_pX*scOlfQO|XSd&bd~04KDcI7_XJgqy z0-g;w0~UWq3Qh*OQjH!f&NeCRccOtzsofCh?*e8@5qQQ*U&F+l@xN&036@9@h{?NH ziXqHxQkN*l#_|xuv8g2eV%#yzvRL%uZMcbhwv=G2_m}rmDX`$pCgNf3Wt_ zVMfv#dMc~4B7C;WNfW_GZv_;Ptu6+Ovf-z1|LlYN#NB3c63J)_cEIBAf6c$_jyRRn zc|BS6iOUP`K*OfV(SU@*ekWQ_bRQpviV~(+!jdga(0}mCL3t<*O>a3(%ylu7 ze5LfDuovjU=*CF8tQr}ji2o#ABkhul7B7;mecKXh5;b!oA2)eIwp2?_T8XcgkFzaL zv$BP&^or0TTGC?6WLt{=J}Aqnoj%TJ`q~N|Ca?uhh15b!HUv*4zaD`G#ZEfXK}=R0 zTg8+eEs{SCvQMHXU%pD6U|>N65$O?IhYAUFY8zS$YaS& zhTvpgihuQZzE8js%bOUgg5t(X@@N%jlBW?oY7fI>wqQKxdM-);c}bkZi;NUqT=*fA zAfS7?aNO#M8(2v*>|)E6>08*1#gmZJ_F+0d-K}6Wa{|~adMKCN*M36D87{vwXh~X- zS*gVLyatKrgwtX*Sb zuwG1Uor>W&Fv=gdrF+3Hp8z1WQxwU=L7Z^>Y83i$b-A`gJguoji6GADSSI*E`(!uC zI>tEC4rmOZQZOQyF0kHop_*orHHmxY^3^Pt(j*6kw%HD)(S2THGify_Q^=3sOlj1+ zLm6d7FFB)DbL`mdOn|V-(0k=@|8Zp8gqywwg?4D2tM&_t&9>csMCK_z3i!ulowImL z7Fi#-Wwak5jFuG&i$*%3twupHR-RDL9O@LW~xE+_l|=baUeRGXfia3+GN5!##Mxlz49oJI9mG)I}8 
zs{BXZqq%kU-9El%s7;!?QR>9{BCsme?Nr`$x^ zW+?|1=a>qckWCQDkm~flaB|`!`PE7Ckdx+%DnH+MWrJQ^oKcqV2sL~9_@9Wpk_PvU z=F9X92DmUJwe1FP+H-_DSc{-O&sP=u`=*qpwzh9~ewCVrj2>F!T2i+NTt&A57-fFh zjTVyd{K`fy{2s84vtPfZ-r31-Oc&ph1^mqD#Hl9Ul1Iurri8K?76rqlCLWSUDwD6a zV>wy|vEzUIyw<0Y2pm27e@szZ6YB03e zqPQu8Rx;_dx4;#^DZ32JyG+|*b9yLs#_J*@w1!_|_RTO%JuUYI zR$Bu90JulB$!Y|n?P@MB{;oj&X=I1gZ_%rDOE&E4Oi@?X9YHiv%#LRWUKUl&Bc8YK zQ2YDE5RF-{KyPM4UgGj@?flk^vrYQ(7MTl#H#@kr4vjY@S3cpMre-x#-?efH<9qoT z-{cKflP@zzDX*6ic4}tletSLn(shMaN-gPo*ryPLG)fUXb$vmyO23fA zE>$OQBWz>Zd<2Pq((dwl` z$#l7+5)dHrw3CDEzn%V?&@}v{1>bCT&SjlvHf4p{zOZhu#}>wFd@*@2QR{MyejH;8 zOSfqLp_lacT%d*b8APIKb#Rrg$BoM@H9&pz%h*J)*B9CkkQE^H^$!;=Dfo6Fi*|Xk zQMcv?k%xtqrx*Tjo3|7G;jNsb7uy&=bw0A$A%)ybSfTy2dqSx*e=B<4CwsQ-G!P&W z|2%gh61lvDFw{vDc})uo4qQo=8OZ0R|E`NCK_6L04=es< z2!Dy<#{}_zibyF3xE+T>-qnB;a^w&LENv=5;h2MOl=0d^aL6y_z1Pd>Xrk)Bde1>s zJ=$A-cr>c{hiLi@qAE;$3gnbB$Uv=&Jbe z$*;_ETr`dZ{8D##Mog1(&du^IJx4a%SX|nh?lz70-LAJGEH;6E!X57G@*S?rN&hUK z4n-V3E`~`VGk#@7YO>oFw?$4%sct7E7w?z>{YQojH{vG9x*8^e!7}7qib`El%QOv- zL77~T5U*xHWVvsckEeCkSN1BhzJS=j#;!KUT)(9MbDsrbLCh`A0%5K9dZUm88|5aU zJD@s)0)OJ9Ipav_$OWY`_LIs&#aIbtTPVmPDVS?lg+S#{*MOM7G!}OlU+J{DBP>^w zNa1^-F${w;hp*BXCr+P%mQ6Cju?v*#uy|}PpMj7~vh9wfM8lC8{NKx@a$4DiB+;`f zgT^wrX|>rZ3dOnd%Ro@vKK5=7m z5cpk=X*92$G!YI}Yr%}BAyAp`HF~FTZSYm7SH3fQf|9k;XQusTwQ#TzXhAftWl;bN$dm;IJKP>KMUT-7gRd}?V-Oxx!Cixg}s}EjvPWcOz`eYFOwYJ(l z1>M%D1!){O2F;N%A!{1@uJ5l2V|VIdv?b?l1Vof-1$^Zjt=va9=W+Z=mMQCENb4La zIqS5Fx@|4}(ku}0yGWP7&5EtY+tj5~cdR?OT7$)I$zl3jXjT91VRW`!rji@tN9q-=|wf^@VrBzVBn`w}0oCvQ^I)9snXOj706Y}vX z7_T~_=InAuIu6OifLndw2S8j=74lP{0+H!uucLM)bnBR5gJtkBWb_xud>`YRduh)^`2 zpT{>B2%95tRW$n5ZvdQ)SPFuEC8+v`ANDNRL8c`^A)I4F1%=8bx@u5x9^1DoV=Z#8 z`|uzl^~h&;CyA~jQvwj<4}T>l@Zb>n=zM=&IrCBDTB#905(_k zfW>!BjMyQQ>Gx>O`^<)4e%)jh9_#NbDfvRy0nnS&4spP05}a$M9t0H(|t;+EvW zR)y}BhVwkJckgs+{sXKNxBVU2NS5SvHAw75fiI7XRrG^)K6k3*OwipH_7#VvK{~JN z5WWg+G-k^9>{%)*>(1D27wkrZUQNe_u-(Uy1>NJcfl2c;Y_4|jT=a}rPf)kb)4nmc zs~JIhy9Jqg%srxrB0J8%nUOs#W>c(|3Qvljd4p9T@6d2VB}bcXe#J% 
zEAHPNaE!0Paiy9I^U3(3I7s94y?g*yPezi;ATX;ZqP&Bu-8OVq?_*!nfxdSZVt5wy zw6tQ-r^C`G3iT%FPM9$K`$bN}eIO{rnkyC@UT4sV!Uu#iLnZpjRR#O9+@He9-g${g zTSRLhULGyH;2vv(y1-dXmI`@O|)oY9jUZWDx^_jG0W5oIuBy69@Bq1<7a>_Usc-uOcfT` zcyXdwj!QcJuAhcBBvAEG%$pbpfW>Ivi?Q33>tyv=^s!BD2ga*a+S^wrhrYfhH)A0s z*|j`pEF*|<9_!jLuk{iT=Rve6fN%jBvNv8@dNg|<{IAX+Q!JOo{BVn+Lm1Vy7Ns?J zfPu;SV+N?yw}x?2rYtX?;mM6Cs_Y|tizQR~I;-V&KWWPTEVzH7&eAODp(PJh9&>cH zC@xm|UIzrTFBe8F^`H71zDir{z9Y3T>H*~f2n%QZoYjrXBL{F%F0O#R(AQCx;(|=z0hwyKm+PjNh&wD`+=5zD#5W$ zv~9#3Z1?+tkp2=FTA>S*$&hm?dRmX+tFkz4%xG}ow+>)}_#4aF#a~Is-*CJiNOQaY zN7DJhlDX^>Xm!+Y%9e-P&u&z1n;pFUk z9L#Zx5=AmZhbR*~^X2ENEZcu6ueiTl=yTa+K{StP6JKIfE@e7>n?bIUzuYZH z4qwZ)oZDX?1v~?>T;1i|?&NfcM-_HbETIPtEgbT9?fGC-B-o-m(}SAw1F#6}^h?T8 zVyt$BWV!v%hP~6pC>pC_b$Y`wG*Q}53Yj0X?P{y$55Se669$rB65ahgg?<`L!h~|; z>HNHu|Fk1Z(o*|Fm=lg9hT*XA_cs5S_IGf4V311ENFkgyGKS^1K?y>6AHL9EgP8x> zfj~tPnW4p`Oj8>kfT+UpDFQgW@j?_XuZ@g4#41h|W=(~`l}|1AIQL*gm>^{$I2G?o z3MV8Gsz1fc?qOHrZfo06TEH$>GP?3Ns>Ku(@3+!G{K#Gx8RWA@9zo5LBds2 ze0Jv24s2qg-*9H+@BIiR=|`O(I))&kjzBcqx&w~sb7;!*xBCQKY=0DP@P4O>xwHZ+ zTjp~|4rqmEicg(L)HafF{Or^s3wlkX@+tKUeg!@sH;#YLRIV~0!1kMkV%t)6Al15> zmw>s0{XE`}WLlW^rpbqG!*?$w8=a5hTNN!*Lu?!gbnkyfJwa-&QiW^@R@DiUt4}2H zUhc}~BJPwMK+^y2&xO0HLC&-N_XYqmfbLBB|LlW+xGg~*8ApHC_nF`kK?>8X7>K?r zlqDp4S62fm`%ZjpWw(ldSfXqCeUGsLd#g`qT_4f$#i>i9)%nZT^*vj>WuHHBcyQNc z7Sz#!Vev;N-(QY_UP166H1GvWFfd(>)KpzfIPB`n;G?>FZ9dTR6xwJavB)3XL-{}N zWABFz6d)B9EJ)Gsm*UZBCUkaEUiVI*JD?$F=3)@f^MppGW08nZodnObdb5{{>)73M z!+p)`>WED(A|AHXpBS3;Hpv~+tzi2*?(og`q0lv0#uEh?BX{f_M`AJ`OflC|X>yKj zjCk$rQFnhhjun&k8ou7pwLe(?>-#xOdvbEf8kNvB)s5REo1(6;8);MgN)bZT#+ogZ zJ~(a}#{btLitxlX5m(2fLRZQ{5x`L}llk4YZL%T?zB8d*?zM`yaEp8MnzWn8uQB!7 z+9yp^dE@5~JVCWo>)KZ_aTZp@3si(@{8TMFJS5~(GMH%+R$!&2EEx>qrO&VKfN+zt!`efocrMF-cDWXC|mSw>&P3k-hl2`Tq}HC`maUQn{c#{Hb}c&j?zG+h#R;1FQv&n zPeqGYww`aG7I9%DHztjEUbnAFpZd~N512;$l)f2SEfWoE=gC1?STg-{;&f#o({3qS z8n{RbJN=Y2SgnBC*+6-!#HpPl5>t_b1z{4FyVI^naHsq~K62DUY47CZ!cMB>VVTY> zF;ei*sZeA`_{`UZjL@+i6Bzi~gTt7GgF%knRv0P;vnnGO)vo~+k{OlF)aN7%UuI`s 
zpG{=Ph=zOfmR|?7?;_*Ot%x-tdR%j0tDfXx)+`dB{SK&D%Bf`f@(W|M_7+&PVV;5X zFCB>Gky-B?)~Nn45#oTjGd3QXJJ0{*T=$m?L@p@10Ma37(1qQP*dh=8_=jZIqWwlG z1H}1@fYyX7{pDHO>jvj%oFC^KBhl#rB1{a#0LkQ8jwvsDMaBZiA5z>*(lg z854ZE;lTLDk+m z@?kNcQ0l@h!~$%UruZL+6aCCI9VONrUH1G654|WIq@pPbZ9Q)rCQqJGKQY((mXh#U zm6UwyMc|2o*-9XqBo3zwr8`|$*8>J3k(cIA{clG~QIw^m_)=9|*0(?>W~Y%#5sf7AK z>6%W`FBS1WP(FodDHZiiUoFbxi@in72iL&lrNAQ?Gw8C-=XUq=p)L5b7mJ4u8(LM3 zT_pzBTR$A008gYVh35AmBeM?OmuC-EG#`H2DK6ScP(juviTOJSIOPrspb8XDMv1%d ztA60Q3O-!yL;6^EAx2bJAu{TfMB&)?tmJ?>$LjFQarisTD8B++cNN+brFaw_>K_Ps zFXVzAc_@JqS#slsD3nTQr~eO3Nj=0}fymSjGw1 z%yvMPPYthd4{7pUh8T$W@r-JQJrk?$47R`|R96OGx@@Dkf4m{n|tS z4oGvb$2Eqg%0wQPz(f!w36t`@9HmI5+2@Xw)x<(GR++kvTe@~fk{_-ye-JHzg_n2m zcRugnELh9208eU|%n>wMwrM^|MQ)|&c1@fGb=fMBY(LwEpr>)Dh=DVUEVRk~J?1(7 zy7S+*>IPF1IN)%I3XKGew81%lvZOf})8bXQ`DHNCz^mg$KefcII?4Z};_Jn;yJ_s9 zgjpS<94roj3%C9s@SRTtwsYMC^n$^*`@F6MBNL<&@rvw0Um&`EXPSmNsoZ#(9d)YmacctV)J4Q>kAQEp5H~&n zY8q7ogZHeuqloYgHOjq8-IrgT3S51>?`q4jU03Y!1b|3zFOmdj3Yy15Ov3-&ya0Zd zh{R!uoI^?NEP*$ga(en75(FcDTq|ybf3}5Jm1W|c0 zhTX)^qnPsufdR5)klXdVzw);^cOjAS6(h!()wp0fv7^AE6*#;t&@B^YvmG?w$lVF! 
zLDse%Wy<(a$Jy(e2GY6|9?*9G7tt3=vcC#oMgY4zJr~u&0SJsPHNA9{{XNxVfP(>2 z#gi7t=RrcBU$|2#KRx!6wClK;w9~_sYJhM(G^jNRC6SZsCo62ig)M_shlABFmEdGT_hbpW1cWVPD`m0hnF?l^j*BliG<~L4d>**g z*HkEy&u~@TXcY-O>=$&imTcl4YoJMPUxIeB=l~gWWi%9}$MM2PrtI~WZ?8Asr}aLk z^Ono}Pea7Eq=SSxyGTKWe%gvr61*u_CPvqn z^~(6ChID#P-r&?{a}bq*ceKi@%!Xd$G2J!=aCEJ8WL@f_`>20+-2-K?XSWEXd!aR| zZ4mXZ%IzZlGFuA*R~|ZFZ-9+nsl>Z=xT~>f-wO{5QECZkL=qs8*z@?xM zb5~Jw)6H_T*)hzBq%D>>=9F3tkN`O^Ks)Lc*$-%gGWz;|5E!C9wC8x_N_-OY;ns-Rt{Nw@4Y@d)#2LA3hNwkk3y0+kmFj5A9 zel$O6*C?@ubb?YlaeC?M?S9;Y)kzuwSV5cRYJrL)FhegT+*0t_SOOVDEAbWP=Z>54OB5zYj> zfjoVbEoV(g+L)Tj)YbVi!ybeo^tAobj8!{u)~uIo`jq@w(oQu93u}Mr6X)T9U48VC zUFo{+;?4l$sf{Q*p#@q#OHp#(GM<8^n|rFi$f2kDn=8dxt}HtU!6W2K|47M_#?AKZ zT!ANW?^zbWXh|nnoqm4I^x(VZ0ToW4pOn`y|Iw<3{rc>5X>kb#Yfa@EZz*mh)3y1) z1I*rc$?|VX$LQ*nD+@9iQk=iumb6>!yE~A#gt4o@$ZV=?#3Ve5CLYzGvXqNsODA19 zOUos(2z@UslXfLP@!LX3d;B~6q$6qH`e<2S@bIONz{4k(U?-%a*&i=-k#h;XX%z^z zW0X`*}g>Qsj0_TeY^|y`t(cL$Plt)zbz)(Gg{>ty?3xp5TYT`cIeBOc2dw#haDShi5Me>4O-3~XXy_e{j1ZQ zc|~_m@W|x_ z@dZMys@e-fKpG5TU4jf{3xKRU-i;?oYqk$gYm7a=N7}1Y9=5xmD_eu62|P3Gt%rTu zF})qk-G-0%T7nxa=}bq2+=?x6uZM;Jk*lB_^57tacaj}wL&|4R{)-$CdA(IwC;N;U znQq0jlzoXUndxo4CisW+CI6eG6l$en{F3a$*%ExQzxv?pdxNNT$qmd7@dMN}TZ<5z z_PAtnTH{_}y^(zSNgT!5gvbUsR3TVlUCRcBR3Oa*Db{3TqK8 zq|O=<{~Eb~Va7^iBHV?O)lm38Hc@0dbUB1VDEd(mc1 zyQQ2AW{Qy(ro_v6v&tEAQ*HZF=^S08C94|9vM}NIc)Isqv`(U42ZEj?@^BE%;Nj>U zuVYrhod}~<>L+U(tHu$IY{mki073Bk7Nu+!Bpm-^6Cq!Hc|-BlW$#9neRcW#W~&h! 
zODLLPN`IA|3jX$qkc=7-HtNZzO|Qw^e-A&#EL&g&0r7zk{Ab%g^ii0WV9w1=d5&`~ z1HLq~U>Pj$$#7Zr*kl-1jdCj2Wcp<9Buf4UR zzsI^K<2-BU3?IQ`8LNIEGQqc?;rw@SIQv^FCxYEI6#IO)uB~fC_fY~DSA?l&VKK@(2M-RhE|GyQ@5<80LUB@r5oCp?f~i0324wj<1akg|8z76E4ziz7$(YC{)O2%I^li}w1ZXCZZP?RLG7rZh=VG2gUhRFC!97lPq< z_D512bU^-5;fF7xU7H*Ru3X>U)^A?Sn>D?tKN~NH)t%Zcch{k5`3DI=6zmC#8n)KA z;r)YjagdUYemsG$-R~)1K^t=QYm+g!y_34;shE35VpBtwzvU5Jpy@};5_TOm>S;d* zQ!}w95NLg;8`}Nr-Uw*ry*hi&zp?{k${w%O`ezP83&wmFieYklTPcd40-GxWm2%TG zOCO(3G4=7xS;e?Nrn#$b<85PG1akemjy!wD5a+Tz0s@SK<4Ye@A7vfG#l_9dIrT|G z){XdKRTE9=k&Fa19$D!6Ko%kiKm63B%+y!(-gp>)Oa7<&KX%NZc-itm`eHHMlL4~SY1LhU2fRGS-Y1Ji47e3(U7tE#7wZjNmdymtv>AK(+ETIT z!epa~UUXD!4^P4E4fTddNPHPau8`GEjU*jDqDKhzRizmU{q+~N2Y5vv1gmXUwZd5i>j^ck@EgspFB%T077?SW?&{}0hGYD?dCXN|+U)1J zV!m!*amJCYonKkEi;Bk*kw<<>&O@+_XZOB)!UO0PltXqjh}+Ed^kM0(L_oTfWa%i_ zhn`LkM~9A-FaE_{Y5nRNQ;qa$on2KYfGO5K(fK$2f}X00s2*`^{Shv~#6PZF#~7iZ z7G_?mkZFpv=mf2<4hizyGjS5F>|y^wn)qYl9g(CJXRiGgX52pp2LBL&k&Be=zYP}Tc_`_9>I`{yyylX_q^)0f0mCvD_3(j^?H4@x!(@yJ5%+p zobBDwN0r>pZfHQi4)XZeJyPL*HPPegdgU(1j+JwX;PNfvQN>)+7}2j4>v(XS!QqC6 zv2SyCw_UsM?#ryz+mwB$G|^Y%oYs}M`u*;@)ta0UJoA%Agl7l(vg?>#SJXP0l#e3n z6o%pTstk-}f6u$x3W_@TysN8rb_Q6L($BNcWhX;Ft&aHJhr5&_j8%;>*yZJ$2!H>X8|VvCrB&xfXT;ky#|TY zC50-*r-5h(21fTu*w%W-YL*L|8fsc&jUDX)H5HrT$SjS(EOm!gw*P>f-4GDB%F_*8 z{eE-`RUrxsu+-p@I+9lqw?)63;mQ_fFZ5eR{%p${EcIEsOZGL+_zw3;cX39r zNOyztPwp#V3Svs}>l2JQ;cV>F4djP3{^>*gzo>F%6)Czb12wwOH@6Uy`D&BwWLX8t z#kd=<9W9q#Z)kB@Zr2k=Odn%hwqIU{+H+1jT%3}QWz}NOYCw$vsRl-3offXPDPiaB zL^adsFlYcMdEcCFuJA{v7za21f;!?}PUmfy2W`gOj?hU|2ZsH}G9m41UAwVGx>s#!_!KNvFv#w*Ss2X*INAnUOqPuI?#e0$IgjIDVqXZje-e zhdx@YSB+I?*epY0_?3%sq>=H|H7A3gq=+QvX$wb5;(NLx8YVvYhh zlGQAlvh@fW@N}SIb#%0tm670@fD=!(D5lvZ4)ro--i^{}c6X&?YXr@qCKnY3e^)NI zaMdPb#Wp=AllNqR5H4FQ9t~RcsJ^)VRfogX^t0NVEwSeOZ^wCYz|x0<2aZ_0)IiHv ziPi)g(w#RI8hes$+rxb~L=nIe_n(k^u^_~7U6t>jZ*L(G^L9Y&;h7}Eg8weZa^dUL z*E}Lb7FYeRdegR{r~*~4k=}p}Wb~Cvw(evf9Y4cX+iS|ThUyiS)!(V9UILo%i16^O 
z`Dg%NSgvpSIWn0XOJ${G$+_t^A6i*u0@z?_;|YZ^JzchK%nV7Br=`hF*-_sh;a~PpMz{AqCUM7!!nUr(HIs| zRmO@$$~FX?I{Rht4`&!ab&c3fDl@BV#zKat;3$sVMX0@6N_!K&z3`<{hc0~f%r;U^ z9w;#&(GFMAMxX0akfZ9ve7mk$a$bYj0_^saF{vM1?W{RdAGXaek&?{WQgK97(ZFNA zxK;~=@GBj%@vPOh45&ZG{3CjrkHSS$45kH0qK`HWya-O3_0%v{sZtVsYC+n=On57{ zI>jb*zPU3N{}&2=Kz8h4VMMp`eY(2|O1M!0I}pVuMy-%NUIb-|p8#UAhG7C$FmMncG8g3rJOnu$ZU-w_Z&V{11`p{pW zyL^59myDn-?`N=~9{aii>}&nh=g6_H_^y4%C#LERMi^Syr7Z_W z<7!WiKb>=ABBHnCw`d&)rT)1qP1cp(TD>1#I#UMb)Y0Tp<3QFXH#pa!K#@3ddf|TD zpG}}5Gtt)AkvB87mF-%NgaB~={c!#;uehU3Bpdj{5nH;EY~T+oCs^&wmboSn_?8J| zji5zoR%qyxxPadKOnY5@_N~CPZ+s@DkJPc}g+gx^9WYx7mIzr4>fbKQ&Fhhw|jI)*QtzZAT=l%t2aR#HqIrigpY6 zGp(odgmdo+qJdbSzDaMKYkoHC)OCl-BZf~R&+>5~pc^*+aQ(0%C4Kc)ROvv~ zX8~=#v^*8?k@;U%AaKgePwMEzKqY z*4@XAgAa^ndVquoWhfaRsBrUm&8U?}{|#VOb+)yiixCbr`jTu&RhuWeyXLwg(P{hK zOYhyc#PkIiw#P}YfAujBYr)~76Qen?-1uxbeOGl|CJZ4YJzP|fL?V+(1#^@(XQT(q zW-`A_g+#yn5NGz^I061?Wuzx8b)QF$o-YZ>AJCocw*9Pl>4-hj>{=wztY}u_Nih|!TRJ0ANPr)7D!3XvDqBv< z+#KytMla=mqlHe-I(H~yyV1+b(C@0B#QB%=+PK&9FEDzlEqg9u1AeMNUlxw~;Mki> zkZ7q{u#8dFPNAMz@WVqG4BW;t5iO|vwF)Fpzm~p4Ta}is>-PXn70F^`n<%gWZB)^% zSxSd7^Pf08kizHuM%c}6?yoi2by|oSW;i6xg4eE?a1y@vMe|L_ELY|2f^sA6;tI`X zcfS}2S0#V>0;wbQ{!-WEf$5wpVfr&`YGLQDW=q5-w}eKxYqxX+`31p%J+13)zx6p6 z;D#tGl5w_k<@ZRfnGXq5`|4$usT3ecLH|ug`AoTiMu-vmwnjH2$qvxQ;Z&ul-?_#w zT!q0C;ubZ8Cadm``lU}W*U$H~>!9P8_xt`$ofndpJUUP7@`9FzQ%DaVq(=YKayO!d zBvql{+C`AIT--lb_nJ+DWZicZi?|ErPa*niQ*wm!+LL|!mBeV#Q&BC_TJ+EKGT^sZ zTINt~c$?}tsx+nkFW;_`&&%~K-^;bE8LNh4X%2inISv`|PhYggLsnht{4C8iG3fYnk%!2D!ZD2f37Ssk&`1Ol+Gsw$9qG z*fk;XMJt*3_^|gzHEN+Q^|H`(Wyu^I`#*0FKGm#M+%@BgM@YCj{XeFzGOp^a=?c=_ z-QC^Y-6@J7(jna--Q6kO2axXWE-C2->25gZJ$j$(eZTSJ%bEY4*=w&^duBG`RoO&= z%4WSzq(z4Vvt3(^;|-Kougm)(j3{)=6fek5|G@R<=A{kItglztv?E z|4Dw3LXVfe>Q9|vdfu@iAJZXP;Y6TWt&DUvS%; zcm2q}6@897aXI*S{Kdy>qM+x^^OP|AUCqI|p5Y(AFCG9To*X~c)O|omNM}U}x3t%8 zQ7s)cZI8R;N~@MXO=ZIH>5X9c2G&NUQeY@hf?nsQhqU+pTYhZ;fFmd$;0WNA)yW%_ zs~zQsbOKzSo|+lOehv%y6t+deWv5u-uW`(Iav>JhIVVrO7>#Y)a3w;D@JJaNdjSae 
zW+Oq3*)v*hln4Ettt3Q9hJBL2=?^{E7!T&!M;;)$US;rGRE(#cs9^D`lQe1i18^o&C><{2v8$T1B>#_NNcnv zzmn6m9I`_yDk$)0wEU+YsK(Mri(Qx!I2f!~gnYp*ed#c%c?JLDw_L>dt-k8`0^o0( zjmx-jDCU=qRWWEwUAeoTTF`IQV!cC%&Q0QwmXE$(oF2FRTJ&Si_D0ednO#+L_-63K z*boYJr7o}4+mOC@9c^YqFh2qFHNH|hjzPzj~cHi?f}t&^!H^U z%_X9?HeKIU;emA&9x#i=&*ql1WecpjX*>>?dCc6Hwefi5O1O^5Fp6w2)@(Q<+IVA_ z8|J3?=F;N@y|G^f!?${!|2jwPGqDl)1B`xuKsb5_(4MaT4AxcmRLC_(F3TzkdxC}# z+&7JkZ5L^J{Q07z-U!^3EG?&p`SG`RWh9TTT`B%a-xM=vbTl%*O-9HI+;s8;!(^bh--*l*LD}=Z zUo2F8HtHN~u{dZ4_IrJk^*K%}<+M+!F8Ixi<1dwlQmC{2nVjcBvkf^b8MHfsF4@9A zaa#5|syou;D`9C9C2Lz5ZbLT*5&ugW&{{%v0F^&E$xQGPh6Tgwsw(CZz-HOtN>K=ob_QYp#lj zg|@xUwYO)|cx-F7HV_VdU+;N{bY(qNOGZMg2w1g({Gi~P6VeET8o4p~#=>TLeit^N zx+@&LNqv9`>TkkQ$Iy}PiQssfXV8t0D?M`MCu=nDs=%Uma^t7y{nzyn!p>BkJ<`;j zT6QrvVntlVhg;un=Cq7E)Wq@qEtv7e?G{~0Kh`Nf)5!HWsI!8!2r1D}okd~p?C=%I zPz6|CiUxy3eoX=lo!P*`rN}S$h+lqjYp%=>Lm8rW8?FpMF8}3Bv*3jnC%5^_ZPs$a zSLTy-SB57p--H~mhtd9=*rNmRb0xElkL3XB`vvda2A+pw->(ZBAoLUc;u#(;QcF&F zXF_190+jf*EI!b{Esya0Xkxy+>lw7X?sxWS-Bb6dso2*FF<5`84qN{NOX-*;Ed4HX zX*W`fEsaoiwBOSY$FAW$1|+N>5;7Lrdes$o);iZ(2~OXn=lDx{?(N(@Fy?ppZMJ?{-_zGT*PlKtPw4Pe z9PnKXf49S1m|J&`gB29r*ZQ(J3oZ5&7ITH$XT!xh(YD>y-fw8k>!UFSe>|dnJeQ04 z5KhP>#Xr(hCtBD7?Rl^@rd*NtR}QVv@pR>kw*3#BnY&@+RNd4|5ac5)V@%hSEs)AI zmLn8hO!zrrL5DVs*jl1BCA-M>@_(;8xX4;!s05o!sWOiy;&)5G&2f#O3!}xL0UqDU z7ywS~P6=ubrKOW5qL21ApsnKV+#5I8u$4}>+6{3<*rgf*6NTpqF}${a*f_>e+Uzh* z{1fae-Cu;J{67Qk?psS;|_XX?eue{a`g=)7F6>dl4{GM;GIM zi@r~^bUrA({NGV(E~>FuqS08y*x?xzd2VO2@( zw+(#g(J9@9w56TB3J8S=YBRY_Z{1E+P25~P`%JgyI`9g3&Gq>HoJNPtJ-UlQY%86u zBwBOCdWNFjUs5Kr_H3_f_RF4a0`@?0#|xpboxu!v6RP>EM02BBulG;bS|}fNhPN9Q zp;9UhuvA0FbUx23tVV^)jgetekM&U*seglELX3njFQ5uX=mO75zq5G#4Bq_A-!=Z_ zk`{stx10G4F5m^oFLHF7l~UaQL>rcZ(K^Q4rmykSGFd5e-98T^?Q`4{Y(U$0TY*vI3AedD=G&5c z)=!lxZwK^@t~9`t^NDm4N~jFk<8jOMgCYX3wLjKPr*0Wh(AQqX_o3*Y|3}04$_w03 zSpaTe8n(-nzlg~f`O6>thj8bJ4A)ELC6M>FsiWNO{oeFD6Rno@&C%O3P|y z@2Nbl>PApoPXfM|r>*#Bb?sTVrGz0rr2JC~YMk?AMT>Yy7yepRU-H#l?vR9-d6CdR 
z!E$9&B-CnHf{GLbWYBUBIa%Ctd=xQ(AK7k4npI;%14uC3`R(b;SmbIcOOJ?`SRD}Q zv&8;;YkSL2dosM&7dg6Dw!X?2dgK!1R9dXXB-234A9~d7o`oG-Pn#huL7%#ERUJe% zpw>9$ZBl1;#fiGcln1bFEv{DisNs&a*`{e;yz%wr ztpBtdQ}~hhzJb_$X$(6yj>VQKmxe<|W^xenA8mVP;Kx8)BKnqw1@0NEK~v^Nf3oG0 z9xdn&SWK6VR0ylEE;TlaaXHe^AJ^p`xsU;z$+QHWw~3+Nihk z#aF|@Ix)3>SDr|!UK4TNB5WUOC9jHRCHbvOTSMI4n8*+ou;MFva@XBtFTs-1YRhuP z(#=e@tLyirGGvkj<4?&-C%iqXyd0jifxZ6RSK>5Qq(r^*y}k=&n<{^1Yhbm$aL12& z);l$77$1m;+P0jxI`cUid$8XPT;-&cxw4=f(4`^DG2`pP7U3DayUa{UO4QG2F-6Nx zl|lvon=1k_>jHjDTAG+0%ng)e`9I5~#aKjeuE8U#8VQVgeb$J0BmD{|s)xNl+Taqq zGH0ajLU((hwKb+(iMulN8nL&@sw+F7R%cDV<0ngpS3663lIqHl=OTy@gyK+u{3x8~ z{OhD%{EwzbyseUX;i!_iGa2={$6Wmgy-7ANu%KA*F~F-WwF~88p=u@&K;zK@^3>~S zWf#RQq<#t7bh=Uib^6C$Lz>uy*t9shNhM5eknj^@G-OWQ7r)||3G;CX-sPSx#h$ip z(urG$g6{l59&5nzc=DfysQtKxvJ?}6L7eI#HAq32J?^`(Oy3zqZ~F>MF`miw!rEN^ zHlOw!=j|-OvmPzvc{+IutJ!A7FTR~gTCJv8o;`=H&GlCZ>eXI0fH{BDGMd=s@WBTs z(WZ#pL;V(>B+qG;UNZWNO-bJpec&GzMN2c1D}3n~=9Toz z=2SeAWJ+J_15h3sd1tbV!7W%mld}esT{{K?9Z2cP`^i zTEJwzp_@g`06Jbu$85NvG9%H}BiOg>uZ3Jq5{C{|ahUilx+zbzrB>6#doAgA?KwpLYWu0wXJFzZz4*PqLUERd&QYtBe7FMeAyAlCOyk=MLV~b=J@rM)n(#QFME`ur;Avk+9dJb zr%G?3dQ}+PQ_s4y7wL+<*3Wf1`3@aJ2F%Crzte`4)P(#n@XEPcZ`!lkTZ^18(4a)9 zw4Mu0?&CDev%1dJLABQg=f*j3ROBD*Qrc)6VTM#75SRAO5FNu-y0nFX1!voGo7ntb z=6`zchW)gTec!yzXwk!~2G`tv)Xdec=Bo0>DUu$&qJYDT^+A>aswSnJ@_(xm7kpKrIz!XI;!yEUmLy6c$nG*`?l+0v13)Z?bs&5Wzy zW773%w3)r+g>MoaX-4)AfLq%AZ6iBmT$lYcGp!#^b9t&XNxt5%v_l6-fB* zckgy#p~rfuOo~c_bM~R%-JLiGK6CtsH*3z`_%qU9@xgfGymK~|o1x(>xkfBUu%>i` z+R1t@p2|5YAQf7jcLTIwIV*n8EZ8(6NOQ|2pD(ziZ6{RYg|(*vBcl3+=GU36)(0~r zBg)kr@o3+u=x@XX|1er``Ko9@^o11#`c_t0q`(M(!`uiB5y#YWI6`3TT^6(t)sa|# z@<$@Vt#$Z+gTSI&hWK2{S^XRetg;Zcc+r*?&++igXB$9Z5WnzX2{g3HD@fVv=OBMY z^V~CU>{TqxwF(j>E{%^ykE~mS_y;^B>VdLoieZ?Dd9A#9uy_yP%g6_g@ez(37lipx z*UvrL_y0xyI|0D+uY7k4!v!j& zF;XjV_Q2!d#`S0b348Jcu!-`-7YKUKo1Xu#>JEXp!_`^616*}SN#A_jP*zMuk9L~5 z+DEDFR7#Rz71HifaBVQTHTZQl?bsPS3?_w6&7CmWI1w|I*AeSG#yYu@A7lNLue#zKHgeD5p|+ 
zg~-nb&PwSCPthU9o$Z%eeO)`<{Pl9CkL$ND)FbM!^f?nju{-LsnzN_MFokOKjxl&^-u=}vdKgP7mtt8MmcZ$YH*|~QU0Lxi zV_2(jHAtq)Gu)seAu^NZ+Q58eoQUP@j5kypn&9!4S2WSFs@zf`jE1f3i@=DfcNJ^$W;Q1>uY0fA59xU5nw5L)}1!zW8St| z=e6f@9bs(M-Tfy?Jh|yjv3m>WH9MZ+F-$l3I8m&dy~7i9vEMZ3cnq^jA7g9zHEjA! z*J1x!NI@^*+E3aNr&b67YOGv9X*YovUns5(=Ozz4XdcPhp7$46xmNp~CxM}saSr_G5a zeGbQO?;Y5Rfjg@FRMSHndM&ZPQ?$h)5YnDc6+$8X^HPd&V(O|Rejte!y_(56%K(1J zbfe^#AqHjYmR)HWFENHkEZ>1`bOqZOLheayikE-N z*QYk>nxwB1*GO6>brQoP(Z`~Omp2knc!hh+={IzG#b{BPV%>tG!PtEK78)8Og0CE3s|`V*XwryX_)Jz{eDUp5Vk zt~$M7n**;Bz1xx)m#{;zuj^`a7B9e6>W+Nmx9blhj9w7e!0u-|d|g?|-4ly{;>&v9 zMz&9{3ct7J0yMv<1lkt8T*LJ^%%VDbbvZBK)wTO>@VW-lefBC`dC57u1D!mE-(t&{ z*c}Q}lGpncDy=o7md(}JC1{U|@b95C=j+x_jH=+R zj*2j!xzZMRRBJ-2^fe$DBSg|yzr$~iB6o)$Or(9&R zB6+N83Pyy%F)o!?zDW>+{zcs!kojE`0a za8m^ww~l4Jd%GTYWZEo1xBTvVrtnPB^0?aNq4wf@F@so{s<*8x_ii&mk?~3-Kyjc$ zp(2Q-7M5OnE;MAZjfbU$k$O8&zu)WerDxVH_$2zqeEERc%~cu6itZ3PhT$AKI8_|h zm#Qilm#!yXv!%8}A^L^3EA8w+;c<)N5)#TUY@jWhRGQ&%pTjlM*YaO}w-$ zNDE_mCfg2HwOR6rRM?l=;lqGUyZVG!*Yy>mQZ_y=s>) ztl~6rZB>fu%8nyM)rv6Oi=v(OIS8J_8{_KUv7V*g0+VN|h@9!~_wL?RXmWGkgs7pP zk>>3OWMK_V?xX(^iLcNM=qLx3iP?>gE~I>Galp?&tu| z{Dk+25*33nnMPUmKtOn=7H3bh1w-Zx2DveR)u!ASg1GJg)IH|KAM{aDFoE;aC3UKU zw>y*H1*|PZUU9@ZBtN0p^q+1)GILxrK4a!!L8Z^VMhOq<80Ol;Vtu{&49a>qd(dN$ z8~1?#@DPQpJo`}ie|HGir_z`{s?O5BATVvqqf3;b+^yEc+C#_xsDvKfwIlcmQ;-|| z%fsFj)eo?c5fqT)9ss>{Q(?zZcRg6o!kFh8{j3ojpy4757C7t!n*U* z+*E6TNntbtJCV(7J}A^wsH_$XouI$jkM!@=htL)=gs-f zxNJ#=YtVvzZ8f<@E(onM5KU(jpDV}tkxSFVR-Yp4PpN$LI*E7HssE=NKYkGVl%4!T zR~qpN(Yfwa=$;F+0gM&uE%Q3du2kpBg=|gd%0?6H^~Ya>f+XV~l#PyPf4)G*PO@d< zj5`kazCQ&$R^n2zDmf{CwGQ8uW{C(Yl2@yyi-aD7no1*eBGHA;!NRU34$4ISk7cg7 zj>B9^Pr!g#rj24cvdq#QQ4_@cL!TpK=LmFKmW3)EPOe?mA&f+^AYTdZkVR%+=TD+t zVGe#OLbt?t$PF<_xx2oqE+3z|IN!OPQ}-0xIb@)Lh_oFLt?lcIa)VkGHO^*noD8&mU?z&SFCntJ;;FPh)aJVj4(ztFivFVlSP&dj8=W}n} zC&vi3(l1lFt-?FvSnS%QD5HHv5E5F=<`92ZA5D9x4$W|`P7HjFpp|59lvFy&&K&0k zt1`2{(c$G=kiPe)UCy@M0g_VSYZZ6VYTJh|5j@ncie|Cks%DiHZqB%2+bWc$nDB)R 
zmJHcKFZ~kE$ulxb)CXasW9!?K_hYxVRaQ{#ck7k8pRjD4!96%nWR%*%2}LaMw`5Xn zTi;dR@-~zt0Gcp4h{gN=DouP&e?9L+9zB<>6FnyXxR1SJoN@nV7(Tcoq_DvMZgH%w zuki!UW4ztHbDd=yqyd4h?`MrSyUO4;7$LIfdo6eP#7E)5GvM^ABX=4E$U{O8dcS9qVhZ`Bx3t1rG z_0+76xZmHm{rOW73t)DV0LSw#*V?7PB(wvr%!mc^fZO?6$<=h56>ekPvr%u|RntKX z?N?<6E5TfzYs67(r>y#1zYJtqzh2RwdIZ^&{P$gPMOq`wUzSZckPJrU$%C`UqnM!P zLz%9^8TN!&F>s2iWuj}pT`B=twSC?IPz$B4s7s+zOaEKhfFrrN#7KoX@XEqRB$UQt zV1ZXQx3um0;o%ZhTDngfK+Y^EjlKpTU|QoGgU~z_?Gyy=Dtoq@*QiTMT^(8g%5UVp z&v%kOhaySt;erYE;xE(2e5^RO;ghMd_HPWr-E}OdQlXK{Wh;RLpTq0&{~=;bZsgL> zV|pm5bztq+7$K6(Z|KNgJd3&PU!{U+F}{u#H@Qx; zgTI!D+MLw1#p&im%a|{fIJ_xrq3Jy_LniNI$nIyA+YeT6?BR^%}Z2XYnGhCf_86j-?1 zhxw}!uq2e&VtDq)@hR^9>G&SCG{;rq8~T{N`QsrdZV(o%SSRDan7-eA;+WDSr@_|r zm?WR@*reae4nWvXI_7 zhc$d|Y*E0K&=?JqpOsd^8pq%(+h_UiS%%0lA&DQ(w9PU9om0~vWruR~wT4u|Na=R) z>!ECL$5|HKCo7O&BkgvFZ!;MR+n}?n-2ioWh(NIEO5AjUF4LR*G8bkq`)c(6PLT(sbw{CyZN(p53Lf%v{cgP zgwf%#Ny+AwH-9nvLT%_voc`PwFlG-+9yBADf{_Z`33))Cf2n@Q_Nl<|T>M?JMDe_p z2kk=91qn~`=qbpS+V@OAIQg9@GJNDN-D-wdG|mB?xiRFQRpUqCrJ+jYq~WulGx%C} z6!{9@sg}#|Kw>zm*-s^9VCM2|WToO3e)sO=mTl0lf63({gS^INXYJh zf>~8C^!&b+D|2#w(%Nyz7LYAb1;6ciG<$j=t*E5p95nW;Onl3Em#IMZcb3UWT*OC= zE^!Ca7YIn=2+ex&v<-gDCdr;j;O4E*N(mdm^58Bz5-^k2?)k2rT!VxHwKIMX9!~=$ z{Yf{PrkUaYc}GJw8SI_p-`-I?D7^xEr(TMSN6B&LmH{*Z0)hJ(?AmjDea&f^03Svq z1}~cQ%UNz^G@Z^$BG5g$cm=nPG`zbG;*5%QneCe_F_bbp80$)k5{$GRFN&)m*dY-c z1t0bW6rTJFr+|EEnmGvJhud1eD%}714s0_%Y>bR+P>BxOiSws&nC1!tm+0bm^5U;m zk5zVM3<0MnTd-f(*rP`cpKf!LHkFMjxkbl!aK`P-%X!lM>b0StMMM1(Fxt8U>8dd{9_ zu!Wgcegc=G@QM*HrJCAYpLOT`>RoSK^%fV8XsJj@?o}79SdK)rfaQ}fu%w*6zVpOk zkA~CLk0UOFW~jb%2kV`|>PMpq``1r)Q$C|Z<>)=A;)X&>b#ys}OjEr<(&9&)lgHqu zd7?oVno;?XU(ohr|7nbHJ_0G}yZI^j0N$a^1EMjc`Lt2%mD>tMK*&6JZNCq?yRQhQ{uda%YVE3e{ z59FlT_KrKyiDWQewI)!@V>pXzF3P<79fjVD&Qsxh9Q{@D=5pS^vdS4}W**Zb=aY8r z`2#4%Shz6|Qf(tnz~NPJJ~mE&>$VZ0F6Wn8U;KLKxsQRVYNv*~d8(dwco z%c9|lzDzwVwx7H%O4ceDqZ%-oRkwO!;bnHNzp)x$g1Q+qm|!MskHv+jAoowvx)QK_ zoUSYu6V6D+-v-)Y&`AeI9K{r#Qm0UQob03jCE^M^6mP-bd(O9zhiU3RA~V!W!8|1B 
z7dCC2Qxx5>db?qIX?9w81-8n;0>yk5H)pw1gob@Qxnp0$y)3w5YRl>NS?Heggo!L((G z7xv?ZLghtc7LK<_JJn#HV(Evh9s1)pnDwHH$V*pq^AI$xZzQS7U{M7pd|D-t^1aNh zL?YO5NK7#>)oJ3|$%5wJt5LHfzF^(OMudsq1&ksePv17D*IdwHV!hu|3z2L=&tO}i z8>Q;BOoBI^NT`7;=QI9@X(YitxcEiOB7(txdBoX}xz#h9fIVITIA`}{qt!^?k#19r zA@nZj=qFL~yU@toS3RrY6a`x>7RR-xa5&_iNiE<8;*=JP0G*Q$SB~{KX>#;cDNj{o zSZ~z_p8`>sL!TtnKD!@j0WMFKZP%4RGf{z}j4uxz%W^+YAI3l(I`~?w);Bw`laMG# z%f!3TtOhcv2VRLuTe?@b;v8XQ^8AW8{;(A}!}M0~*@t2BjLX1+t?XUyG(so`(P;E^ z(1mQg@TD@P7kHw5km|bucu+Nl9{T@O0rcf)48hnL@*@ug_SS{-_o3BWM|9QW|5DjV^TSaN}2B-`L4eTGZyH}&mL%j5N z3;cvVodEwjRRHXBe-q-}qalAENGij{BLYOqeD$n(K7I|Lv)Am2kkg(}kxYqb{*1_5 z=|NQNgORzzWGvJPAFRWdw54VnMDtBB!Y;y&U_(l;Zdac}Dtvp@`tvt1$q<%rQFuOG zOsB$4VwUcNl~uvJgB|F-WW-s}>+$sEs$(S?l)8OmZg|W_Q_l+y*IMvDur^qt4t>?{ zgmp(dTj~{FbdIPE-kmxa4D^~y*IejzmnTrqP<-}3eoQ8H7jl`%D`F?94VGXe8nvh6 zmB2hA4z?NKMPACU(9>YWcac^<=QjGFW&F)NJY+4T3LvxS>ftL!QBaqAII+gkB-;cP zdj8^2>`lTGf~sG{^nrJ30!<<>n~sBfFtD}McB-U+l<#sP2}7$R`2T$@Ny00^Yn&fZ3*^B@0%~=*I-p=q;51d z`#Y>oQlCn5((3-HSQp?sM~)HatJ1Nw@`{8xkE4zc$*b0_F> zDA=eORI`8FA=YXKfV^cq-246^yjPVm#XXKi0;+~+Z6JX8h+@}gw+&u(+*p9*JnY}~ zPGtXzb&j{ewH{w<#$TLB9yyohqdZPIk4HLtKq%lVQUzM^8B@I6>FNnU`rHIO1vQ^X z-27Uq)Rge??$H4>4n{5I;aYyIOnptaP;UvfImi;Md~Tbe;ozQQ=lrL4)m6$fRg>pLoo=1sw*)}k zMth$J9u@!}z^w7(wdC4acGfx9yWvpQ{{5)9yA4W4IH4b*tp)rnwK2Ei&vkQg%(!c% z&6DH!S?R$SV);(LTv9Qn*8{IaAosqig~0ESqo!eO+&{hNMBMV1qO0%CLke}Ibe@zL zp^Kwyu_ObV7ZXfZPK7uFWA-l0>SgEvA0wXtw7#c8n&2aGDP|6uBUwyl;9wsN3G!YW z-#ARDynpFm*e-vU34i+7EW)K!6#Be#ttVm98Zr5Z{A~u^#g5ZC>D>@)-m4zUbUAal zA=i!QH*4oqHi;1+C}%-@;AhSk!~2|bQsqN}C!l4l#_MBFYJ*XGj_|}PnO%2#ZIQuy z1PClN5r_d2Jv3d!!2&iDhJgGyR#%n z&-Mj{1`*#|HA?R_AIUjVcpR-;w=3Yj4Ae0h>+ds6PerY40c08oL$c$7(s71?> zixeSLOLoPOqGLO(RVsxAW2un|T@O#P^B)jc5e&Ff^G09(1_DfcfVBE7cZ~t=`mE?< zUQ)rus!1~2&Gdj8UFDN3S|0F+h^xLfq8v1gbdZ+)^SN;3Oa0bys-z}Eujg(;TE;}D zhqp%A$gb?iq!g;W?-FXDA!?!^SbKF|_95{F2z?9R6oT5lTu|#97G;^K(_;R5`%V98 zbdv65GzfidW+Bn;488q0*kNFK-o2`IiM&ck(Ki zUu3PBysQ@8JpE%%dUV(wC@%4p#VtBLwsb7B>N(zq&dwVZx_W2{v5n8=L7VaX#HAuL z4=?(|u_~r<7 
zSwwz>&N9=IqF0%`d1*9vI?0~w;*Ixb)1@CBJ+Mt^#ieNjHHoY4jEY~kQ@`#I1{Gd7 zO2A_~?|M>vpAC9+*{%D8-p_Oi0M9kT$1ysT&Ng58O5;9_{`ZsQtgxJuR=IwKfj>zj zNIRjh^n$!5P}!a8;Md#NsJSgj1#Mg`tZj3XOJ^pckxcWV??&(EtRq^L1?29WT;=Q; z8Z0W3kb7?Q_ec{4pN^K-cx6&$iq+hi&|I9H`b~%tgYL}B$Ul7UEr+9a4^okk`V}OO zUIbm0cJ2hHh6=r7n#4waz^jfm(0QE6NkHQsg!0$4cg9$GiK|=^p|xfs1X@u@0|ZiD z3EZXTTvG&Era3wTcV&`N{N$|Ir0s+ltjF*AUj4hiNuX{Zmt{;{$K3`wVBjI2u4sIx z5xnwK{JLOVqj_-!p8nC0BbpxmHWrw7hRVpB^$r%4oAsOYa9?cZQ1$BthOx_2$zEtN zr7=>_!JX<>!0kN^-z)GccaS+01gCRf;QdFpst4%?sah(xN<6Meaz1i2Kv-u z*~rHQN@A1ux^Xqg_`S9n3ta8G%t3DnQy6t%gjAAtl79 z_lO~;gNzviRo*IX)1UNT*y7siQ{R+zob5&(&7daL$iu}V#W*dSo8G;hfybHwztx9b z%p)){rA9_Py{`m$Y1J|};Q5Jg%H11wzKMUmF6Lb94`7~eT@sI^Up;#RCBu4eN5i09 z;0`p!doa>`~jQru2`w95oPHuFyHYlFp~obe{W?&{18ukZbB^q-g?>}C|Q81BalViUak%~xde3M4 zp%*djxM-f@0&qri*-t z^I(mi5(-el85H;a`1{OnjwBDaTWkMF@G@L60uVKJ~gPw>O1C1ELVQNW0RdF>C z@GOLU)ZIQU=Mc^EcRRuv70xKz0cMIS^e`ZelBuBbh2`PqZq?6AlFD(F$RAXYin2Db zD?G>-DmJ}lis(0E*LudCAsrM>`6gM}p`s6y2CAKS=OV1Kn}}*fD0cl7oks|>$Wg7s zS^gl}NZ-K7Tiu!Bpoj&;#8SClKMx-y?0)N1Y6v$y>>zD5o$PZKw5x9I`oBR=9vdIQ z(@_?Y0>&;9Fm?%r-BEd{Ey|7rdNzAahw^`(B_Yir^R0+53C#+tv6DoX>sfRxdehSL zBEpNez1a**K0?ZP%haILmEQrzfQ1g>)eZ-3D}_>xSq_x)_j629uL;ocA2>*g;3E^* zl0oo&{oJw+#mx-Zf1~M4Sfi+zSG!1K0SGhC!xJX6-RClKKC)jIT8S$hwvj8>UiKPDH!c7Bd~ea^c1a$N7=9yV7JP7ZK=DkoFyXQ7k*$6 zsBA~bTnXn64RB~J74C&@?oDbX{DxR@TV!GP`xt{HJ%H4INypfps#Z!YWfDqh?HmhW z+h)29NRy_JJ7%-@&`Z}?0!b3`I6|-hrT&l^uC0Lh2hNVNhs0VLhaT?Vc3$h-j|8Ue zK<2-eD2RywQZ*6o&Sps5NwMETtlGz2#Mm`K{*e44Xzpvv$o+))_+eutyxRda3evHH zy_{@4W{jr{IH`PEX`1=xaJ_ZYZ%p5=ok)uN67l<%oaLP!cIUU{P?nwGA-%1q_U(AM zzR_=%90R7Af1P-FA8!M;$p&oG@FZ3$@Nv)rRS=yBx zwoDb^Sj&UF+8Ols2etblHzM(>C}V@EQ6bSs@8mA~uy76X|IIo3&t-eZzik`-hXj2+_I| zY^{ogp$ShN6v-*@!(WiSQ36JWBBl;B5W@5x1e2y0Xld#P{blr+ws_%avzZZS^wwCs z`m-8VsX}2bOK+%;G*K#P?+VoQow^hCKTBrwwLtxBSjox{V9`!wIAQ@ZEe>_i zMCS_=EgztSzIJ=Qdry`KsUI!p>OFW_IUn}NBo}Y}=(KIC{v{v$E(=)@5v19s#a85g>JY;E`* z?UqkQ?~+`0iz&9u#6LwKLaP5S_y09szB3??1_$cQ(oJ00?|5q6zc;z&uc9IBT0UrV 
zdOGpm^iJ)x@%3})qK`rQJpBbcHK>YtgE-@=dB4q;euMZ8UD+kw ztYOaJt%JL_jB9gsW@|n2lK4{ct42J;2U7Db$=$Cy#Gt5W%b;Xc85 z62k^FYfwmahV`XX_pbqBjkE zHMVQe&RlJEdP!WlB((~&vnOpUIPY4{gk2C+nsZ$5hj}NuxYYZiwY+ul-ONBL zorvFJv^5z8vh|&nh6rj4c6u(X1xRuiorV077%K&o6ZnwRaeME|X?5QV0X{d1(jYVwuC$3e8z;PX^`@XQnP>Y%cd)336r5`1~ zVN%CnM>);h0KTJHg69)AuG^A2_WI?%N?F4suSM}n4V+-XmEzUe{&263Px$?B4q7X= zm-^O(0#U-}usD+JGSSbUPjYf?GyptWmy!!#-$hla zZsMSP?N$3Iq^EyHc7ct*1k^men26N8eCu{+Pb%Tqv$gl4uk%804(VpR;0G_|`}Bjp zl|1WEJ{KZgc_KUJh;1Z$(xbH!1M~d1l9cV^Lh_@I3okbW{AiZ24w6AK`{RH;Ck+BQ zRW`X661MHc3mH07X-8a9kv^P`KW#$(rYRADDamqmyo6df?LT=PeDDJ$LQ7G9V!e#| zur`J&*t%eS+DodHz9Z_zIfpy3^GUiQLj-Ye*fhMkj}v5jL3q{vDq1kE51^St+oiMI zsNCyEyS055jw~_g?A?y>_^8VMf9#_QR1kt4?uQQQ=Tt$Ma{3yJ4S{tUjsv|TzE=lO zIr@2^uAeM(7|LU_3#qjo{*Tht3*8fjXiI+yUMzk4>L z_<)MN`NOg~v@+pThsU#IIF~t=4O)ECiFS?u-r3rr#LDXMu(VkdygV@xg0RE8he6GC zyAl_{a_NXQ8~z{Wqe8PkX=kMPoO%cW-qw{AY^(eY8+T8>tD6rIg7Vf$C5F^zRGCv= zPvHGNIXg0!*<51h#+(!YgBs$L%?)MOt!yxvJRNFlvE62&_Lon@n z&fc4j@AbiwIpAMk3i9S;4j7Ks=l5sb4uJN_;E*e#Ke)~hTbowZ*eIQw4vEf=9_4lT zCp8ojB=ERn-pefH9<2-C2mK^zeXE2$Scqf$1ADjX`AuK?(n?jFb3(LeeYIccsMpuB zc$H97B@!3^n$8L_LxMwhi=5{~n6O>HzWBEr#6CYsmn+-%1qUE!-C1tASq@%m_2|7q zANT-sR9@k5+**Q)u(GBZ1hvF#>goG$()s-2EQ_V-gwCj$l*NkmocLRDYd*E_8xbcP zF_}M_p@^Ag@cmEG;M($Y?}ungveZ}@=dKsc;pv|k7b{~`>>LaPoR8c|sqriUW2ek= zXfu?z`CKd>%?(6G>;&v}dzT_v!i=kcR;@QJr0=;#Y}n9#R$- zsuK&sl|Fd<>~NOW)jt1Z2G=0cS{{AJK3?GjM4NmU`ZBUvN3{4J81_30Qe2-2L2fS~ ze|!E-GK6wi;2o7^{U_61X(l)Y{tdlm`0K!CB>>;Yq~x0ZTppWk;=i)s#iShY*SZ!^ zPOrc{)WQeVF?S<`gU{@!h2@rN*~h(?bVLz}FdpEDdu$DL)*p@#f?>es^zhjCb)hV^ zO+T)cA$KXzL7C$5!d&R*`@}!Cd_W!K4rlo;?+mZ}ndzYy({|)DZ-4~%s=2gws7*Xg zu5#3ND_6?%Y)CXolr@I>|2DRJp}eylK)$d-okWSNYdElK3?$bG(u=7Ys`N+@<9aN$5-e&5I(kXi+mJ-C znwOe;X%_jlheD)2YWIIsJ!Mo?UDF^SDc#*IDc#)-64IrFba!`$ASoq%DS<299ZGk1 zH(c_&;``wGe%-}6o3-c6%$}av>39&+^a;$iA&_OY5zqFQ8N@rQ4T!I}esP!)0W@ZZ z?qeXieh7`->K||>Tge5q_vF!XM#x5X_A+EI4jQf@C7qKkJslWQBw-Gcfr<3Yr;@Zy zQ%C;q);1^!)pHu~uXVH{bLgXWq=au5$m9+jvrUbMQIs>BDxgZHm{GGx>p}%LE|Qc= 
zMtO(j3O@Yu-&uAx@bd&c+UQew!}jk^a=AFTSE(e%l1=R4t>qxw307}fCbM2(&;GEp zhoJz?eJtwLY5$Asy`Q;o4JALOAGr2?5rx`pS3?0!{DHnTYAyD8rgPn92~1>(QO0QJ z;_8gF_b`Y-*(^uX#BvzZ4E#c8a{gs1c3&x9zU<~RWg_^?62V_~FUdi36a7i?blyyp zs|NSCi;k16ZreTjWL{(`alg%IWnk?d+To~!A5sSm<}JT4bw&P}MnhGGS$?t8eX!Fo zOSHDmdq@U`(YM$#YqzXx$-sQH7jI6VC*fTKSMod6DcXwsGz@*2cZE#}9+)hr+0F_b zZTk&wtwpmij8YqJZ1@W_kg5fKa7DJ|=j2i)51!jkma+80CHzN*{^TEt4T5G|*r8D+ zg}sL>P_fcOQ18|WJWk3#pC!m&a!l^}`xw|~ z=@wRZ4DgrU+~S97rgGh4#26-EiyYNA8&-wQ-;VsE3GY&Wh+N0JlwGg>^9TL!!-$JU z{&mz5dqvnQ1)uYSAT1{~+**PfSXn~0+c)lH6Yk|sJlj^|fXgbyR-((L{LH)gjjtK! z>CXC!lM@NccI}0p$t#JL0=>4zoiTSlr;Y;yr()OlzHzqD*uXmyalOHhpKsB8iH`=m zY=VlMs)`m>foK?5WgZLk#uDhB@~B@LDN++;74YdLMlsWy_aqg?Z=j@gN{3OxW`bap2*L6bdO~PoA6p{rW$jfqfW^|+e@i2Lgu{>U?# zk@l-m%e3oJb2X6=)>O@hG3yv#USF>z6xfBCC`6>+REdTjWFRBGdWwM^nMzefQCv>4&{@FL%Z=@>m#^gvuWgIMzwqgM|6( zYaaS9!WeZ(dUStDeN;|64{l49=LiPcF|#_wG6rqPtL6y}dYl-=Zp%lOkTc8o;Rgfj zQG0UzhFs<_e>)#r4XbKIU_taC>1rdZKwrVX_<33O*&aHS#c-pzt&s(+*g#3|;W=IFH zPoe=v^91Tf_l;jlzdc?K+UfZ2h$dv8F*I%NC<3Zr|Vr9wqS z*8Cn2`;O$oQnOOw8hfVx=xr*F_-zbQhCMiUp_XmQVyX*4fze%RiW$@< z+2%VW2bxkMT%Kjx%@X30F5WvD*>4cY9zlKhh;*12^+$DN13)SDVVhh#&S7JhYEg&(&B+9Gp2azaa!-5Ksr#7N>1I{8R@$bs(cZeQFDi$QyZ$SL5=k zKnJ`RflJAu%H+wV!K5}to6w;6Q=X$xdat@P9WVUTorM}8cCScRK`ki{*)fZzeOkHw z$V&6brh;A<0tAt=b0b==J+)8eMs(-meV{n(yL@^UdHZSW6@5OsHFDhsl)nQOZ+8hL zI?qXcBUI8iKLut`16K)6V6n>FwNdEo5Ia!ytJg1fH72V9wr3_Semz>dw@Pjti;8xg z>?H7-ibEShf`bQhQkRk{X+j-~V^}>fGVFy3L^&wXs$A93Sk0ny)Aq%?)Ey%%0jOwd zpE)M&lC25`lgfT@=w*gzLXQhvHElATYa>M=9} zURb0$RvM>uBgW`3ac;aMdt}Okh%iiv5&;NBf03ujvcBZ@OV^-z;}N{b?w3dxu85)~ zlAFPsdyty9OY;4A=QdeI07CZ?O1Jy5Up%K?Y$#DymSY-#M)(72Ti_6{9oak3w~s|V zI&gpE;3e%fogP5(SqjPl?`WHB5di~K>Oo%-2?HTn;}$q|9s~Bt6?C%~S))8GoqMpT zo-41NSG2_&&Ni8mi=XRWkLW1!j@qm!vgg2rA>B88&v_^4d_1JWAU{xv{N12Sa|k6P zy$i+`Q=BbKO93`>HuvacVQaB(l(_r$Jf+SVQq*+mx8#c>%)0PjumE;ygGD57t^KIK z2q$qf)<&6z@C-W&6&=gQA+Gc*+#?kf?vCN5$e?8M!{5rK- z@^`N@zF`TE1WAhC;t;O*2g;_Bqdf!8SfvNqEzBQ=R|dLVa#ub*zU9s}&l364fM2OB 
zG*U-EbYc!?mkGD%gEoYQuUgS9frgAqGNQ)W^g%1I=wEpGkq^DrgA1z`Y>+$^q+vXI zX2vC3W(~>>E@6lX8HsOxoQ1=603B_P@W}Q~N&U$5#*Le&IB@ESTd>xb;tia3JvK`U zQN4FZC7>lKeto%w-SG-om+S?_&S+TvS>idzgGkAZxH2&A*w^-|*(=i@T7&7;SR9qI z^;Bd6Wr?wd#njL%;2Gx2iDhI_&GO*V$O1!z{VffH(JpiDqN6lDGyBt>2j=ngk++P+ zwu<%bNIP2#k&HD+-hAhLFzc?SS%0EtD)L!>PGz6!mgBR5*mJffEbU*Tzr_|7n8Dm@ zmo!@~08~V@r#;|lI=)2mehS@Da1{EganP7WpM0zaH3_K=!~3?J>`D55pNlzA4}i+O+&J zNLUa#1J%oljP_Y8z>5%Yq6UN@1=%4tx0s`UFUV#hm1{zrToiAQ2xfSS+GNQNX(}>4 zpUsVxGXFn?;ic?dPX~MF1)w&QkTW)GUq=|LL$vA^Xh_$W75kPo93% z7Eawz|BMLXhY6+oej`B^EDTVp+jqJi)3jp?{4KrIRFpAYkzV{?Pm_eJfID+9@qIqx4#wy}riK zHq7<@4?vJ@mf;Q11>=QuUTkAFw_KApVA2WxRQHkzEm8SyZq=_6O(O#_gyiV&RO1OW zIsERjt6E@r&>cgn``FWHO0hm0h`jQ&er_@TZC+p^Ku(bVd#AE9ev6MeTn>V+piIjq zUP5rL*ty z)TEs0BpW&-1r_?@`b_&WE;8MoZXQQKQa)UQlT8HEi8ns^-T0X7*Ed!Nf&w{_Q`VEMxS;d?CjFVR-* zOC9_7R0}4MDTFCN`|jNM_Y3k)K%aj&73UhW1>@8fjMH3-v}?ShNn0Tds-mJ{M%T=^ zL@#O*HW?@P*HkXU3zE3p!=Yzeq!;B)86(m&Ic7a$>7Ip_SIR!NG`qRBwanci$7%1o z8{VP*=!mSnr!H%!Y}|Q;XPmSYR*H`AK^3A*&2&O(aE_#@g~so?XZQR$plFdckXr8icls;pFSlX;N62V2)qdl@RQyOJ@lqZ7Av1)Ohet?7@5A$FpnHJFHjk7etGOsWO^vTB%^PX$1ByNx$cL^mt);l&T+NQT*ss*td3zX2 zP_B8?q7LNW{cU@(;sgPH7w|CoF|W)}TdA6xue8=c8Oh{yh|}j}UV{gRz*p!mT)!l! zDtybOA&fpXq+Kdm`koyYRqwutp6_7^P=J^>PZac~WD9GOIQu2}Fyx!eBea zOT^BAc#p%Ls7e2Yk)v4V`MgEXPWGPR4=LUaY(85i;4z z^3?k3A!ex6xqc7w%GxJgm#HU_4Mn9|F-KdLE`os6f60>8Sj@yn1+2s%aGIQ^!7aWO zgHzgQX?i0AS2`1Yo{G18azBk|>% z|I4v~AKO4mNozF~CW6B}v=@YrWJi*rWw9}fu5AmQ-6uU#o;_eS`I{gfxi2x{7DdLrn zWp#5`xeMWfxZ011k{2Nr!=Mr=uHb@cERip5PV#m>4HEDWF{;IUuRlotYZn;Glat47z{Y-~AM(d!_U{ zAZKaCXm50}4g^o!f9Mq9Z-YZ*+H1+K$W*~~Cm1}}vf*IVY?GBvMh00nIN14VQ_vqh;WCxQ^y~?;u1xesuq_(O5R1M)mTE0H%Cc8kD2uw zBVWd=O@NBf+(YA25TWatE9r7Jx>O5audmzoMqaDX;u8&H#Um7QMDOyQ`eLT{vF0OV z21#c0efE>nW8P=ZkrZ>a2O#!kjz9oljc@V#0oXedE5w^8C}(?%AkJzo}V%j&1B!DUvJfEt{BunitBeUYl3! 
z&E42!@uMS19>-o`oiPmDXDjynN?={){Po#tC9<~DGxytPgOW{|Ei5yR!wD5JC+v~X zW!1Pr+Y@{r4zlBFbN>2bAFl?-GqD4UnG&lxM-lVOPDS-AkGr5|Zy2eF2M~keW6RIX zm_jXRJ)0Lf4AN`ke4Z9$xkBPK6lf>?k55k~j=)u9B}fr70*-whP@tPr~ zhP)u|TOFDDM!KE%NebB>75oF6`!(m2DoZ zaz`O>yk7_HsL>1>$H|4lz`JVe6vC@v5#@X{Ng`!O(7pJltF~~%1q0I~1i@!(NaS5h zD$fDmsjv`A6l0N#UXhjSr*~)j_D=8XPZq*#z22M$sQC;YR>iT0*O&|B5#CDc^b4QW z?ERc=^FNdSX61({Qv4y+1mb@drZpY}PQYs*>O0b)Z@enlfd_ny(q!T98{kq);$KsZ z4RmB6u(t(&d%>ZRUp(qNU@>YE7>5wz>ydbEEf^>l=WV!td-snJSo_yXF%iUvJKyjL ziOio2x(1yVQu07XBboNeG?Uppu60xHe{Jnd`^=Ai`}|O%+r{UmtYMP@L#cEO9c^YM z=6FerktU{e;Ftf@!U#p?M?1Al8ne$!nc+P+jWymh#C<)j{T7WEH3n(JIJKBS$HyCu zRAW^^eLJDbA=f=~Sg{+O#ffP_54Fe!r@k*U>hpE}^!$9a4iK6`-cx3y_a!JLPD}ge zCZ7xuFR_B~?TTrgDI6yZ-(vrDKR8y5Ro;9p@<)x_gHw1Nug_@bjm$9zqn6z9O<7AL zwPqO_sP)hLm|#JVe9eUwsXDb)?ElG&m1D+rZ8bn~=fNK&j-5or4aA?`Hugq%7#!br z?Wf*Q0}_nBX;28T>22dVBFo4hZDtS#zDnj0_D1002^EkFVz3*g1=lI+8kOVy1xIrw z4Ga!2;8)b1pVDi4V@6u{HdQo9`Q+OGS%X(}n;78t|7ir??FhSkyf?Nbcm-v{4lt89 zssLav21<$m%3i)dn*;OI8k+g5LW+=)aFjPBN47H`%Pzbi1O<@MQvew2qWN(+RyDR) zu)n9D_7&%tq$8b|R@wEx9hrsTh*}-e{S8)u-I5cqThe5QjQ69^`x7nHBqE|ES5gxM z20U#KRIQuwDuFv$S8d@7-+<5F)w`zRt3P~$2<992ReVT#5I+k&>D*$Z&gf(4Tc4>z zESLIRPNdrsJqLO+MXnDdTxKbVNXD`pJWks%#;!IS1g4J@W(}ywZDyqt3PbjOwboeA z{SSnGgYU(3>+sR5HQrj9kV+Yf3<-S6w`fzBAfhc&^W2J3A!GU=@n1a%JZzL{>8gTR zDOfuo1LLhPBNX|6jY6&aA)1!n*X|i2o|@)qvE6{D$tgZ87B8ZP_FR^#$8HhM>9j{Y z8=9d#SY>1Y!#D6SrC*R)f1y>jMT&h9x1gb<{nil!Hx%jze)+OnxL7P^*{T9o8F;tQ zmiU0byO~Hog*0$#a5ug0pKWR9*F`?9+A9NW|akfGZ8gP zQ5imD$dNt0s4_p!R8t;Q1kkl~m^o@FgiH||dr0;iZ!ZnE zaR+o1BA-7oq+{|&PAoennb(9W^y|W8Mq0NnH+&rVWJG^UGM@l>9=lcWys!UNALCk5 zdLh};d*zo6vrj|^#cDoldt7F;L%{(F31lAz(x-zP_oe7MTt!E;=F}U{M^JSbe%GqK z1jXb!PiX!7cYkF9_<>0n1HPE(Z`>0$`dpxC@MwZ(A;)HPrbsDn?h|Ai7y>W&momy= zMW+wp!lDODB%bxOg!$`f-8+A4FJ?V3Ul+-?L>J5zcU-?y&yKC2Bh}ZrK-Xpw5`vc}zIz!-t(hGd zzT@uY4t;m^^QB(NI3B!A68Roso(;9AXwSVxSuu!c9HwVZqG3By{9uNzYybpjJisD; z=@A*iZi2&6SqU{VQk2G76BYkY`lY$uN{8VtsfS5}?cocn0h?t5$3xia({%pK3AQvz 
zhoRByJZKlOE&qCMegI8AZvK8U}42_kv?AZBkDLOD$)~OZ^AKJP$hw^EC^`{Tz;kD2GH!&E= z7>1{F_>zu`^_p4s(Zg(aYG;cHb_y#2lDTwn*k3@6fYa@J2vU|iG9L0&0DUxqZ#%hW zUk>*PMbBcjsRreqglduzVe0iPh3;tRi}yN8xC_cn-viNFooBf#_#fO^0Um@o1>bZ# zrrRZ9HMhU+w#ck&Bm${lGv5We9hGo&ERR=z`FQ7Gm&F;i#v)r9PiXI=+aTqFwJa7{ zR^a(;PC2{kHsGv|HHRe}1&1FaqOt2sP$A|HghGotL=$~sWky7UCbS2y`3Ht8iOh9w zy6iO=j3XZlkX6@Wh01|S^j%-JwgHX2*C#H5z6Xsj#Fr=LV^L@B`+KWN);b0}P`~b$cCl6y(uBZdt887%Id?+L%r@bbgNG zVhLb1%8LvAD5!cR!KHDfGPU*aFor)B)@neplZU_FyQ4nH(;hXz@^e#pDp$zTO7Umg zE$;H_$^)tY8}uxkRS)hGUq_$M<)LEFtR9yTH^*723kXNpdp@ z6^}CH+;3N2tMI0q9puRKAF>*{rgd?r3E-N$?!Z|MNfsxc8P^-8OmqY~q|A`wRbTGQp4Gy%bxa z&bn?khuF0|dz>8_wl7=R@5k@GZ7AN025&W$w0Fo5HXN-9-fsZKX5V?PVXh_QaJmp;R zyCyz*TQ^1isnDfGE>qy1ahJ(Ds93yddj#om5jM9^qfQav$p)Ej5qCx;7%yjMJxZ98 ztCHEHx2O{qa`mTxQnNSs6B?6vBpg{9!S{?52bD~5+GA(w|gD&O5d*nxj*=YtcsclORS zTd}m4hoyDEKkK;FP(ONbw1{|B|MOcRG0#6mIGXEcHE=1}5<&NjCF>F^qHBYdPTHtI z4ml&=CV31Tr%x)V$|RcI#9L%iqdl zW&px?T)!{81};tx0cP>&JwnMWWsYI^z6aym65tBrbZNYLEgAqp>_3ai@hMuWr1Iu_ z3CqBot@o8gp;9*h>c?^Sw6C>-&@4)RKcM)$ab zt)ZjS-1i`$CX?n-!z@^hhf;Aj_f~2ZNlA7QH@}dZbAJzja`hhNP#chK^k%W!gFqj1 zIa%oq?Kq`zmT&g;bred`2a)aNs#^3ne}wcG>u+xeW`xCFb8?3wNlnUV!Diu9^rGC>6#&0R_*nFW07vNbpK1=>*z!^XN6*ch_x zVRHz%x#p+j@J2kDY{WQZrJK2Pk#sg&3614V@vT^RJHl~NKk)0@SH=n z4z`*{y_D@JBYxDar@t3(qh*%`^~8osCeT#PSg+=x3Xl_`XOQ{&O!;z_d^j;!P;An3 zn}+8eamFu@@_lHbo~PG=?4}6z*Se|A(v>OocKRSSI}rlsW7R1Yqwl;v=qR%?oPk*s%cm0aK8x9eQ}J@v2J%xqbiJR|95KVU|X zW709a5{gTV2&z$cgLGV{JQLsw=bz4aMc!lfPXvl@+{N0Qftn)9z4+OWWV70@wz zi$mWHt>60pmHUzF=s?_*w(cNk848)#j*Z;%O$2g(fyaSzsui3_Qk_&i!j!fb zBz1L5p#yKeqjL|WMMq*#FR!gln||>mO@BJYQ&N_z4Q_u*+ESr$3^Gjq6Dw8n(q!Ge zp!ZUUxr^rg9BS|c@Qt`L0YOKx3_R?36_y$aIEFc4cxt^lptLx+c7RtsY;EOZcArn~ z>MVl7SyAB%9eq;<um+ox4 z9NNBSWommlw(#~*&~B#+Fm6d41Z$-7Ey3J?e(h^v&g{fpmCs6F3qia6Z9i5`YOqHP zh*5l;oZU38N897WS(&64xDAiwu@9zjRjF-zH8-gmmxjpkFuN8?|f?D2No*yTt zcP8ZS9qFkbOSxN!G~F?hNY%PNPLUeDV`bXNJA%xH(?SIO`V(~?d&!`6LGzlT~g^V)qPK=5En2_uL4FpbM&2`eKc+`zYaP3PNyv*1Q&dV4%Um^N%Qlx2?FMO@_hqvznTy0mkzhi#r^M9HJ>G6wU 
z9opEQxK_=dDke`@VZQwlJ~Dc^+F$H?SVNh&Do`vYnx6-C~wy47;!70<|5F~L&aLV+%=6f@p0=m+OYE#IR@yK@oG3vDe6pVfzeomYr z1v~A3PHdPtrIox5y;XkMENZm(Qj=#js|3@JxcG*S!e~>$+HW)aKQ1gqA?Tr7mf-c9 zg@^Y=ISEF{ji^vtXPZVmJRm|IPQz52n)Ny|A=&5vlE97eQoK7M0jDX9oJ%LQ2AUE`|B`^9 zwq{Y4pjOAPTfhC~#A7lNLdTAW+T$a5v>Nxu-t(^K+SFv=kXfenBfs}Iokza>?gf&G z-;fjO_hWum(<3cp|qV<4-Ovce8h(yGC{-dUIkj zP;8f=wET$J1V7X(9M=yr=%Q5AH$ARvifDt0a}fSq4Jj4s+!|`r#?umh{W7o_e#RUA zr6k4Meu<&A_kUfs4gWzB4Bf|6)U)0;=gkCCB<;5eX)uquhPu-Dr`Q^J*eVH(s4~t0 zgCs9ryeKgR$V7D0!xO_DwP&lpv*lD^HkBMjXI5HowFN_*q4iMjyqP^0*>3h@i#y)^ z`^mk}>PMahwqJy{UQ@o=PZ{Y=E|3C^Y^WL|g3i%Gdp4ugQ|v?QzOesopUbi5F$oyN z!w?AqFMv^M868_?^fT3ziG%|M$#R4Hf^aqDZjMQ-@3s?^hi0Yb z2xh}&>c~_i4;#~meBLO&>e^3#@e>mjiH)KABNa7Q;^-&f10@W@AZ^092UFoCR;<=f zX{#fU%no+^Y`p#Nf4(%KJEe|%5&d^t2h)z3CW?8k78(LI3idItgOQ{IJAPjrhk|nR z=@H4kZoZAZ@nXLoriJorrSUy6D0a(j*Bg?bUcO$uPLQL8win{|+Y=60qz0Xj$XAz1 zF7|4oSvgnQBkP-mvANz0r-y24y!&-Hj7}7fEigu%tMIF^y6Mu7>L=$RT{@Y6D`-R7 zCd1(Yit=#IxyOy<@RU?;SQ%V5M)Ww3&cnd;u1I4vce;cyzV^xR7cBp_xL!NvZDFH14ags5nQm zKNDO9&lhp*<04(lfRX`&Nc}j1>)TVJVt+y6VR|QTmt!Of_h!E`0-RUFW)28~aVBEZ z$IO_t={MoY>XnI4dmzNYf2lC(8kG|54Ehz;JUj|-@>Pqg>C=?f>+1cvWrNvA$j?H= zbNzC(cqG72^$1Ue7nWCvJ`N5uB+eal+2SCx#RC*qhvHvJN~GLJ1^#g~KnxO9Na$@n zURTT9`Ww+DomXMck|?Ez$`7CI=Q}b;c?sQ!64|c|*bZqU5|G+*UUha>Xa!`~<82v! 
zLhV$3FQl~JjfZB*nJ~0!Om}cemR&m^Xh~yQk0J$3#7< z;d%D~nQdj*bGttC1|jm?Tn(IBLFj&CDe8j z;J-A*czI2a4OiEib-u#$u}xVGUClFMlY|^3TqE7i z4UZgQc7~aY*_p+`Jk~eiLL#QuOCXS&U5U&2(MpjHf4Y==LCevmJ;nAT%OjWB^1{Kv zcBX)%%USdK`PGC@Lg;fpf$Mb0nZyp`59fT7mbvb&3GseC zSOPIUZIav_dnW6pSUNqhfp~ov!flR`TOJedJ<5|gI9Y}Q6Jk{cIf#AN}yTooj|CSin|5e=a*S1IVG>OKf^$d=3 zS>6q#3v2_sz@p^WkX+%$OfS5I5|8Q`!feD@LM>x%cWAOz;zam-pkHi*l2c~94&u$T zsVDau=*Qd*<3&fcf`~{4U7@WP0>1v-o_-pS>Z6KQa23u;!1;_kc+o!~O)ay!-%H$_K&JT9RVbH&lst68=^`9E-)H2OQh!o*HLrM~)lUTM#?72UjobN-j8D%xG_5 zD7btfjYfl!qYy8PnARvNYn4%+!<9#oh?lCmMJec_&0Xh-4y!bbXfR#NjHH2fSk&|3J7Vg1;R5fN)7`a(-mBeDj#rgJNoOZ;ihc{q*ExceHs;GB@1fKkJ@X9kb{C_^4O(D$|#^hfY!hH%s;{ZRq(Cx3I)ICi8=e z(6W;hgM<6uLr3%XHZFDP{=dh>sPw1430$@Hf z6{UCawj^SeRwb)mMa-1i=><-mYJIEM-Y`ObRc38y#%% zOuzFHCWtM3rB2;#6MXa|z4yJsQnw@_uTgwjgDXHcv%^yZIWBVy!EoP3H$kf9$5)HS zT1u4XSbs}|+?lFwLJE2Uf2)(25Zx>60eD`-2uf24(vPS9$5^>c_dvLzcuqQ|{ugH| zyds9uefKSudlFbZ)Y|?>J5Bhzy!Cqv)ZrRJtz?f!-B3^bVFsU-%3@>_7tom5*<4f9 zhdLGxaBU7KXR)7*h^f<6gLyhx3^b_h2~CZIn$8TJfWgw;?J*&+W>Qv!I|yH=>`6MnmKRW;S-IcmXcsh{*e%&$Ri+N5byC4xD=*W4>=9K^{S7d#a$Ol zps&=m^S)|lp5z7xvhWdEh|n!O`Bd%wN(85NV!(gI2pi0iy;dCDJ%p za`&<$13ziB(!>Km`nuD`Xkoa;Xh~}b|40Xp$hU(@*A6D#wbKjfq&zx&vZvKZ#>7S# zqz8}riPL4@Oo5G=v8yEJFxNF%zB7s8p|0{;m%kONO1f5sWQpKQt{Z1c#W$s}7$}xM z`p0GIsQV9^iX9bTT?ayIbFAy|{l_r8=cA_fV{`4Twp-cxtYQ4Fk5vNiMju9E`c-U= zHy_CvsBLRM-^5!>@9&1961TVzKQdA=w$mLO6R*P7GY0{uxcNeH*ws z4Gx?z+RH?F^3EEE9`=!s zn*NLyOn{@$A|S;GM_v2L2EW*V@CrMnmO+Lx`8+HRwk#%qrED#(a4R^F)0z@Zoj>${ zGwaA7!^CZ9vnZm!()5^9|4c5v8&trfIQqR+XeQ(y{M0Y^THQvv*D>KPVZeuPMMOwbvwG5GV{|=lbeUMv~H9zao)#d)n!-hQ5_!2ib5O`}Kwe8qBzEe_rSd>PcPQ_@9s zvxn-W^jA&BdpD2Ozcd9@gqA;y6f~Z-?7_A1*f7vGv8wK29hRD=eQb9Pl>hcn$Fn)T zy6xq`#lirV`vPb|L z4gVwo|5wSO-Ans9-0v_{o1!|3=;mNl8?(Jf2Q@e{Wu;FxT&vY}5sXos;)o591y7?>YmLIqLc`u&U7nta|qbSh|J zxxph21ot9TFluW!s=(T7bak-vvCy}7{uhi6hw7z(ZOMU-eRqWo+w#l;WXSRYIXtk` zb3QvXtGSU*!ExLz*o}%otrjQ>4`XIOLl-uZ9A`^Ls=p4ddjW8ouf-RT#g=l2#r!L7LQatlgEn1 
zjE0uW2lJQ3Y^ew?QVST#Q}NAhp&vh35H0=5&=jr|{Qy(sQBHb)KmyNm;ceTizAS&z6+8>)IZR`!+s|9EC6LvtaX@>g>KWgOepe9^B?F$33@cL;8_ANL;L zevj%3s3k!|bcVnEH0mW(&ojq&y!drmjYw)69Z-w?oSgk4Sn-CyOJD4Dwos_PL5)79 zjh;F@^r)!zLdVBoJBFT8Zk?`VO`O_Y!Ka)z>0ZPyNkT!Pu~!ZC6R%Wzme$Ve*_@xS z)xb^U?C0?*H~9&s!V}FkDeDavr;cdLnI-QFw;+_yksbErG>K)G6vr+HR$C9Y2-k&u zi?qsug9zE22L=fTk8bRAHKf3|vTfAyf@a#JLzlNFuTk@@RW&9x;5F##x@;Hh%b z^8p{g>6`}$`mNI-DxU%EAGA2dz5A*+=2SV64Dc`BrzimhRgR||6`9$=+aLDe18&P| z_Wez+x6dcn``;5+6th?QeP%s1_jd9)dekidLZ!PV0b*gQUwRuOvtdv}NUvFix6j8v z!&C8cw~>ppiBoM1Yg9P6l0*CNL-#Kuw4~XUI|n?g(E>PKnw>RXk(6KXl1*hMDnUbt zz|jC;6dsPukSVRl|L&7(Y>F6HR^k{qcmbp9jsV;e{`>6D$UX%HK zI0-`)iGhxyNl&xKaTK;$Ag}CFw;mVBzk)MC7)9BpiHm|>?Xvom0_YgAE@CEKR`NZM z=b%)N>|7K#I-U5~v-hO!QL&}mKxdr!KGE`{j1!Q4yjeC`rq+j-u}TkH+!h99*^P~nx$op&$S-RDL=?p9&r_fpHj z=ZnX!8+urwWXpM9-9F!Px*y*$%_4bOp`rGt`k64aGjMfdI@QB*QgR8S6-%KZL^1QAyNoX^)zp= zWhYv9*u7WKcfT+4?VsEsW43IP^$ma6iO#HlFE%7uu!z6Z&t4(!D*>u?=4i;rrzPb_ zC4f9g1_El)r@NDZM;fxaC6}9lez#R{J?`D4%ez_a>t>@IQn)13poXB4`m;S2+NPv# z6?(koZM1bn9tcYPj=_o8TvRkXAaDfdMaV=6je*ynoWG6ol~7cuKBdX@z+Skf;rPav zJ(&+L>2nTYC-EKpoCRXRx%6~-&RK21-RSCEiR6eddHfo=58nm5!6z*^XyaTH@!X~d zXjM=@&@bv6PYA+cTKD>y@pxth!=-C9RcHD)vAn7BiCcsHLtqt8=gBw!<-N8 zqb9CXH{+|!PaiNtTAro_Pz5K5m(+84H{}G|f;Y3z@JqJ!28>fDT*swR_4`ED4yrmw zD=fL@&P2)?(mIPj{ia(#_1s>bw7T0Z^o;u$xJrQp7fL)mn4-r;+{O$`JW^CTBW#$d zuE9}D2xs@R&Qn2Eqnbki)f%*F@dWjhf)As34453GpV}_B>Bg^or_E%y}BogDUHfP97HE~uNB5!p35d06K#*i^Ix1tK{7NxY=O$O-4>4s(6=Vb zS@-AnP*x~qlf-r8Q&`_6NM4BL{&bcf7u^5hJukb(V0i5;%bkb**<02{>X-rP>%39L zb(g4R3BP-|=KV!iD{`=5BOm10duq@eIQBxv6yY zMbSnAo|Qn$de`I6bD`N1Vs(u@1T}M?$ckc^J!;#s3-fb)yt4YEd7l(>hD{Ab*5Ic~ zKJTBNm6`DU`-PqdgIh8By*_a;$gWRPHGF=S$L!468$<`0$B#EnPvE8@w}qrd{W}*1 zU#7$go}Y8HqroLbTp4?pqgGE#AnolH-WMb?g(1+1la7OPDAb)`Uf<0Z zrP+v)qYu%QXIra1lbq8H0=a=-y*K==h}>7!;$e?C@B;d$QYtJj?0Q1h7?X*6^>6Lp z0N>zsp9sUHzy+QBBnjqc)E*iPfFYO0)zpw4pjWg~qO^}Xuw3;=eF+8PbxZoAGUa6X z4$?}drjc}q^>F5;di#P)b3a<)8TUrAzS^}IG~ z3^tRTpOojB)Fg?~Y*eLPdsx2{bdht}vY#fdcU9C(dXT|C@?_Bg%VpKT 
zL+P3uo-G%14#d}`+;KxPxSlh#v)2vYUeFPNy9wKpkjep&A=;c;3HqL$P5UENb+S7|+UwRibV7Gs`K zo4Y?e?L)tSI8UwTer#IdIlo-hNkZbfrt$aH*@?UY%G(T!tN!F$%{ucLUl8Ev=B4JoZHSJu5nHV5V_AsRwm9`}dAV){_q+1> zzK;w&%@C_-RKJml?=or!ewb25VKC&^V@w?l90*-$`$j(`9~FA~f)gGL&pa05*sygs zC=9jl=3i4S@ApY%IM`0HrhP~Wo~UWk6CivnI1QLgOa@lIb?#5i&yTcZlxob^?Zygu zB77C}t#w>Dz)H7`4c2{|EnRMvQ+J`1BWTV__`7p3h`l>fEnMewXImZbG|}w^0j-Y9 zFT5R_8dt&3!q+s&*02L&lW(`{HC=}_E(63|7s$5TLTyDa2-c`yWxGgm28k*6*+HD2 zvA>Oe9=WQ5(j0tUtwgb?Q0hX^FdX57Ea*N^Xv2w$@mus2CpX=v$t{68W|0SUbK3bD zf4}<+78K*Ch5h4F0R?p@hyfhToEjGGxkEkqXs_! z_#Q$Y5shRWp@%CD?&HIo#Fl*)tA~?aLC2Q6%B{NxeAMpCgBAwZJy%7~RLj_mH zqE(a1Z>UelGHew(Snf9fG_kfirBF}=Ut(qO0xn>s#J}N#z z;ohPw>Hx_5PB#Iwu`cBSSRDaU&%0=}N7AhA5@DVqCFT~tGL8~1BkTKDJSg+YeJd$M zBFaN_OB1^=KnFIhM@;pb-yD7Diob`eGSxPzEH_5)`g)AX%V3!+WjgFKKx)GkeB3_!qaoqq;!iJk z#>G%V24J)&Dh~QrGL73uR>#MuJVZuXhtrdz+wJ_W!bZ?MfFz$@56k%-ZqRNbDKI<; z{5By(!uo&Pc0Cd?+N)wQ+76CRoy6N4s=sCl^d6f`&$qhne#mv_H)a~34bI>@37p(+ z)~FvGR*u>E`8OpFWnvyO6xyJBJfd!jG( zYK-A@T}X@=UA4Q5gSUNZcGAMeDp{^rR}6T-9+K*q5SxT*`CU)psDN-_Qyv|Mx=S*~7E9=fuRC8|VQP z`I(If3L-cIRhh6tgq7sQ(v-1c+HaM5O24PJ5~I=!y)69aqG4oO!eL}qe_sXi4<0fN zHAbB{=_k@i`5_L-Z*uwxHS` z-0m_QvjoZn67^1cqBBP!wimjS=0X1bnh`^^y(1Y4Tvp5x8Vkx4mC?uNvulu?J%LXB zZv&&{(6*ms@hoR>_r0PaWw8``+5)8OCT^GA-jc6EY4vORtp&*E?yll^&p!GO2FV4e zP5B7_wEm2VP&q3sFuR)Sg~ykiOw7~svE&1qYugVmTF=zeIZCwZv)u)n2*P@jh49UW zGt+h^!jYT+s2HmEE%d-yz|;xlt=YP`7G;j2GS6H$y4H!9aC@K{A$&3-s~4gLZnNX3 z+U{{gkz(u*XpNhlu1wB4zVHFbPi?#`>qJZWQtM~T8J*t_O_sHO@snZZYQS>-X6HN{ z<+m^|kG&h7yqwblS;@D(F8OVavxUW%PkqxJ$K3c00n?q$0)oY77>hsd)aEf*GN_@1 z{jJ7A`2e-50(p3^ibIwoy>o*8gJlWF@5>Wp(y|Y)v+Qx_K0uCL%a_BDRt6??v=H~oj-?{X+ zG1w)~xu{ub9atDA_sv%0B&urVNgeS!>NC(@SZOzmURl=s*xWksB+8W{_D0UsZK^70 z1=-Zdjl|PaE}>CAo;>E=pkn)7ZXTKwS`aCto>u$>pDH+gh4}ituw`gAcCa!Xo1t4D z>z>{g{v!$yKr=#B`OwLDeALz}+s|&kFj6ZBKi|^ofg$DKjLMEab|sawIM#M_En(Hr z?cU#W9YZwG-$}^w!-5kyix+XUDX0BJ+(NN*B=MQ@GX0Wz7K|=P%#+C z%(SazWsu}Ge-4*T5v-0UT|Vx=LNt_mGyIbi)J}7>bDrN&|Hl*2rjR?4-6wuW*5v1o z?1P(YTP~n!iCDSrWV_{ 
zYMTjCS_p$9u}J`(3AU&&D3D<6N|%4YBnDi9WppGi#Sxv}QmdhLT?vaKEc3pcIbJ*a z^%^e@*J(0?qplxeL-LN`MFt)S$(%LH=i`qlSrJdyXZnlw>3XhV=@Ew-+qDra3b{3m zp5my%`Yg7q%a)phnr|O$f!ZcZ1P?wD2uGZm26q7acS?qZ?Defee}^N>weNa|zvejdFgllg>JdZRz{0h8FQAf< z6NI~Q>p=PNo5UGVa*&o3$w?dU+zw?ovw|GWt~0&_Vy`CiT0gfg;79S>9ci$3{u#*N z;L3pF!i?*>)?^$gdFHo!Xl^a!WDrph1^LMx8Pzfb|!S7Vt~9MS8`j`}de*IV(ErZ~sn z`6F(SdF^g6Dcu!`uWGN-`dvWgLR_H7e8vAzGC|ayax?794ib!-kiDS8AGsW5N%7L$ zj4;=pi{FkbvK_q z)lqX@Qw84lF5rgl)3~<|FmnBCC2WMFuNRd_qb9nJo&ow?Mtk9%vPW^9xLW95qzF6J z)6W;XZTzMqU5s3Ry%&yj!l}b!?C9&}{if(wE8l!c=GGe04t{zJ1noGLRbG0WG8K?O zfW{@kYTiP@<%XwmX7Z|q7v>O(WYmh&a{k%tB~u5&e?y!yq1PtgQRD@egYG(xR*^9} zJlOYvSDxPV_m1!witv7-eZ0H>#ykQ1i{ESzIi%eTuW~^xvLSn6k1rAztlUoZnZ^MQ z;+iq_Fm#e;kauC;Xb(rht>UK={Am!E;evN2Fd?ZurH zSnLXUfmM_3#(D~)w?Ko^NU5I>O)1ZLJ&^_7>BytD>HDC^@6jvIE)d0h!Arxx$nbFR zpC;RR>iVVqWFBePkx6=LlS>A7OuW)V}Fml?< zYdZ_*efgK-v4BH0GAfEW)XCVPN0%S^dwqI?ahpf^WMh@PgDUVzwm{!y zsL+M-VAjsOTkWZjm-{&Q{*K)J@(nKs-*d8^yRP5+8}QEBKX2xYNk4@Xqw+2odU?3d z^BvH1`?~SjFXpk^Ty2s2c{Pnu%V~OW9Pz8V?g4e0kL#f?YOgF*Aday-4$SiXiy%|J zx%*~w{JQm2N-X%QrIZD@M7ByWYdGjKyU+xnOGO7@LeGz2Ss#m2G!0EeNQN~!F}>rf z5g74fBU*BS{p)%GAeZ<4Ppky5z)xIyMk#&`Al=nWJ&ne`H~E1I6!UM-(xP~qB6-@{ z7L%9LquzYdazK^%V4gmg@M}bV(uiz^j>|t+oWu)e!NFQooze?t{h#qvQ?H~N@5}g- zdG^*^OVLv(38CUg{vWb^#AIrU4d&P?)=Ud6BTmfQdCYe&5c@-03e!xyZG(1Me$gYL_ClqUyu;!J3dQ6(+N6tG-yjF)O{P1)hTfZ#PK?52Cb)SPD z4%B0gdT;VRV@?DI^Sl0xE)O`mVHbWFnEmpv#q#;<;qK=@?6J=Nnjgb3Fi(DmF_;pE zpX*16puj}j$$ZwOxe)mzP!IPqTV?t5eb^JMVgGShA%D*M;8VEU-@J5?^`-r?9xL+( zJ0E4o(~PIlh}Up`toGTg!s3pTx1_gY;VT$4dg3>=AK^)HsA%<+zjiwfz)n{Xf2%|% zWaRR8Z$G3%?O{0cg!q!G8U9~`CEU&P@0r|WjWxpO{*sEvg%|Fv%2>zEV2V|2e-`1C z4P!=8OB+5O?mH3siz>L`(?)oR1rXI4B4;Wvb@=_;^G-_d=|ZnsI=n1^1Ho{cD#tj{ zRZeE{&75eWol);jOlyt}#B!JY`n@w5-sY9**hj)KDB(H(;05P%gnx-YW~hG~5PBHe zX$qn`e{I&CYGKMMz2lLzbD?KJ{SXo>7>CInBKhQ}tOX8R%=1(>KG*c} zrt<-(n>g-_yorEN0S;p4H^gy41HB^uj#UDzE#GC;*|%Dd6-SXf$q;*`l)Y?aB1!<9|^Zw;A5&i1-r! 
z#t@ydik`Zwm7uTl2EgCywxdk0g$53~jQz4mBq#txeW@+WzKk$TP0l^ka7Kp(WY6vA`;zSfXw@)7 zb&I`EaO3Tf2%AjENM5j^?H1t;jVE`FPX*&C`{!Rj8i0_Z7HvU%=IW!h6&V(g_i$4C zbQ;XZ3$05>@;yg(pGbyP9?Y0d)vj;~!FLt+G?QhJ_M$B6);UfWnUC;5zb`&SN&4dp znYIW2@hzfX1#NKE`>#w6hFZD$rTMXM;*_7!d$PY1Nzdhm(O+DAJojd1?JE%Y>nis= zXfCoo9jvMMjZc(&ujaO4d49QeK>tabdVQU3S#m1d$p8u5Up|h$3gFnD+AP*Qz3j|a z#9pAOHuSPIel$jC}-uf*n#C8JdksRk7b#p>HQTUISNNh}TEoK3816n!~6=2gI{vMx!Z$ zdK!t_;tXEUI{48PGRaARnd$54CbD~CZjzyYyxn_{`OLi6KDN1U-eg#vjPftv^N1L6 zdCf5e8<9MU^f)=No8fE63-S$Dab5U=Lz+28CP)`Hc}2(@U6uSl;u+0r-t;?p#6{OH z*R^4xW8S80MHeu0lc!<32e zU#FZ#NA1+ySFum`3+s(h#5l!3JGAMf* z5m|HTtP^(ZC}{JZz=9z&2c;5tueN63toCbB2IN^^H2X7=4nKn5ZrQOHk8fe>KjQYj zH>3WQ*CI^s)XpF?E#VsGXxfIs1sM7!ZU$YaJ26$ZzGPw+nyo*--Agri%V)LFYOMaL zhM5zu|F?~;4X!RWbCQ+jX*i@(Ietezt}&$~HA3@nGe!2W#_#ct17e)vz$(sjoXQPA zj8Zvw=hE=b;|BT`p0}H?QD0^#TdS%S?U|OHb^SW8cwOJ>bn{spGEmR?-;5$q-wHc_ zjl*2e$zOHdn)N=A$w#{A6Cef_L>4yg^vH)4hIf<-%-#Uk@p!wQUo)y3xP3%2ZM@SqvAnkL*0w;%ns*XhJU@SL72Z#S?If#1FNuzSw8r}uB(wq8^ z*u2=Of8}!p?3k@S)J{~KQ@1Pk>+;91+bgPysuW(Ir&>uqas=e6N*-`MK<47#8P(TD zuF2Y6KsLY8tjM3F3tY7{D&hTRoXH9s;~2}DhCHChZWptu@ru< zTgFB(8z0{6%$3En&hT$#x7GPJjv+$#K40B33zld}8)`assOcDfm+9liXEqzZI=w3t z+TN{X)=jyR9~(!dU5n#{s3kl!NjpO}WfIeoDlZ}l_{^V8cM1LtvehKKYcNONNO-$C z_(PL)7zSKHG9ENJ;O~&iX+Ls#3|P=9oMBLOy2FdD=GUCspqTRh2UCJmjUX?Ru^V5& zNZndZ34+gOorasUJi>&ho2Xdh`hiMR&#*PqT*Y{v29M^Y{YZYtL+cEYUD#BGISP2` z`s^`OsOtpRo{TMcrf@$)QU_BYoUC-m`3noMs!ZQB$b+@Q$C1F%&`@m|GTmnw`Q7T7X7HtAET~Q+prn2&Mu9{OF zicehPj-W)h=7*4}34M$Vn}@z#E$ef}{6XuDHt=ua-WrVyvP$O^n`>Vi_07m~Du*f2 zea_2ox`zpzc74UiM3AzitCKkWjVnOIWK#3BjdTr8pY5qe< zu0EM+4a!D^7R8{!=v_q05)D0yH z-&=t%5ST99tV6=LnGHJV+5r$Kkrdd)!EMwGe1DIF{%FSx(~Z0Vh~r;l6!jKprfs%k zcPRB_u?UvFn036M=cJ@7$nY3X11T4k%#dUr!^1B3G%w+{9#){%Oeq;$8sstT-lwMa zJ@o@0bin1&e7;<|%;ObToInFVlNt@rJwcceBRJGTzI9U*!|#y+>uSBf&Zpq!?2D0@y<&`IZ1O+CHnETQMx<8@n7!wiVAdxZ zV&#>*SJ}|<9fk89^Py47g!E3h`S!hwf)(o%c%qc7MEG2zXQIiPv0NuB$8kr5e|H=+ zRAHoB{6vNpctc;voje{;R)1X-IXB*|{$J~PFlfeM_sWRm`6 
z+4PaXo1wMQD&?tGEh2VH?%V;`VRV9wG-|3~@|{0&T`i**&Fh26k=1*A1rt8hWzwjG z?-mJEOXc_KaBE7@k={1kg2;f#Q)Cba9^j+*n%U_PlP*+E>0ugp-f$~bQn2& zLnpLH`{I~ne)V<}(5m2RURivzfJPEFBIY{QKzK%(ALJFk0yI8AG1>#j9JdaGy2tqBPQZIT3|e+S*!G(9z1n8woJwylbt=* zYfn#e`|q(`t{iZRd|>z}?u1hKXite+1Ai|IUM=c6Tv$)_wtNEdPAORaENP{wEMn3%buhnt zD+e1S6bu!p-MncJ8%#w4~h#xttIC5SvejpnwYGibI7Kt#Kc2 z(y=;#ts8Fg5A7SP@5p(dIDQ021gMULe++HW#qtFe0hJjyxPXDU2}bzaz5)`g6t*9O z{)Y39PDF34`hSwNNp2+Ri&I1m$-2jM>uHH4+dN;d99)&<0)U|=Ja-B5!BV)Z!0`O1 z#Ny(`dr>R9d!^ zm6%Dv00dTks`}=Yz;Kr#J~XYAgB1Et`wk8%1*K^htLuIEuF}gJpj8vIa&lBK)gYqsF^_tR zRUkO7yyjE=Xt0Ksg@|oBa+NEGX<3a+88Ma-jVi_t)=$Q|r0%vq7n4KFvP^%Bn>`r2 zXSH6OCv386G}yLyI~*%$-%M30sXmcrFabLkd|hD77K;r!o?FpwhbS!FyEN78%3dI- zq=d%WPV+Ke4|)G)GN}(Pia%(|D*ssW_Uy~`LkJIFq25tieNY}#E%!W+jQHvM!x@!U zFNo>X-4VJwL^VTy&cbkCyL7AsbZaN0{T$QE+Y-dK046ZrwRcYdaCVQbpz*qi^nwY@ zCr5VUtvIBpo%<3=X)c{*U}FrnJk-f!_=BmsNA+HszcJ->5*(3vA$(@!iH}WEaBQ~G zwF*ZjkQM;OAQ>qTRBnd(O!PRJAwFg6&tbl2dXS~|l@hr^KtQ0V^>(w6$t~K(x##h+ zZ`Z+-|H>qx$2qsXapv@S&!(%mTyko&Uayhy+~VdwnZ`t&C#eLy#Wbs6P=UHs)nYAp z`*5#6@)QFh0sP4iS!To@yYae7I-Uyx&m2|ZNX8i%Ht>TQ3Rm{W8Ann~C2CjXAY;yV ziar3FMhue^6r?#*3FqfnpY^7}m}M7ROvWS06A_%$ocA?+iJ<m199k?a+oK} z`nVA{uCDJTd^ndRAdw`k)4Y5|Ei62Orcf`BVh`I&8O)S$EMxom z@`ZnmVO5!IKu!SlDW$innb0lD1}35&muXMZOK+N#9$4x3$K4Kb=LuSDB2ip4>uA>r5Yv`vEwD=xN5C2-Z$Y9!UR z8X<$}AwraV_(7g2s`tXdp816v-7==1Ak4M9jFFX@A71v%lwBXECu(ks!TRC}2i%X- zP!=HFb6VWyFhf0v%~;il)v$F-y!R~8jZKie}pIH!3PR*g!a);AgmE6`ppoK2h^6?Ps** zlH`!p1C-47cUikXn=Y<%pI_&>cz#&5tTyBC{CTxUJLDP2aEM-CCJ|xQx}bt7mciZ0 zlq*b*ZuUx12+v|N9BGa6!?Pt%eF;r{naF<&+v!>pt>}!N>d~vOGx0;FUNI^9`x@JGqc!KkEwRz2mrKGKe`oK_JAyT`-dke$L06&*v|4nkN86L{jnjTIFzl!a znBxLzdJ&apL@#j0bB#EisKHwU>sR9GnR8im?@7-+1bwRvN1v*fS9P3E=#w@oF+2L* zM!g(K`gClCEm)~xm3qUdDl@QNMxf?XA&akM?do`;*+9J~Tb1hLpO+sX``}6GQUvoD zVbosJTybUAN+%f-b?9Z&)D?YH{v{^amOr}kimz$Vli29cBd~lI-GtwP;~e%l8^Mnl zPS}$LBb(l5Q6!gvt-0UukoyIaG5eZhxfWF!fL6np^;i@Gau$vIQ6|DbJ=3K6FQ(Na zjBh+UU2bdatr9V$tdzp9=3IqRwOxX&C8R`LrPUC>EewWqtwhyVy=!r}o{qS8*)dSt zrF0IeUv591yR3L7Vf$WlN`{0SM 
zBTU8jI2QRZ!XqQ2hW|AW`JizG>M^N+R&T|73VKc;zVTuwJvk@t`waBV;>4#QJ8c^U zCWvIJn^lqIOfNuW>!d9bfd>Cf&#CKo#oEbw12NoETg);s@WvD`bzoEJ#(c}N;=^a_ zU8x=6-p4G5_Qi&hG0ez**U?X7{2W#VR*_(bxzsN?1-$dQ11Q(;pdY1#N9e#xiTMuV z&nVZ!g^$t6WO*{M7$yvgS{tUq+yEv$97uV-1LcLh?6`4FV|xd6!)~q)Y|Fe9tL~@Ro=2eup;}{TrW8(0^pitt+j-8&9gl3vcVjI zYiUU>!`1PWktlxzpojJ%pirT*4X=5oo9{i>n^fB$(Un31O@kjvjJ|mXBA=t1{BXPI zL~Z56)cV<{3R%HsQA+N|)VSCGlrH?WoYMA3$X|AuWk>YQ`;s2c1C*#_XR;V&wUkir z4)P&z;-hqyC9#NkaPjjiIj3N=S(=r8N`Tq7))5nwkajyUQ7%$_*eJE2`Do6`>B-xxuDEK`f*tkOA#c`02-LG;j&JF;r5!TdG z*Wwe!iFzUxE_;CEW8jPdBOc30{^+i$E4|#Nq9y&?T?%3c(C@FGIHXTT>YKsU4EVdX z6YoWWr>_q^+m}*InG-zA8}4>Y%WT!|*Za()%k^;FBF!oeH^mpqt*mQpbu3PY7Dt4n z_2^M+9IR`ypVfKp-B&w#%We)@1~ZRSxC*U7Qp78{O+ndG%Vf|$6I*-!PZST%ZfY)H zpfuye(d7$NRxr}97Es!v$R)4zj=>%*nU{$`oNU3C zySm;cXiiRY8CmxTXzTqPucCq2>Ns$y5ryj)bjhz*SidgbmMl%0ZDA0Lu{Xc- z%*;GFL`9|qh&#LK#Q80jsVt3NI#5LVi!LTvx-{HWj98SklpcRMG_nhqV^8HhG1CG8 z5S?;1tUQ4?$B#z*9c2+6=DkHJQz)3>lo!p(2GkEaMI`rE~phTNjD`F^{G(QmrOvHKhZ4Z`o+rsfRkfw#@$5$H%MpV!f(oz$@GZ*{{$&$wu1WbAZB_Hfd)_3*~e)3B^ z2p}o>Zov@LWl3|tHHRm?QW4P8>GN47=fL9hv-^11v&X8AmW4hwbMAfpwrn1)zPiAcLkAte%U5eZR^8zYwGt7*$gWFq0hfj?F z^wGn}fv)JZ070aZ48~NL&-dDOGmA(1lT2-QdvOvovIp6U^2Wd?n$IXwp%sWyp-z(05hBXQjN}x`8F3*o)SX;&Ux}q-8Yj`^H>iX( z1Eo~w=`MS@$p5Es$Z``_-mpNBT8Hi!xD*_ZIMfria^gm$O*lR^RamrZl;~h*F13S{ z+k9qip2;SG1#>{wx>@O&fk+**zA`2)+?J(O)Wa$^!G=RFT%C(~!8T&u&9wbuZiUI| zlH&k5X#?qAt(69)`Vy>0SK-q7pkgOC%cF(XNzb641&@zBxe)AD(Y0|f*8)mvZvtF{ zgy4wymzCr;X@IY<<&9yA+`_$HUWkqD#jjDl*i`R@Ph1 zRyM-K#F&r(leOxz+++AhGVn(_@DHt@;hH=4u|*NyTR?Dk)#tzSA@Wu=CIP0PjP3im zp(0%tyKG&3e7vqYPWI9W^G-lP_@;^EiSK@?F?$^8?;&4^TFUf}r}!nd8QpKj>j(P+ z2hH$zt~2UkMR~inT~?^$%`~f4XyvF?m^sP|!5lNxG?V!m>2vqa;N6f+RTU52PR{IaI2ub)WE)))nHaTl&SZzf$PgtA}dpE$Hk0YGv!uJypr=Rb`H%x ziTL{!al>weigv*>Ym-Cr7gW7_-Ek%^#)P?;2H3fnn|SGXeS6)q5%QQJWc`+mkMn0@ zEU3GrgXw&U05JhTbMFQo(aY5EVJUPXG?PL+1UfaCB-a#IdX?7$Bh40- z#9Ki>lc^JyJT;it(uO~|QXTxUYU9H+)R0NGY!F5AS`A0VMV6F#$5{YwNSf<#b*`%&mTwZjLNNw(IIf^dZmD^1^Nea6W`$IOqtefU_ 
zBx5uA=WmcH-EHO;7`a|wu5ljE2EoCDt-R_VOBHew?1y%3ODaO!Jmr>N5A`|?E9cqz zw>y-(k)bKvV~3tM4pC=weNnF=lB^?k+lnRMU`CcpJyJX$Gv~-7n$K_V`C`gVsviKW z1;};`0!iHW>3s7QZ@Uvb_DnW-xZMlGLH^fmD1ETNDEua zQc9S!19K-I|GGvPH(q|{N$~u5$?ZbC0hW!?J8vvxCG{BCa!h>^^NNL@klRCh8Pft+ zEvf&HO?F<5xoZ~Sf1Kg!ISjTj3ru?GQmNRRKc+k`DNM~I1F5ZcG4c&Nm>tC z9sP6A`=<59_9ddrh%QR+3JX8)yAhDDZRS<>okz%Fr2wtdGQvI6m5dU1^}3VSyYaYw z^M^wrnv{17YSE>~>jgX3yWC1DqFs&s`EV!_6N7z+K)zFyBYW^d0%z-di`nD=w*j)c3Db*j$WQzFHamD~HJopz@^A`Bk zDb@m^7aCs^z7!l+)XH1}>SRp$g&M)XDe=%-4Bw5sI|}P_RTNuMoyu2bl0q7MD^mYu zvi^xk9njhv>?7cH96x#zjIrbzT`r)En(ej^s!~Q$xIfgvs3!M_BY##;$4JVrc{1D% z-FI*FDz%bUCA*n<{ch#Y*m;)2`T+ESSUJ>6DN6Wxa;{&LVA@}l9j`eMP%5R8UZqlp zL6{j~(EF)zd=&#pRiuh=bF=9;=5H=0+v*a3zan@EA3W0tl~NfLzk;FRBV^tgt_4L8 zU%RWWkY~OH=X1IuLfXkF?@ZGGbPtZ5ET%?iA~n|5)>>!Rz%sGyndP<1?tlb8d`@x9 zQ>9*VuY^Uz=cmW{CcO{OhNmbg;{?ps01g=ynyGZVX;q}jMyT%NATC_NfI1s*BxQAY zmH3iLV*YNIqOMzw&325&>93f;k9v_6$b86RE5LgWVybJfzNtjD0NKxkzeTR^vM{N#e z{c*+?z4qybmj3crG^}_ok0*alZ^Q-NERY_Zjrg7LIQS|}CU`u;a5=yKD!xQc<=LWw z%A(+Q%PH}cqr%H|y=Z*%sdQPD1MmFzzH1hD05eOeMpEss{8~=8klysfQT zw#y-f)ookx@gnRQQcb>_3AQd3$OUf!v!PaJB{^zEwCFvGszKH z+*Rnrq85I}%U4q~U6-Y|U1_xF^D&bOlSuZOD81EXzLyby@uB% zx1za0x!l}B4cSo%5>l;Es#Iu*{jjX9zlfmmYzuvW_3l?xorPJOW!Y|5w6RZ-!dJPW z0I5p79S-}BxpeLA6|A59eZ$;}1%7$L67=U;p2b9RImh*qJkZm{I*r(YGYW(#CMi%D zla!;k)YnZJ49YfgC$c`7YR$$dR@^onQ&OY^to+TQ$_O6?Si?SyzQh-l{%DlO=zoSWWFo=mkXqMof+JY812Hl(>vgvdzZ+tQJJ=9YM=8>(5eo94(kt&)vju`Ht2 zN-Z)L$4Qrb)Ay&Na)vLCzkYVCBLJ>EKl6V383H%`!^7Idnu{BQyd&o0fLhE)gs8Vt zj^vV^qF>{Ex0=K@!noWno#zLTVjAUXU<3hi^fd8_^SQ?ugb4p54#>RF-{Hb4ji?Hw z(&Ac~q!djWMIVq&ol?d9TrE*J1zCA_amXK5lLF1QK4eylv>6CaYhA24Tn+DB9UYU@ z`~NbSU$q{)UP?`MQ9nAdsgYE3w|%zM9!L3Mb)bA@=%hXd0vqn>rwd(`WyOK^~Fx4AJRpT?c5ybt1;vvC+W$$}I$jeC3A4f@K+ z+dkcwQTPa?+96#pv6Q9Ym^$UED&%Z4B8bLJMb5;tI5(TX4IY43S*_QQHu2#Kfuv5g zwa0tnscYxvksdgfMPClzkg<3$_pqg~j%la`c5>^w{egWdqN4PuGh@$r(_aHUPaLb# z`n81z165-oEyTZqf5-Mi4x#bjLkFL{vm0Zqss1~I3O~^usLG>H2rVf8$pGcr#nJy| zBZZ$ra%cC|>-z^8>eoxBNf^3Qx50LN1#fLPohTZ!?mQ^YuF`Whn^T^2RQUQ7<4im0 
zy-TLb+E7%}=KSuA=uWTJQh1^ZEbmY`#8Kg9%-DGKFU>iTsm}1D%_oEv?jo|s7%t<- z-t;?v&F7;*l0ZOwKyMqwj8W`41mIk|+iwD(DKukve?@Y)M=rO+^FCA;$#lWYgS-2Y z4)eX6-aBQt?=u&6ECf>TwJe6f9txa<4wmKM)ugHe&+3tmr=yt)PKWk9!A1NC!WohU z^bNOaE1sCH@%0s94iu3GAkqTY@O;BX=gg_8+IMC^k)bRO5`^PgY>!%lb{jUJ)lhb- zDxqtwm;(?x`G;_TAFDrU=$5Bm20A*><>w+58$7(!&~h`0Ym3PL;Ho zIENvs-o=_Wt4+1-7Piv|`o|8XM9objrM4AY1{**!RQO-UTM|$GQBDy(Dv$|xzHprC zD!i0To&H|q-p4eGAY5#g!Z2#?^q)AY=oHyu)F6@rHz(UQJ{z9;YG}FtvXnGC+PS+^cR?KIY9X1o^quWDb zP_M{%1^D7J4#IkJwQ7GvwvV4L3UfTM{G9tmx1re+N}WcH=_~3XrHlU#Uz|2Jl=kbe zC)T`+?KV?w%l~T^Zx7vWhqiq(2Mr3=oSx(zpgu;t%Vd$k9<d&2V@_ccF^a3sELt_8>E?u^`-^0f;p$ zLl`!$4+SQ4LD>Un{|WKFtXGN{jT&(#bjr4GVr8uU<1_L`qm}OHK}>sj66-7VaRPp~ zWvOop?I$eRAB<{-o+ot+ZN~+ZTmo1JPo*yfspI&B-e3jFmRj;o#5^36dA)H5^3Q~a zNYq$m(zf@s3ofMX5?Dh8fs7xTaAb#QN^c;EWsJK!xj9H-Y&!F%?h+GMVk4{%%G2rgF= zc`H4{B68XTbRKRVU!i$$>nvpp7%isWBVYF|U3jV^?R`U_D90Tu2%+quD9?-JY#Ws| z-es!|sv_%6%dkf3`bVY5CS$o&6?r|*&EXF{+EC*W%Q6n{J}Jd2cPk#_j?@KZ>>24{>=SBuS6B!njV zF1^_C+vPe-oE8)R!iiL+f-C(>U1&p;<9+9WrPU@~w#fkr5BwrK93SO4doK#%P`BzB z9`Q&{kZpzU9=^?|R5<30&k16qx}GupHOuHveD6ecu>yXC;tp~R<+Qy0r%>1bpU)Ik zyq51{-D&w@5pkF}@e0J9`&t(u{)VxIN5XFqE|A>6S(LRsli$n^yGr*oC+=;(`LRAh z*OHiz8rt9!Hp=6_tA7<+4L4#K^8cfeanq#z`y5#o15i}@4E@pXQ-3Jm5JoPk)FDo{&{l?ie zT<3Bph;vwHaw(peQ3@celZ~pla+p}0b*wVow=men0%K14`|P{*5BYnHCP(M~$WBLY z9Hgjm$WH&(Jn)92n|mH@mpQm`(#;ur5d01@iRsISD*7`d;EyTJaJchHW42G{x}gZ+ zOT8X@cpGWBEZxw0&wrUwmt&+Z)dg4$S-rUtm4sgf{o?y-W$T=KG-9(zKDWe)(l{qa zeFW6l29ep^4=0c9&h#A`&O=UwRx`|U=Hhl99@;hRJU&6jK!GijBA_T_-`WBSy!WjN z-aDY*JYC60Sy1ICG$dZn3+)=hr+0DfeH|b2E_uH-)IV1{CLH6QffYoy8;Uu|eA!X< zig)j2r*gb)GYbH{Kc(;LA;8(yp#x=&x89>>LeOhQ)MRnlloR*H1ossq-9808oGw)+ zNBGL9KE)H-*<&$N{D~c_SN>Iyb4{{h{Ruda zCN>+fnYY4^)5k99U=%>vd;ygVGeC1)k49}irgAW!w2V8M@X%qoXcobe7H-0;A=Yqf zg)}VIy>7mEX{Mz}U;1v#58mj*#HnB;24ES7uF1^i2ZI7+S*i%;ewC_%udwmGBk}Z> zazY{lzdoF8Pwh%89=Y_*3fLbdoy0}@{KI&vCx{3h2yKr5cqRrXbaOYt)fY-crKHZH z$~-ZWonU3_3<@nnI+LepXoy^?szMe1SF8NxCaP-8 
zPwee>(#vB4Cn(}B94r-Zbt^;z`kLi=tHb(Q7T8!i?WpGqFz6|o-N7PD#xzjneeD_%<8nmP%*}fkHt}f$I{;*A%8bxkmCzB1zq&} z{razlXhwo4h1IPAK^v_@4WKiM5hhE6kUqEiWP{BdY8u6&thQoRTc;H{K=iX8*}o`ObxyKpi)EMwE;ThAFkO#SZ)%treUbOt4)H`e~uy_>pGg zOX-m=wlI1o(_H18=ELScugeRW^i^Oz6fDk=iqmP=b%-j+advoUjmjkpim5)ea^NP_5XgT{Apsw?YIwXWMRn8K=C(2{XsJ@FZ67;HIkrE!dk(z5;_ z+9Wg-m=Nf^B-&TjnREdR`h)wfhN`YQ-#ZfOR7jEc38aLCp!&@|H5<(St9b|Bvk*ZR z+Ds>OW|C~FecLousDESxm9~=rLjYF#Dme0jVVpH_qvB@U1LW^*m{FMJ4RW@So=8FeB47`7xh!^Ga{!*|KLFQ9D{SW@pN&} zS4S%%(;F}~;qUu+xm%=Q$x_Vv-gq+qS+z5f;8}xml%sdG^q&?jaUMHBOlE|z7Yld- zD%8d_*p1b=cde$@i_3wgi-lm9eDxp%<-Db6hCT8Rp@!v?KL}005NhzPlD1D@oYRCM z6x2UdTf%dKDxbKNyhS>S*RnwNp4Wv>W9a6S!OFvRURVQXx$y1ny{q%ZL+S;>Ud-W0 z?r(6@#j0B?porL=3N|)i{~N504HkEgK=fP2Md?F)o6Vi7P|#&C5fFInE0CNeh?Dy1 zmqM;jaf;oRpxfZTp0VHFee^JdRHOHjz_&dLjXK)Mk7s@6@2;%VopixO>czI~iAO*U3{@@7to)=4Bq5mYS_y zgIM%kM=~*82b$a(H1)HkEeTyBqJP;<+SNv0&F(1oLSYuknfBy6K7uRmX;d}QuHODC zII}%jSMK7d;}6Z#;)B|@j2|%D%oK<>vB3}ia#!-u)ESdO}@CG#aCH>?7tIFNzi@bk5b!#>L&*+?R{_mKM-d$Wqx zLVN$c4i`j6Hg-`U!=|P43y#2pfTfJbUp4oGJ{$+MRxd8#d1B?MD)B1=ZQgWvz=7ZK zmxF028Nbg;@wiLq?zYhcGQ8)$6y990-fRG&K6STJ3FyDO1U3i2gqPCYM=;@9f5S?C zYcu@K_#{M+D!G?-MtW!i{o`UJ8PXsUNb*4?Cd7I72YbYu zV2g}bp?`azSClUqMjixFQU0$?09=5(c>QdHVg)9(@4ACn-&Y^)2*Q*YMA5LNd)PtS zeZ8XpR~WsCyb$OWJpxAh>$aigHA0d&ZYKRoBh9j2d8|1ftQ^Q454UEHtA1r{*<~$O ziFZ*g3i-Tr6EgK2xaq$&*`|f4N&8?`(@Ha&M!H(`Slc#!+jTUN)l~Da_G`EOv+RthyYh&lVo|^`Ezx#mLTJyHdC%Yx^KJ~jjEtr?9 zZM9^*mYEtjxl#gNF1HxcZPjkMcbU?FuuCHajDx^^QCQl(h7Wd`qag5>Q4HCi{Y2Dg zWZ#&oDRsnKe4{nV&P$i}8-0An-q{3m7Gd$+{FL6)iW29>wQ1 z-x)TAg13j~Uz|&5uM{t+-I~^GZN+#vj-B&RU$Z*3Oo(FkWjw5YaYAAcCM>d6qhT|r zrTfBvr@G7My_9j0KtNn8EDhRCi+E6;%G420#8(gQfHW{v^JbJpRjo z$rtSx(! 
z7THE1{P8D-qP{Z_bu&d;cE$H^X`gVdB@rDt7Jo!iQ+m*Bs=BJQJuv)d@$!anHqhSJnN9V*7IYqf*y^Cw|a?XQa zx)mb=-K${z^7;hfN8g()YwUgJ+%E6?+!fr49a97Rz3)URE{!4c^-ZpRyiIdwQ_Bf7 zGsxB5yP%p~FVOeC>M24Htg`RIM4SE}(TKsUo+A4%GDil@J!gi@Mp-U}u{W2yC`9!)zU2njsY{nzOsVp98Hc$fX?7C# z&To`?@y%K48Irm=0!>JOQ_TPf!)i!diOGsJ7Gf6i-ML`%6P5 z5=ThtBRK@j>QzYupCYNe#WnO5%D zg)Cq=rxs02q5eHs5F@?+6_tQNy((eT&cB30sS#WVTVDRp^4GBC6Dm%osuYp1QY_~( zOQ+6$DJbcDDg{-v4d%UWE3fxg$4d@x5!5c4%epQ*osQFT&&V6#b!&1ABJ!qEWjY`OXGaz9(hs|qIXgfZrgh>&-03=M9m@TAcm+&1DxJ)qKLl}#CA&0(CjdIIOl-JChtZs+Vu z^hw&Q`05%R^SYY0;(hJ@?nbc)ZjnZEo zTZNHFyF_^Zv9-j7pa}0H(8mtO)?ZoeNBNf^Be&6x}NRzILZIvacNlYQ=4==>W00-8NoMKQtT1FPo6%2c_-n zlFI(L&Ipv-AIUMxPc6ojtdFc+=ya*YYoM?P{^|Po7XSb?=_;vBX21s*8d8gzhUtS~3gF*5&%`J0wh4Xrzwv%tk znnoHNW7vJG7t#KvoP~h;l$d2R5ipPHpgd*YfW#U?`LQ$o`3n(Q2?(_#MGZ(ssA+My z&yMr|OdC<|sA1#|-zg1NFOxGb(+A77(Ml7~C68hCiKqeCxUsU;76b8qlL)9%np-(0 z59EGtehaWNG-v0DgLyUJ#Dt3Q&sNlisaJ}FjA+28_d_C`X}Q68N`J0L`Rbez{p*6F zebYpmVq}Q^Z)rC?02Sdswd1)*nmnKq4#3ooSHn{7h-VOg66H%B+9cN`x|t)}twtiN znqGIqz*|)OL4Z)6%bR`%V2!(2q7y%@2Tf*T@W9hgb`^?zIIYTvB;s1pOxvgXuNpT2 zQiK3RQ^u|aoQmDbjXwoPm*B5)I7#rZl6)N!Vk)-UGDM8NH~B~O1j{G!Fh8UF6NN_J zRQD44MukPf1et*C$zQz6vyO3BjVc?ha!76wP(!bBhU?8T8;N<#CCA!xsh+YyW_~R- zz`zLgjIuN5+I=E)SZ`i7PI%ogH(P5-(EJK^mh z%r#8P9g4{|6*i=E`-7COph}$lPCmk0=%<}Otmqa~B7Of!bDl!%;$zx@dOg_SHzo!f zO;j_o$V|x?-v}9w=DSsDAYm^La{u-|V`Va=$%gJy-8FB}H}}UcBpPfln&euBr4^Ec zrp5cAOTOVKwAP5A0d$T(TWu`@G}xJ*iID?Y^}dIC#iGOp!boYnZWz-rF&3`YK4Ku5 zz+fvF*AVH+QV`vVO*&Bd`(c)X=sZG*$T`A~2<0CmK;$HuMw`W$v5^^yS|G!iDbY~G zI#cuJ6kOS%IbXI@RTE93yB|&L{VGmIDj#^|;8wO*f1l((`ml9y;@<=H_ZIfPJ$Jj% zT0Xjn*~&^u61itgeN0-gkW7M0;n2~E%7Hc+Urf4oX{L!Vxh` zN+t}l5?E$phcc{Z*zLwPD*pyBw690YFndtM!x*m5xSYRheJ|Zo7wTNBnm8(_c=YD< z^Gi=K@f_=k+z7gr^~zRtO55D?95u_PsS6JltGkC1ziKkYl&`^1zvhf1P<*f7D~~Pa zG7uDi|XVgfybXWG8cH9r;4j&WE(dx2xt^ z=rt9L_lJee^jkSosCRS=w)WYp#o^^Ois$9J2`&X;2jy)|kCio~w^I$?VlwKV2OwO3 z6R)>1BbIPHMF^4n%rB`#G1Ms5$){Ma$tS+W2r0JhEDwLR`zDFyF#vFWii?Bp!;3QSL_U4O zB=W1(D&l>leoW&K9eONQn8UbfT|*^HTWHW}$G#g#p5 
z^+t{%3FS!;Y1vN=TISx3bYCXl7jop%o*0P{ok+dp${O(>Y1L_*okE*2v#nBv4Z#Mn znwgA>%=i46z(PS3Ru#eA&QcfPSjDZtjpfZk!{wUrLA(#kbH96DH*v$iDxRR}DOZVY z02`y~_xHeZm9NQ`qhGI5AxHC&1Jq`02{UuELpTyEf!25VAT}L^*aycyjn9%9!v)(kA_dK?%dfX8QpwsGg1@nP z+P4ZifTBrU_Ado;;o?bL{*t%lGq-W>So!A!NEwU?r+4kxD#{*>TQrmxV7cU4g>N(T z4(;8fPbW;f*6%=$<3QGpZ19aKSAg}XMZ5aQDii~_*asF!E_{9tclQqdMuv9Vq5OuQ zbTy>o%8S~(jZf~>p?ctN{R%Jc{h#{5hm{Z}L3g{~%CbDl{Su0IE#EOYE``5t8tL;% ze(Uef^keU)75rx()JMtto%kH{u=l2J>!or3W3YGc;h;X{%SE=W{J5)|Hky&PkG6z{u(7OeT|0KIApN){ihn*h~RAFF|gDbwqF>jIB8whox8g?#VAlM z4E3zyY{}r{(9lbrM9=}pAuWjxN%;QOXlq$CUqJ8Yb3NZ{DQjJsWvq!OTigb*x&+_F zNBxKWS2Cgg)e9Qv{WCigRs#S} zp3FiOWyp_hO$r-TS!~V0GX^}_a<5yY;~FXAW}o?wSFj7yUpG z6+Q=P<2xW>f#>UQTVb8!z6@lg_~38CwCPP%k^9p76c_#f(rH8gJ}UgySn23J{Fth|86QGkhX9}NnIXm6M-z7) z_e;{7r*pfV^cRjdaG%k-4*Lw+T&s94KYyfnO>%!}f;d7WZ^d8gpBT)Is$YjSgW7?&g6eDwTbbzj-MxMrqT`jYB0a;DHfNy&4 z%--nt+ZW;|t}X!xH+iR$ujHFs)CEt|KjlEw#e3(2bdMON1th=kSb9@%pGQCnb=Z{_ zEB5Z~BF364L!yXQK-ON>A%EuPiu1eyV8CV{SqyuC-ejecQ$=Jt+y;KgAC%np4AV)X ztC@lk{=c2(cmvo7)u6wt_dLRKn5#LqSB{k_sfy)$E+} z!ixB&H>RyBDvGt7>cCiyMxuHh+4j2xh0>7Yb(}u|5rz{wh4=-rT>u&j#aiH*wy6C1XHOpdy3$+Nm$A1z1Dx+YVJkfis9WV5v`mr+d< z7U#@sbbZmJ2UgA_{ZOmlUsfz{9lJc&<(hx?UmOalf`f&AVly-cEj&r*;%o`Jy-wB| zxew|uI&qYXhpIvRk*}V7jBkm(U6R!#0On)FkT?2+YmCbd`$1w$rVGB5209sgBQGLU zqF+`Qt7y}w2Bm3#+z7K)SlbQphu9MRNELP?J}}@p{a~5XAwb-;(SVgFp)z3-K}1;d3_fs$>Ny24xx=3-{JW;D4x>YFB_+QfH<1@!hJ6O#QF7AV=rMw`reFZJfen% zn=3=Q%R~SEL;iIZeR;At%!-g9sEr1{eve5dPQT#m4nb{ma5T4g-U4yAPb(Gh9om$dfM}~bjf|S@ zM}ZNM=7r|pAR+xpThpqzSvqGMLTh>@!|3@~zOOeNV~^o-&|AhGny5``vi2Q>=~LN6 zJ?()Y(cCcOwal_Jy0fRHMDy`DgWuVhEkso|>H&}XUrU=R&g{1-3aYZW%Gaf2 zWcKzKi>M}CyViy}`cwOAa0UgJX2K3YgZ>&D&X{aL)AN8#mcx9S>`6Gvp`5bTFU&3~Utq z{wm(q)qxFm)5r38-3%;CB_hz#BiU0y9>gs9bQ1V_()nEOfq2iDw@VtN@qh9t84#^U zm$CR!=#b1E6)dzzR}@S(MK2E*qw9W(6sV+P-=VQ_ za#s?~KzDn%L|O!kx|4-Io|x$TbttC0kUxZa+=ihALA1-H6I+YmD^jg{>nM>p)cCeb z2swyPSG@^?6iBBE{>l&_rHZVTHhh`D2x*tFODs|L#ju^lzhMU5j-^br|yqKA` zW8?G|a20%ezgsa>sm0YU(Ly>Mls__D_jxht-Yc!*=P$MRkl75K5uwom>MZKg3H+Uv 
zI6eAGo#-a%?>O;gPJaQVN2nX@0WsinYBUzoa?&K_s=qLeW`=6IblQqHsTh_#IeWpj z=H@zn^`PUueksnL z3>(;+XKgge5}ysPSJ~>@-pnMdF>tf}%<}8xFGYU_vgM7DZ~Vl8Wixwe?KQqQ<*U)N zANSUl$BJ|DXUt)go^qvfjJJ@IGHuh@f9{C0KN(T=k=0DsOa2X`Sc-G7qNP<06TJjo zZXam}J|KzoU;PhuMeuAL-)ZNMz;FKutX$5BIu!ka9%brKQ3d$Rq6sVNBKpSd*~stJ z$w!S$f^uJiR8M8EdCSK8_d$ZdB4NEpc{6ovnC zVVbyRdIcF*+UD-CR#lzd*E*DI(EB;y!I!Y9Jtk8p&8GJ~nmJW-^}YMFEv3Bm$0k|B zM{@Tfs=D7E)xiI5JLRyY?Q+L#)mT+x;MJ^Njp7Wi}4Y#4!&0Y_Nad<3)|XE2k+V2l z&A$Dp!In1}8zlndQU0?t;5Gp+7@q?+5>&qw6Q2lI8s{?+Y7r*3e7J6tdlX#?I&P~K zAsdYix}xiQQAc}&aXX{>e#r`kmZdHCy}ZGgGuM`4UK09`mzhp(&x--5RJ>>G#fon1 zfA7jkx$YZBRz#g*Qt#KYj<(L^sAWfK9GjDjbh<;4wYo*O zvc;*yjh%TSqFXrX9ENE1-14{cdeA-mF#K>6xDToOzpBVGF{S{5z!x9rF;+$g)ZB3} zxA)tnm3DWCS@2lQj{+Z*MRiFxaK*gk_a;6b&PjS*;xYFHxuH<;$bM2AGh^58gH~~- z;k!7gn?Kj@ERK^&JG3i!n%yA87%Kueh>Ma+vk-%dRVuA z74wg^Uk8E+9&DxeS_Fs;k;J@mrL!4NZJ!%3HgEepyueSEJ`B@R>QK<{&Kw1z)Lci* zp7`v`(W+HK@qZ2kqagcFRLF`J`pIZm4u9xAB^jX1imPTS;T!4Vq93+|;}rCtu+m&f8@+j(Qis-|qCn@WB7kMD(a@Asi~A6>>3U z?~h;PrPi$9!>*<(_^2~fJ>@#d$Jw`Q z&+hubj9mmGt{CP4IXMIGOhchuZ%abIssE1uu312B0DL(wb{h8`q;6!2r?BbvreLPF zE{(@+YS!XShf<7GiYRu}YiL9}CJzJ77d!}_1d?G8dHyoN=PNvTg_k)NN!misYL9vE z#y?2*zy);QHpyZQKJeANw_euVaMPgTVG|4=F67phhAO8)a*-$BNPndgUahYX$nhi- z(1vHdcFFb@@1d-CPJo&YYE0zs{K=HuhFaq!twAyJ0p|q*eJ(Y%sWOhK)DZdDh^LB^ z;N0Xt9Yy`l@B2BN6=ofFE&2O}Wm#v0bOE6pTP~fGNnk4uX!-8p`p8T|?9J*SPNtH> z#3l>G9ygH|8IiOF z3zD(EQ4>(2rhJw_Jbggbi(u2kskfz94B5F#@%7YP&t+VH$+}tYBq4BrWN{Y!`D8y) z@D0+oFxeJDuO;CLETa(EdP}To;7?HK-nX(f!x@cnb5c>h+&UKlvVUgO(F?qYay*Rq11M4PyD!E5c z0IZO)ZvE~%%C+c|SEl8n&ZVq!Dxs}dI;Dz?GmH|Gb6Q%u=MiT}*>(cl7?gHBh>60} z%obTL4dGqAZI2h5H&whGB(j%*`07+5*;j~^2NW3PiF$&y=^~(%&~5x3*7^uKO+}IW&2-{!C6-a*eZ3n1{_}v8@s|AhH!qCJ;kWG>*P02-(9UZCz=4 z!$N7*gC7v_0<`ssWCT;=w3l_W@M9|N<+H6@?P>Jd8- zD&#@=INOtG2(Mj1raN;60i%XK3`QB#g^ft4ZnMUA=FAXe>#sdnubkc*cfWfkIfP3; z$w98A4lzpawyflEj&l;U{vVZN=J#pCRQ@ycx(Dk85kWXP>JTE}K=6fU?k^s|%k}cM z;%uLDgARJU5-DJG{x6wC>cGmQ+Uc9`AAd_A@sjutL?XJ~Q1EEuzZothgX#8<#{_2N zBrg(%^Y&E$q}MflXzc;Y9}*jU;hmz8oXu6JbFuTLiVUVAcOZ 
zkSlEig8&qIz3FeZbxImM8mD9b<)w|wTRC!crQ~+R-weLt+=nd43x}p}b2`|Z(;DzC z<}*d2bmMo+7w1YPXbMEoaDW)r7X(z4EbR+)*fUQwW+WDa4x=%W*HA$$)XIq* z&B{tN4uNMxXohJ0VQkMPn(xoKO?2;Q8F2hUI)7k9(g$x_lZ>3$ZLu2zYWr?&@bX-_ zV1U>)FNQ@gn1s6rZxbXaC*sIRR_8Lv)P_5Y59!Go_j2rpln4zChb=e>PCOykMVx@nbe)l(m$Xn1qEKRix)k}R$MD<5VexZbeYY}>pxEFi*)-D~_JsUzBz(4q^ViQ8W z+a1@Xo%yvL;2oiKzq^Ii6ccG?O@Xei$VTrG8C|i+%AONK;_ylSENey;#O(~8F_S6H#KGFlmfk7nwy^! zL*8Busz~8o+S}&}>JC*MpA&rfjDEXmCJ%|Yplt)p(_W!!M6b`71tSC(XeKZzLMwkW z2FI}ypga^UnIpW^+>wr)2=0-RG2NO+L)FO4?W%JG)tN04;B|^H$x$-4ny&f@rd||_ zf=T_%>9Q9i2EP}X*@yX+^00S@H`pf;Mlc~)zMWd{PBJ2CZ~75Kk(I*}LEuRDiNb86 z1vf$R$80I`9{vT~Di5<*MD509UOL8M>?jp>TFs2{Y<*u!MMBgW&< z58PGfGbVmhHvY!onmHn7Z^|fOLlk0bT^AK3vWs+2J($b6jfFAwnUt|uhyDtTWp=}RX-xFjFHDAGL4O7+?Y)+Yv7>-jBls`xV#rv4Nd7g#ps^ZTOhavM^M$b;zULj)AVH+7L&u@mYcD;Na8l-=<%cedQSVn|bc-yiiG8QRPn;9z* zE;Qo)^N0Q{(ozN0!`37^Z25KnmnX-&3j~iEyK5jbO~h}Om}X)hRCb}J0S3Lncvw^u zgJbt^hgI;1u<2YfM^5Zb$^H)su;@$eI&ldMS`>l@|QwV^D@jx?{+G&%~4m0G~tl%p)xKn2(cs=dd7%Q3CMi~ z+6`Iu9F}&F(Gri*E6Sq`4NXa-Z4v3;>m$mfBvGSTh~+kX&n8tu5&Zw^=^#G{>Yzr<#YV%#m}-CK$bp51himgkD8m5$*nybo64;HMqZDlnO(nP! 
z4`JNcRByg_`?s?MMq!Wh`Qr0#Eby9^zzka+c+D{2r!*`$Oe>?otJmc6jBzG3(gDGU z)OiJpr+SBU>TyNtW@>D1nIp)CH2D9A2^RStRXg>U9Beq)@|e%4sH;z%s;9NJrf=}Q z_YQxyc6obDsi93a6FSF(M-pNe7F$>R*4TB!h{I_O$Q%r!wY*tw?U#1mnk5}SmX}Ad zTbn+Mw*8{jw4g3FxMc+~r)OHC&k-Yz{XE(Hf#cU8$KvaiK{yxCEc#-v(PFACICDx?ly*6dmM?Cwe(b>d{pzo45SEq;WUqf{zj=qqj;Z@@-)NO>; ztR&ur8GNK3D=A|l8hvHLSW!_kf^NcCb7aMd$kBN)WLY;vKA_keo-UDKfSFn-_?jB+ zG^FaYHk|=u@9nR!ePCE1z9# zIP%QKS`p~&OVYFus#waExg{e;s$WfCL^D(Ut0tYgzj)S3{S?iL=7lwu%{*`jWV+dg zTiJ3-o{yU~=*74h;S?g!cd@N0XLMQ#eDJimjjU4tieCkE0Sj(>Xe=)Le>NkY@fFAv z4U682+?65qv)lf`;pq|Nebu=gbm^%mdBFTpm$f+4#$GhkIzNV2K&K#5&~ex{%sjHV ze{^Nj!}WQA@=gXwP^Z&_$8$7GF%wF%!S7G#IqDv}<%8roD&6m_)#IkFTR?qW5-Q<` z8|(9vL8eYNLT}Upt1PmySzrvp=N7wF`v2M7afxp1I=o4?e%rj>sd#Q$**$seSCMJ)+boAEA8#{^mFp9Wyjr8y8`bKDU*#QZ!X=7Ir+u}k zj{$-|E6TT~Kt4!OBL-3cCB`~;B*@m+I?jmgN*k+ zuj6hk^-aWxrNeCd_J8MV*;Kx@R`7Ixe6&AQKMw6w4d@NI2+`aiYz2Qge z8}PYGnGcYRqRw(YWFJndaz=$oA%8K$qV)p z+k;A5;<~bV9`tPyv0(!_%rr;`;kX3{fBz4Ym){$=c- zRF4dN3iSIWAM>It`<8eQA00H-Y>#Uwy?$%Z`X+0h$2EF*(h=-01U-zQag^&dl^-|= zCDkQQLkp=#hqzvL<)VCNH*npWC+>nhIP+iV=KFGs!|Ko8V-2%AG%C_c0;$wIcA>y^ zAciu|uLJ=bZNE*`BAQfXo>ace>f5V;TZi5QpVYa^Mdc-yJWtEH-Uiq4<}WL%|3-L>(8q2PW>YCeytKJpxs9za|fi&H0U5dNgf!4g6-3!4h zy$24zBsbegL!>rq3r-0(=1IQu>rTSgJW~9Rs`?51^9i1t_>y?IMpj|4M~0r1P06h3J|lgUd1r>3C*@R?e4favRVCR#&hYtGDX&wu$M#S)z}Ld1aXl#n4sBzA$vGlSHR5n0NB)^U%_cl(_;O4h&g zysSRH1z<4O_ZSPT%oJVhpI*XUnzvb?KvaLhBNZ@eO6{N!e=Bbn+d;vUO)~SwY>=d# z7~Rq_N(JT{JN9(u2Y)pA$R+qz?|(>k#8>uHW%4BV$aB0AK0PZhF4lZ^n2qNW=9!#W zJY1_BF&_C8A02`Qs((q{6KiQ5kqTeDs-`Y!9-IW=FC=dAKo+nTp<4QZL7TWt08a$; z#81BsJrR(HKE{h8FVSK*DAIC;ajGC_rB^Wo4w-zk5!BTGpXC>Q6Jg75{#kyJAZSuv~o zVfLhI_7%E7ga{c!n5x;M`L1&a4Ehmkev)I0dy8x?;B9HX`b5}o4*NWs z;3T%Mp?N>&3;anr2xq;}C{i<$`L{9iPz3ZZnw60hczguLfk6~_Z(Ef*7qEAKMGieUPs0A*;w&85U9ozluCm6jlPc zH8j<~{Jdm6Ttk#CUS%g7#TBf6--Di*-b3av7cG40Vh z>I@6seTG`rlYGiY9kb5ZD3u-Y(@dg;+j!UiV4iw=R%ysCYy-nQmHlBlMgl7S>(9!m zCnu-poM#l2C(PczAI&4|OVx@akDQ8!Fd9B?2?=L$;qiR{bZ|_uZC9nfFFdMevQ94p_pC)&k7Pwy 
zYr>HUxxQ!TO^cJD5>Njxs4F6_Oqy~ee?ZmmmSOc;tp>Mx*5-pfBAUd5+~MQV_P_#C z`vk;{KNeJBHvx5g%ot@U;IS0O%R>VsxFH)zxo@0-l0VCQMT@IMcx=WjN}M-S zpTB|Te493P7U+0%|Is)W6>e|uZUrkTU^LjzSqY|(aS*u)M(#Th4xw55`HPS(wzYWm ztlsV%pXRVA$}jGZ!m6EXxIly7jQzZqQD2L{%+05h8VuOTdJA=XDJQBWA7qKOz=EEZ5!4v41!!a^ZK07>ewYSYteT&`563C$bKhhcpt>lb+!A!ZRV?Q4G6d2Uy^1Y ziz-K4Vl=qZeIKT40-{&zG(_&>3H00L1nuKdn()edQ8;*y)*ma2hwHryQ?dwpCy2^C zJu@!mRsQu?+V4XBz0b$hl7tO#`X%AZ z`cGip!AR8p+aD@sZeaQ2%RhM^8|*mFX}=MhHlG@-5ol;l~i}#Qh{?Up!C_m68D7;T|`{oK+Bfzk(OE# zM2SYXW`XE-dJT~}A>4gQNYY-d_69S*yi{PD2r z4!Od96(xdZSVI7o44ts+$oBCLWV9r9_$tU$$NN%xf*4S^uC|-iOX?|V3_+{+C`hYp z5?5bRJtYEuzsvoOETiB34LPh;7HTI3`)T|MldrjBylD8)S4E!fvGC5H$$P}ZbIR_Y z(Z`BNAYQW4Y5M_RqfpkAq)i3zZ=jYuU-Cuy6pL}QNm5B?2m|CcqNYNKs( zqAx@JUo@dV7O{QZ=#vQV@F&uzznVV2IYU1b#yC^rAd2I=ilXSWpJsXspO5l^KO?qT zw=DDnMz+(iPHcCFeeFNb0Z{KiiMo33dM!!Ws8dGmCF&VbccSVpo~t=tuHBzhKI(Yq z)7-|i1>l8dv{tpIJ7i!4&ar9(LfI|STF5zortue1mUs$C={wBZxLE1&7nXA7P*1(3~hC1f$vgK5fW zFstuZw{A`{N1$ui`2;|(Rg@cF2O=^oPsZ1MZ`JjQ&LRA!yY2EmlcX8@w&J5NNADF< zGw*HKt`7^Oaty1S32baUQUpf14Qi8*WK4+6Y0XCk^$`omzgZ;AGJ*?7@`igpkW?LC%b=OKr*1Y9hI%#u#4AP+gX(nmqCGck= zaVeQYMR}PVSJoK+zS|4*p{sOF=*~y$GD3ucmfxJtUW15Nx%(i@MzoXD?75j?# zbzfLeya=VB9%IM~ZGKgp9DqPa+^qbxjp+>&vFFkrCdz=ob-m=;$;PIG)IapBcm-fv zU>G0l{RmPXa)JmSZpSA-G+RE1$Q^HWhF|-P_je#gC7y^?K~(Wy@4iNKanE1kO$t{# zvuO$pBi6dxk-;zeQp(+*e0 zy!RsHy39Z2>RDEruU;x~a~FxtmDw6OfqrKM|Ks2-eT?J9Z=}Nvfe`6UrFg zduG1s0KzvT=3k`H%`9po3B$P`*T7R%awDIq(I+i~V->jRBcI&|Nr;iY-o?kovZPbn ze1RIr_o3*?C?ctSCoOA}T?Al+PMsXTcb~>x^8)f*cs#kCr|0HMPSK^!+$5Dm4^Z2vdiLV?oriC|=Po_qo#+5w(#^ z4dR6A_*Y`Y-=>gr(yiMwU@kqn*5~{+r)d60{z{r(V(Uzhyo%F4Ew=`1B10errt5U?&bR%j?-wzw(X>`ZJUjqrg5@k zqp_OCw(T^wZQJ&fbD!t`>v@wGxz=~j%$k`si=UOnATJiqmLs}5t7!Ullo^j_@Ymm^ z;`Mm_Fl$Rm;~E1;>2V|Z#2dz>*sS}s#+arDHUxZXM480LXB}S;6a=t3LybLO$0^M} zhw8gv`BCucX)u7c{9)m_T)xjg^vr>*!(4B}3k zB#3$JbF|I5YGoQI__TbyWBI+!&X!()U>sh)voc2rcktw`$&9Z>{$)S3nHY zQ$wZx5zU0J~P5)&fm;Vfybsmqu(`O948m_D|FGFRROor&kt(pHjecGr)vTFYW_Z%H7mxut?}JM 
z@bkfpRhkS1i%9&yemCrFrPi;(bpg&;q-7#wa3q2tzPt6nO1yk*PI((C_`%M#8YqXHUw%{LlE--{blB?&On2 z;1X#?gSacbY$i^HY;(#tdZ63DUjQEb=u9q(pgX3jf}gi)guQ!SNhVd}Wxt}eGDIML zIG_B($?GerK2e>(*dlQ?l_P3Uf{7LiYV0>5^wFx#pn!Yxzc#+xRN-4+gr!ePh^3p~ z)bXlYb?CjhHJ>2dE3rG}zU!^`GsxEbS{Mu*igf=Cwoi4y6(*zc>!;C)z24m!f&89s zHjdN;eZa~aAxUskgaY&`TgWsnKEs07TxMF_)blbWp)ESXHby2k+Kf_~n4Zr1; zZsEzV2N4_0w)SH}xHAI(wiPRT!;%5s@8o+&Euv!_rj)!W1Gw7OA22k)bNXLl4lb7I zjmcQB@r|GW6tZ8~5gc+F2NX8%ZvSAxp6&4AZi6|aW z0fMCAa+;#hjC;@Z=d)s*r|iiG+=cVA&ECq)lw}gUpS2qp<`vn*w&-e)MoCQ&Bo7`Q z&wuoaDE^^Y(W{Tz@Lvt>%btQR)Wws46PqT&^1AUJTB%>X%eR4}oo$}lLv z_V130YsTI#xeSq2th&6NtYlUWwTn6zc&%l$V`eJk;EgDl;dQrtyzZa%!xPN(-^KEI zbk2;d$E6}WZucYA-90bhUYKipx8vEjEfD%}REjY%W-1`adJ*JZUBPb26>uSYqPS2g zL=RN(t9u3`y$loRROa(EV44FSOWmRocaj5|ayfg}jP0q)C7wD7_OP%`iVN=id@gQ* z`}gv zen)61zehdT?j%0Q&4h3F4oh4hC$Jt5z1p14y56D$8k)NiliMyK*jKDmzea4`T<-Z< zKkjfm9`~wrAteaiEnV}`cv@yqR9(!m%aPqICH2^a%!t-R+I~uGKw{lk;FiemZ|%tx ztz^+&HL&rKqFf_V4Z}3b!NhXcS);}D5o+6pI{(pQf*+QWKDT4n2413#hY8P`+It=2 zP(J}1)pjl9oE}<@AP(a(V~}`m55C#_f*zVI2HZk)d#VCt(tk{)v$OO-W<>jnQ72Zq zdnd-j$Kum%KlniFDCyBU;=LinxI^f9+rfH&*I#%b{c&tcTh zm3f$*Un5NFD)8zApZ-L9k)4%!+A3jti0{Jn}j-!j`$WpgsdgGC~X zEki`g^5FoO?z;q3NUG+Xn0hCP4xYE&ePG0O2qnN z!nX7A=e=KpfJ_?Q4hkiJ!C`w7h4M?XTXLeM)|78xnY0wzIjr#8T)2sYn!2~3M&wdb8i1kt z?<$RLGG)?aw^1hgHG5xv7u2M28PPXxw|%Jr1n{d+!0(OoYN^iqw?|x;=9DjVYG+|s zJ|bpuA`nW<#JkbK0b8#GGraddP!(u4niob&db&dd+Q>GT7P}gOaOZcOya;9(k9~`? 
zXef2U=m=BDh6~kPBSDk{X*K+b$szWFO|v1c8FAx(jN;CSZ1xU8s&@&rTjJs+osns0 za4Ru9&F34elt#vmEjt}=->pZ8RSYvcrjui~!bsgh{0@RUJG|c11bBHHh+^h`_I}*| zKr;>IbKfos8ESleW>bEQaqfN;Ze~!c8G_wsZt=0P?#Ov}St48v!(hjA7@S4Gdzeen zdG`PS6TXh>#dLlBHSr*i2fQ%B-r#Y#Y)6IO;OTx`Cm(YyRTD1p-6xaY_PzA-k)lbe z4ozZ~L7lmHY8&{aFk()Y#8ykyn^FxR*>cjXp^i7PJZk02to;}YP1IZNB zz=W(3+5tcf&PBgyADpuo;lA!m;f|K9{-R=l}$QhuAqp@X3^O zpS$yaPusc>Yn=r=$}AfY0IYuUrQqOj*&`VA$|yt_6YU{nmKvt@M7upidY3*_oeR{6 zK#piOqp3qzakNo~oNDX#4c(Y>1ywmdDQCFjVU_lh4KFO6;;tF&B9G@@k~+S0ldjLq z;Kx(0-j)Ryt_QwaJbeG@=2iC$m97sB-&`!Z{3TjHYnvO7Zsao|O$()aX36}~rf7IQ zQ*_J9!N{9WuLP>QwiK~Owj8VHuypCFFaQnx)T3Z z7BX~8q3+G9g5cJyI;61)+T^%PTc;3^M_eZL5|A7ZhI+Cy;urGb<+$xI23o>3C_N1O z6XJYmmX+ks?{{=O=n>-{=B&jPjH|<{qJFM(>wzLp@**LO?(75w5_DM%CaGDTAotvN z=tIWn#EW0ILhbj1(jZ0eWqBF8yD&)#lr;3xZr1X6cbp{0sVaZov-Fobyo{)HQXOzZhG;3(vNOcr8@zfH9C*R(IMNsG4a~d;6+9dlCd9 zCSU7sBu4QLegZzefIASwAH5Jh8XSj^l6k1a>-fkt7Dk_%^xQYsB$#y2kvj}3$C=ik zoh^r+0s18Usl>0D9$eMhNW8IFvl3b2DlMd?GoiK^Muw*wC;3o9jC%j_u)4hxONxS8 z+{~DVrfv~bJ7spxo+47NGP7f~$GzyGS%*?f(L1&Z!WO}N|Jl#3%>V?AUl(?U>yBsj zxAxkQ7kC=gcf%@y%7^W{81zSutY_c2lEh2dSRozWtC1TWvy zA|||0!zt=(W%B&pxK z$Jd0N#x2h4`sKurAt15RHWCW?NT6t#h-3n1pePIpS-2*is$~-?^X%71e;bML7^pyU z_lz34$Q!mskY*7{lfP=L;5sG>d3>N~tsmap2B#m;$oeYx0?G>XN=%!yjve~+S~bGi zlGg4^Wr`i>wdFJkoOBbx{afa~?gnW?d*RJJ5Se!G@NFp*)#db+TEPKgdP*n2YcdHZ&}tTS@-kShg~u+*97(b{mQcj1rHD?!9-_xlee5IuL zG&RUD>HcpWB~(KwNs!)(5DD7D!{h+$l)q0<56}QANjA=JEZAL@WIymJtemp@l_Vc) z*`rC_b>Hm|@QT9&f;Ve{{W7dxg5T$hOEv$H4`;@Mp`RT02PR(4w`xn$<}6sYUM_=v zSL<8K(o1b32l6OH&h-=ah7=?Z=!%W$2ebde&60WE$6k^#plZU(a~VHc=UxP+47{$ znpBlr)&3uKLIy{?yJ9((CX_lXhlo6=GkmC`Y#Tj9sl_NMtu{>L?mv-A#U+h)^7vid z+H4fHUao8u%eNO_%*&QN&{^%c?6$skV#BcdcjT(H6p2jt2FhFg*Y{`2rkWDY$2zZ6 zY1bATIgH!)fsR|`r)_Qsclh#N@@ooZLU&;4iZ*)@BHmRXTLHLt2N~bZ-0p??z%yQ! 
zYX?!|%eHEA&k~2roqFS$7=B_^PrK%6_<2iT?mL-5X9i@&pRhVjIekX}SaH6q8~t*1 zPvi3}UT@4Nj*aUWTwoad;HERoG3xmqFlSH0efA23Q3wH)BGxW#pdjeX7a=s(z8AFj zMlGU8UP7=PEQQ>eSy=AtqOxw7B5ct zuk8W0UB^f*o2jN8>h228JpVl4i*>UPWmL!RjpNt6DEXGA83wCp>mm@`3;snt1j6I3 zRHL=^8IhIKIM)$B|DI?uxZ+aFPhJ5LSsR)Pe5?YWq?Fe?C>9tZ!HTc{fY`mIF>H|M zt+pT%Dnl!Uxh8|g#2D@IYo(K4Dobvl-Wm%ayFf?D})j|IViYHXSUD==HI%#uWg!c56Lp(gNlJ+Y3K{p0pRouE33pyD)4cQ<&>@ zg2t_W+RyrxpSx1J8-*qeR9TP|Oo$_3p+la{N*za3_SgNLR@^~%kNMICzS2K>KAaUg zmr$184g87LXfFv35$Bj5?E`wtu?;|s7KJ9EfjQXHd%_ko)rq)tXvfn8~ zV2j1gKdlQ&zaSEPV8gn%KL}1J+P?sTofC&?`*UoswTLQY42D@T>dBXJ=I<&6-lHVxnK=w9A{|y#+4f<;GFx^qL-z_`AJ=ztP*COElrFBA z-)~Yi96q}u&cbj6-dB0;Qn~Ga*?{&Uu2yvtCJ%;4NZNVHF*yosRg;ozDpdhbwk7%K z_ulB%nxM|~)ROx4>wQtDMus9w{(h>RSZ)KuQHt`{1)>rKqWj9AR8MQ^w&J6M$rHniS zbB3Fs(zx;{du@BcUBW7TJbl^Uu`f1p|YH?vwYtISI$!-Pn{ew&QOC1+r}FgxK{{sh!XEBwqzP{_V&+Ca+*>Ip()$03|`S42;_^`fv18m z>Zlft*mZJ1$GwUpV6*jcOl!f&Zbh-kc`EmA1vQB)y~ekpS0-Y*G9wgb0rEbEP?*wd zPBXe;^~9jBzdlL+`cQaJ?mmB`c36-3;;<~F4$}}OSQ2L`qN)O>s`!X~3Q zNY>6%8z$a2AAjmCTAmDa${sX_i^5w9oF1~-J+wnt`d|Ay739`HvWw%WeOJ7}Wd;PW zK)RTfY<3Hedwk1u5uy}Bicdfk37)+0pEGu9Ye1Qm2I>=U8XQLtOsbRQKzg1kJzw0pNWvom(y8Oy<`oxTP9#o$(t(lu8){(=nnL~>$PYNTPV%g3b z3di4I6SPZ0zmr0%QTv6)tWz$F_@eWfY@7*L`ZNvyO~dAYshPXgGA&JUMdOdX7XV~N zBotd%*Lzh7QcUBpi5KWP0iW*nX9hCipCH;X+iEk}0_4+JXQ2lr!A3?LAMB*5`A;$0 z1MVZZWDQ}WPL4%&E1lqy=N-op=t`J*}a4!&Ng>H)ApSnjI#og@(NI*XGi zi+h@n#j74fQV8QR6+h4Vp)qGU%@HljrM>H~c!lF<)@tQW&XJ62~z^ z3jlr=EwV(Z+z>g%B1EYqU{k(oV!M>UPvC1(lzdYui=-DahT1H67rzPrMX&>aU(tVF zb9V!xRQ^&yw410uT+{l&40sXmG_!O7Htz^ekt$$?Dw+=ro`G8)EZ62<_sjJO21$_` zG$qokXUB4YZ25*od!hOj<#WTiRv}kiJ6Dujr=8F7v;C45%fJ?IJN__%nw?shSPSTY z6_x;@6MZyE%ifik?%ujE7-spmM14aTn(UEFuoe}PN8jO>VF|ehj$`}G-xsHKd$c!i zKh<+-Mt&RE+jfPtQ4P?zbhxlMTTsrJE)UISr_16m51~!T7g*w<57AIKw3JG!CO{5> z36MD`2D>L#(^dV+5aF@>tIbs{EXWs3l%)5zZG_7(l1{e$;%->T=cE9REI@qkHw$PJ zYmusBr!(-`vKB#YJ;Gn_(19+N@PPAA@^s^n{wQnu1Km81R%A>RsyT^t^h&t4Z2L;{ zM5FcdfO5wdi}y-DO=EMC=N!Q`brMYNAER3&BnJJc{jG{E8n(2eB6wtx6jc1HFtqano7wQ&DO 
z0*AuE#n0`8$r>Amszh*6Ge1_$e!Peox8C;$?s%UI*o4S2e^hAk-3zoMs6{7JYdLc9=G*$b(Bu%G{M zt0wiKkq##d(c@WgPXBX#Nan5lr$OWKM+d)4NLupNZzT8BifiX$jcO8x>!kEh9)r$g z?px0zmN)(5$%}lzn|}D=gFi2vI_L)ZOCqAq9vf-G9&OEvSOPkmzSyjb!|vq8-vkck z?fW~=quS#Kri(Az@;ED^y?S{YB09#_;;KXg9AVs~%VGt+Jkt$t>uDtn;4AU$Iu~X= z4Z5PwXP9cmff+dR2cmK6UTALqrN5rfyF#)Qwq~DWc239GADsG1tdA|bnLF@Q&sCUZ zPOHLZ-lu7zu$jggLe9BB&7tSiR4by^YflJXI_FBqC;Yt@Ikx|FJo&eM zYa~6@p%|R0__=t1w2NR%arQ$}gUi?i9RpZ@bbvh+$3%_?l{^gSaW!&Rtrnrs(~YV(vedODKwkd zjTGMfP4Y}2>t`{*a3Y{xPNmUBjyiO`>>0Fl-Y6<0Fyn#v3VO2B0lh^6v#GTPebyR5 zq>}-28c}=mdtc^0*efc_sR4=ks6LVY|VD}q!(|3ShvJ$QyMr8vK4Z!kC_Vi z5l)@G(nQD-{5Zb92j2g~4 zc0e^iZ2hIjSpsf!k|#0j+hVMy2TKe-$XyNl&nmAYFBibQpTlH%-gt_~2KE~byEh_@ zkHbZ+QS=7!k7RZ*)j>QL;-15y9Uo3d%1o7u7o-Tad^OZN!|6izi1PC}}L zQvRiUI+C%(wVJSBsa{)49*HGn{XdCA+0B&?pG>(3asNnEbNx!sKHs3D+fja@X&tL* zERW=tp?okQ#oWiMYY$w%O*Fr5*LCMv`{_)cQGdo@=OMK*=bBr@Q%*xoj%kL$Bmo7T zeDhFurVL$5`(d<^V8BjUg1e*-cq)m)(%fqjGYdmSElx%ZpJa^F{nEBS@@-EvRAQM@ z@AgCk#w?D?mt6cNyD*sLJ}_i)d$>uCa%Gzbbt zDhe|j3|cgXKn4Ub_|WEF)U512&O(*h1$so19+LT!9(f=Dp`}O3B#7XQvMR$`a^0Ia9d0fFp`&VCCo#X;*h|7O6ls=o2x-faFpAqe^aU~Ml7Rs4M zs0LVA3%vw!+%_*Q?2&%0BtExu?Wvkej_~yYn=4aU8B=qeCuaZ~<*tb@Tgka@(<)$- zoqOyosOwX~$;5e$0_+sBH8( zmg*yd6oCfNKigD(GsiFR+n%`?R+XOJ5N{%viN}AG!tPsBkEPn-Tc(R~7${3mS^#Pp zokDCgc zDAu;X*UnYBSf^C-J&SRWQX@o3{xA?0=#X~_AY>2>bC)jU((;zJ)ym3Qr+cS8beWT< z*!Ib2!04Iij9f^MX#<5T5lMatjhM&P%vYRLNC(-zYbxrq{;pIR#pCX?`6bWnc!#6#gGJ`rJB)FV!BSF<*>7 z8QZNiy6Ko)r|3|jS`R9TeQ{51MdkZ(8l<`Zc!O4Bicuc-@fqZRDy~C2Kbf=f+|a#G z9OfuL7SX0alf89MAFR8vvx>WGuAza1Js(M;~A}|H$~R1F=?gD`Hx2Q z23c6svXCNFk^?eSzcwY+7}1EF#?BYM`$4az`_)hDFhuNtz`+{l^NJxD)bC>)Fhxr= zOV6#_t5QpOc%*V83Thx!HI~eYW_it6q3y`%s!7BeTQ!@neG_R6rVxd=qerw7Ry8a7 zt*=~Ep=h7Xp^>n&_r=qv=;I_u#g>%{O-0k4bMfT6(Hb!E+rA>U*@$ZJFA>ueF4bV{ z9F|e_sfx&*P_oNRstB;SmwW|f0lGhi$p=rv!Onoh?Ek#ddIqK`e5J!kH}BStuIBV@ z5db;0>IUC65-sB8XXxkwWLK~K20w=4Ox3iLk~+Z_oP^O=>SIAILHlD4n?r@&1AEWn zx6UvTTP4w;PF{ETOQNPY=zMj*I(`o&E8c4#cW1`rVBd61$pM72-t{AqLQmu{{>^3N 
znymG;OjBEkK~0G7w61Fl;n8aZZD1U8waR={myNxYNClI@M z>)0FHHy@pVJHP7Mid}&8sI}Ka^7@2cMS=BCXXhFq{Wu69QS&xvIKv}%La`TAgq%^h z@2bhrIb4`i5$ost(+wW%COs z`>CRs4&2OBVYv zKg|G37Qut!xoQ|yla-QK7mo>|xoIX>G~{ZBg+f~UTj3N*)I-F$f74@jsEZkK$1>Eu zhP%5eNG(pTs!WrlQ_X7^Hl0X=yZ)H6`=Q+Hjp>I*55r}f17?A2ttj~c_4_Hemo>J% zMQ6XkhOrxSTxCVOi`p>El*BQ5>}BWMN8`Pu%srvcRNv~ycG_Am(cDimS#xuWulT2k zRM&9NV_Us_22>voZk5ePv6U-NtCMLR;ec-x$dzk57wHpVg4<m1uf}!wG#{rJ4 z{6D6eA6sBPo@IZO)d_G74$KGm{R)UNaC*NxAK9!Os22F59tf7w(Masc=aWlgXr@JL+pZWOEs%B zgV1_!%Wac+_aJPd|LlL0!I)m98gbpK*RKx{Lc`&XIMJ<7jLjs(u);kReMWZ=D;uQc zkiLd;SPWQ)x{a@d_1JUOQtpWFxT@x5O9UZy0Og_C1bJhLJ;<^P(X%+h3`#5CX)fb< znRF?t#UG2==5c3E1us|G9CHS%8-~LOb*g!p$@ndFXginjcf$&qtjv3B=mBzmK*xTVZoM`w(g`nEov z?bW__B$f=HPN=i-Q^u4KLW5>j2M^+~NUO058s&S|)P{_czP17AdwB=rO@2kEbr}>8 zk=b;8AH+t!!$5aol8HiVvlPtFjNqhB>)Vy$Hgh9LxG{a&mh9`QDNIDhO)hVbqq_|Z zyyq@BC340->i3ykL@qxOi4;s?p%+fcI)AYqC3Yz7OZewMLlK-b&DkO zwGtT^vLwFMNVb|s|I+|4q{eGwdb$*Mjj_FRZ(V?vJarUJD;ADWufJq;>mG9r!y-l%59l*{yqfjVc< ze;u$^@mIoSyRI*s?N5}f^tJI!;aW##aV)Qfty@^5wKF3M)O=#RYmH9+^kx4V^+D)= zH^x5aBtefEvBR3iJrrOA*&QBFIgRno80rIdwU~V2{|M}OcU?R~+P*P;HaJ^`xLP*z zf6N~H{&+r6TD53Oh5%W(W`Nu>;!3uj-x`PRfJVu~+Is+atNc435um}xZ-LTx%$xII zH(9R;!B>(a#$|21vJ+M`xWU{x`H)buxKl(P1SWcSO)u8Oe3B^sy@cY;pWpkaTT<=6 zU7W%nn7L$$j7SeV&1{r`5sZTSJ4>ES6h7l3P8gi@Xbem-?VFOy^!jw5@z%84$E=Dy z@0BhoU$M0ev=z7@yJ~rQ6;hNi5h&zravf?rY3aCiz65J8E-p^K7muV_IN|0y-L(L# z-<&?$Ppf*4<7v>#vy4K)&7KBN74d)LV5A5$PkU@wY5frV@oeGFNS2@{hC6pkj^9gY{SR;FiP;y{l@PpWVkP*-ztCy{#`fBL$xPHVVHUysS{U?pC5)Syh_>^PA~MI{&ftaMZcG z1q~;Qdu^rZTNTdqx9bOT7a>6^zsSjUfURPfl&h^%46vhw#kGj$#OJCHm=N@xp$bPzR8%|XyYQA|lY!TZ=8BhRUbru=`k)mYRoCBv^;YKfnIQR>)x z)R-T!9VoW+y-!|Np^yYqG%4G3JM3tC(^QiakL^lq&{|9qj`NQsZnPSUEhU&A$t8B= zduzH1x|L@1MPaav#4kxDNfjE+C~&Q&EJ&NZj$H=Np{{(d=WytmKw-1H<920DffAEH zspj-17gc+QUpdyAHZONd3(#DSWrV;w3!E=d?{}9CP(e)zcD%cP_CIEEOp7!;(8;)f5dW~YoI_w6zaKYC=Z#!_hubzhf} zxT}?iW+pf^!D`kI)6wL7()>p`9X+F^xG`6gHCk616rN*tYQm zXj{*Ok)WlwO*W-4Y3~O|hZJC2K>V&5^VSj@Cgj=!E{)H$gEja2*n8wW&W 
zBvP!@n)MwPnrHolRF%qSW);78Oov15PSbWRb0hQkct3Sa$t=vOFL|MJJ^?~JQSGy| zUbZh@Fp+4G{FNZ^37AmE5uOHq z?kwPS-1YSZNh&lEXO0_rmSXwa)h_hcB4oNoSUuVHnc71rz;7GYK`?SFeuJ=7o`j+& z7ILd|#hiTrxm6UE(g+FsbZ9|fkd#=C3G|6eM`Uyyjc%frTJU6d%NIu6{BowDp6OK^HM>fFA^j zO*0g|1f}E9y&J^5B`Qc5eWZ--P6j*OZ3ME$TM!TwL+b!6x}b8T#F$%K#+UaCbTfDb zRH{r$@{yTA%(9ytB!($1_FS!^-bVIGf^?-Hs%$nQsm+z+L7o0y%x=h}Vnov3zX?ie z7P0unh^oC0$TmIy{7>j)T)&jE+BY#_0VA>;chPI6vCvM~VXC50S{Fmnm~DjGwYj!@Y2QS3M4FcHOrDH7@f#8h0lxVL5Pl za)1_Xuok+$;!D(TdDqVz7wl6s2zWm@$<^JG_S${Mbz?l%NP12-Tw#@c1#69HYf;0j zP-~nGazu@q$>2O@ipHye`PK(iyF~1bU+;lLd1i60)fj@4bABvCsqAWL{X4lFk^$U=xE%g=q!|7z`v_5`>=uZ93Fi~n`)ELcFs|aJ-nj@DbW9aowZqdB-t8qZ6+I@Ig+0gK5ak6MZ^w z14yb5XAFhcSvn-~k(E^;xxpA^(NoC~cyw%j z|BU$CCc^+e69|{NAwvF%_=~g*t797nP9?-qPl}nCRCO|SNWAn6TRU0=i>lp3YcD=eoNb_kbE72n|frsos$srcNciSTM3}qU? z$kKYt4Ry5aq0sEmaj49~N4<+vN0gzf7v%MnZB~=uQ1XPvH9{+X_cjapr)MxwEF{kU z({V;`U|eCOcwJo>oUGnQby{z5UHIv zLZg8NMGl4{-WP9R<}|JVZjLcn4)0vAa@F$5@`qaJ*Z4AlfyrJbiRJ|d1xt+!)3@BN zXnBoDHu^$2_z#mGvtese9?-gxM?0srMhT#(M#9M&T$^3E33Ez%sB`RG945C4UfTG1 z;m2=wZU1B!KGS80l&Z!cTBk4tRL=}^|=ODq<8-Mebu|<_3<16anzRi9tyFg zs|fx^1+V6nRUjjqvmVg`e>fvs!Jg~vXSo9r_}+_$8e_p@4~FB+lj2)vyALtj{8d&k zeT)h8rwtUO{5~}Cidf*aGiR6)MjYK5bKH3j=Q6oNVxbv-?Y&K^@9F;@NH?(S7t~3| zV|b;DLx{jSLYtS*Xf;YR@%ppWyVk&Mz@xuu^BvYs3&8~zq;YvDj7YDZwkwDsZzFr< zDCIkoct=K*)bR$FNzZQAL2d-dhW3xs4i&Cr+DV+pzURor@1~S-IDhUa6qDw(UV^C+ zQ#t6}X#D%i1_P|Nm4-B5q+>%0;z}}G)QqxE`brczr>^zU<*@2@d@zozPwdr;#MTS$ zKt$`(;Obn8a~sB>v|DGZYq9+>V!8XPGxL?u;>aSvQO?4{cin%*#08ZyjnBjtmXb}Pp}tO=h(K&e z+AkD81JtxkJ#I{0{Zqb~wa;-FP(;{@D%cm_`&hZ#_H;avW{9xLSPXnqD~K0q1Kgckg+eq zvsQQsx5|k)LdFcMg8q9~tWn&UVFAH=6>SS$p1#=;aR?jry?TQu1il$S)A%q-^x$)N zv2uOSxk=S$giB%>)?>B1MCdO#_b0}JwIuw%+%zsCFc0 zSao7!Nf*kjoSYl5+x2K)=TlSsVhf2D3JO#UGW2~X!kh=G02v&!<3(a`9ZIg)-FXX{ zS-Ke*yRGKP1Uy(v(8)@ILFES=bh7m2ZXieUsfpiuTk3yYIv znvqQe_>y^}i{shPEOHbY&1Z}$S}&ab-wLw7o{OA0THSxHVAeKm zx4k%Y!QDADQ3GRtRTusJ9{1*bCn#E?ayHsgY@`v&(0kTkdC?QB>Z)GQH#8?#jRRD| zBF--av7$C)Ft?E0mktdCwzEfH2r-YQxEI8MbthBe4TWnJ+jS-Wc*=9oFkw`3lE??N 
z+ZQaIu$oQbU@KF8deLT${{tv_Ou4 z(Lw3SMo=^2ba1D~%v_sm^uUuTU`GJO%dW@|+>C;V!m}~YO97NvzL}igzVhicBadeaLjL{w9=MJ=H+?;&bi_zYlxl(M-4XTfMslzQ9Y>xo;ulZ4gQdYxRlmzAA^F(J7NPZM{C8n z-Ty$7%%kcA9C-^X0C)V(`(3NLsKc6O(d5hAZS~IgkAAR0EGr0!QY$AslZSuKvBt#+ z84xqLS=W!6_?aFB0Mb9Es9;-bYB?dw71ldb|EwI{A}0+&VB@9<;VHyWJvCvjyz}K& zDJ*PYtp=ojwl&9VBlGOOD&Z}%oxMwbY^XlWH6tx)a~s$ux^XpWT;8hzaLd*Bnn12SX(^dz+cS_9@%{dXzINr` z8hm4y`GL~|)xGTXLZh$yP<^N5!@ODJ#p&H{!jX;Ey)a=(S!WKMv*^GvVbwV^YE(eo*rjgaIt#Pfgwc^Kl`7#ar zOCH)_1N@Dav>^SU2~kBBf)10|1^Gn5#+kFg`%5JO9F;Yb;T0)2K;m=jnSzYb z2r&WhP*hj;7*3vF39NhnNT*H?b5P+=M@MEkHQpUpDlLX3EYCuJ^PdW8yrm46-xvkkqaG5B8#&5JRn$pYzr6aZQWC?d$bR66C9N$QZ8J$Z7fbVN6!%AO+s}ZY|#;P z+2}(xp*?c_!g0`+k~t(YJO0m03`~@flNn>*jTespPj+thUs&G(MHy~-z6WqSbtB9_ znk$X1N0O>!^nU))UU!@C*w`Wv{fgUt+KJaHSF9}^9`P&!sfB&_uDV9nZDj&Y-9Jjj zbm|leroK{MHzo>Nx)Pmk%K&S!P>|@~@JrbBQvH>87)Xy6UNmb> zY-lDv{d7r;+_H9v2<-6OvhwF-O6BOuzoo_L#Uul(2{p)~1qI^wz4fQ(7^vxm#Wu1t ztN&MByMuIoVh*gsT8Iv2+MmS!Be^3*%)9mPWO&+4leLTa*v2~NhHjg=JZc1IeDqQt zgnv5;dOAU~!+dPsT#@RI{u$U4fb>~)JC;+0A9Tqt+9tQzB5V+BJo?JdY126Um17cL z8QJHTYOkxL7%)V&S0ax@Dox`Xfw_rBK6RKs9VHu_G0K2cJzO|`gwY60)kRFW=Km_x z9kL$sN%*yU4kf_x9S`B1@~-j(GcQGx1T!aVP=kq1&ZQ7p(%OP3c2n&)KcC27Ifw)Y ziZ0LlQrxS!DSr$)fR=D}xI-WR9<+d!Y}(7@BUoTaMVIR#EKpPf38Rz-j#T;&Rlue^ zjWQXKUm?5+-XccST~*Wnlep?HpEl1=V1ad~(POWT4khgG~VxBxGh z@JUUL%;N(8vgsV3%+&{bXw5Zd)eCxPO+xZqN`I0@mO5JvFRqAAML2ueK9x)gr{5A= zteN~D;=gXXs2Bdv4=maQ2p&>I%vVW&`q-YgEkL*U>2B{Ns$Gzg_4_*h8<0r*LA6i(GtT<_;oDJ#+ zs^MX}%DzyQf%N+$NU>sUAxN*$4 zjmAjbl&nBYHYZJi$sG$L5OTIqNIOr;MoH-jkm&o@;8bApO7xA6@$v!scjIwWV#%r* z(z?C4EXQk7#K6$Mz)9!bG8`*x7>bbJ&ESJj%R)-)Q`cT*;s&WPW*t{-&JL#MV#M=b z&K2ayp3}A;*4Yx+?j9oo{*gp|XwaD}2K@*9sn)Vj?{6Zy3N{@l>Yrz09xQB!=rY4lW3`BpY^r!Tt5{e zY%dOjl0Y)1o`0q~BBb5$zw2o%dlaAK6&Uuolj6_iWCT0i)ZUp^y8n{xN@)xl4ijw( z8vZ#uIl{JGKi%;={aKasP!bH)s;RI4-aSloJXs|lY?V*A6+-limlzEri4S{m2I%_% zr94FPJwCo)tWQ2I{FTVqNa0o;#tzuz$U{Fm`a_L4LE)z30=00|XsIs6>Cx0Sgp~e< zW{ph_RaD;ue&>X9JCT4-V^!EimmPzO?7h7gzx}3T-iKKZhNLlLRVl1Hwbl0i2*mRz 
zJ>QKF4ZzEe_m@CvdqPERZoVVP$EbJvC`i&E@rfj==#jWHcVXYyIsJX{{WVX1WQ$HZ zA+W9Jwk|nWf-Ys(ut3}PQ{rOA!KOp|$o^I*V*pv7sI3{`$8RsSa5+0t9|He@;FdY5q|vXwIwMc+VIn zzXb1qLWN)&UPwjzeXtp3d*TOdWwa+D4l$f^;{|>d8>}VBH#;(X_3-V!XNfdE1+Gt| zV}10O0t*9Y`vyX{Yw~#OXTcHVi%aGZ5VQI<=@nU!+LpIZd~GnSc_6j#5E{;|?1iLP z(}4o@e5o1QOthtN^=EL*{H&HL$6MZ)STu(z8fHz6S}K5!v4#oCKL)!G3_5J#@6?sb z6t)rGZBQ7GC&P>+cNlNa$J5kK&gvwp4d-m`8Rk*c>GUeB-&qrvWU^n`B_d~Xd6nY2 zZZw<^Re3$^4Sb&VDl^)Uw?Srk?t*I9dY%Z**UK)h-rO`v(Ht&40-oCR|DP`KHJsC} zec3G1DsZ8c+6$sch-~;z=p@syn<^!`%r#1iP*Rc0rN`d@182!g+xq6j{+$tEDis*a}V_TWx%cZc8! zPH+wG?(XjH5FkKs_u%gC?(Xhx!R?+T-+lA^f;FdSO?S;M+f~yIHS*Bq7eI)|{?G-| z{b62{57ZNpN>mvcXC|W8E%~RODj>ZF6a~?{@}E@=5XvOPds%wX9o-^}?lkR=RR*hZ z>sC-lloq3N^=p)i$|8L^o6r(L0)f5-Ifq*5l4MAH&M8*z>heo(MJ2l+GM}3~g{0ly z;8n9W0fplDI~o29BH&~Ofs?_*V;}4S5kQ=Op#@!qM|o_Co{TsXOAACXgWAu_TWy__(rLD_N1kjJR<(}xT1h24&-Tv0*ZGfIeJ!~4ULBya#XlX^E572bzrKmn*VY~Pp-dvunU-yX{)yE!~MUd-c1-ico-QgWueybswJFo#8Jz+%4ePUv>A zvda4X6wU{I{)P#~y7;i2-UV@r1ZJ)Y4h@Y0K9pKFl5lmoul*Vg=O#Xr z0C73^7Jh}VUl=mjK7ChT15i8W`n@^bXZfRUb_*^?^{`IjL&n%aR@wD~@fsI{X`CdxRD-pq2{Dtu9187bN(<&zkA)tjT`Q}r zFW#MKo-=8fJa2b9U~8vVd`I*8&cnbQ$)ZRrq4Y@L?x%0}36wH)+WNCqaRMqk{{efN zE~&fh2+ZX=u~jESMK&Eg$=)bx#)LjwGLw=h*sv)()oBpmBD1(DBY^8gs92JpiJ=TvlR=9(&q_0hnxc)m9AbSJErjTOiDp~3kLZ9o>~q+U*CFtZ4qQP z@)tuSoaJbK_Pkei%YbisNOFlQ-ls!WywXWDl_0k)(`Ze44lsClUt35`9sKLDe%>Mo zU_u>a;6Rz6JkSQ{MjL&Gj*YPcPHrqMm`qYg0!9<}Ys*wEFvr_mUfr>^qW80KfYD5~ z=&WOj#(*TYYLo_}L-_Ku7>zH+A8Sq?bRl^99C|q|i!RvAi|%ZDc~xO&SrRleKOa)9 zz8}$09-~?lZ_ZcUjIS47@*&1tFb<5l22%4a1A%EUdJQ1JW zxm^}}BA~AcoNAoKcN<3%&JcoP6b>x&Y7r;~IRHAW{s;b!W^gLR{59lS4t@>znJ48O zxNiWy|WkXv>PiZ$jQBfHt66roTaI zx0Tfam>?Z|1XP};J3Fns4G_$O#)A>X{oJB+8YY(cwr6`^=km($!6}(Fw|ZpCqIha0 zky_dVu0BRSXw1!bb?viI5O8rDX8emtT{GV6i&M>Y_@)D^y~8v-?XL~Vw1wfl>}Bb zQkcPH3BGYnu-#Jr0>)6+PZQ!z+~yABisM{)t#E`*#4a#{*#F?hQVquelrzU~Ig5Nx zPNQMfKu^+^hRpc0NQ@HBC#8wi;*z#v{gQj!_GLN_N5;13cPf|3LAj?XDd|C2cVU4K zvRVcr1(BZ*?C=q4<|h+o<_4VFI53O*Oy2SaCk?yjB=rN9AV8;r{{TXZ2+8W)E|fKq 
zueJ$1XN-kt87CSpfRE$ml+3`+7!I8}>Vy?F^!KQLmZJeqODNUDTqqSNiqr0-A?(v` zL(LVTaf?qTTGV36AfYxNN#)AID{}5CRrW}AidoyFur%{CScA0WOXyQ|!+5jq9D}sd zkT+T5oO8_-oKgV|O#^-_nxL!uD4VPc0Beg&I{5CLYqB#a+M)EoBF*dO5%8Q9@J57x zh-_YiXlN>cY)A&@k!To@9M4*by|VhFm{xkgJD|Y^u(*!_Ehdg-bi82fEyY`a>7^lH1#2Acb+)9X?UGXC3emB*=EJ%Qm=@<@^t}=-%Y*udrh|pEq!iMjbd(BUv!- zFX0AvK-eKtp0ZmLSKd!pJax3H-b1se7_pnsn6IR0M_6<%;{)yKeochs8bf2@|1m)O z!M;;X16_wWQvtvK#h->8m5PkeLrMw})9BomZAPS7Ydt6MO~M5g3HhH1`r@$Tr02L^ zq~{3KCnh!uHAAK%CK*;sQwn?Ss1!!BMC)eXWW6@-ILE?7sxy%pievIWLYo^A`4z3r zT1(ug4q=9ONvj`oAkIeQf{H zL+oy#BT|9axWW4AzMIq!yhb!p=S2i-_q)P2Sn8c#5{WCE69wUNgYNvt&aR#5ueK@} ztV)8`wR~g6@ia)_!$4}sxfctamZo1e-nNW)Zufbyw!x=rt=&3O(aP3S;3;nyp`6pS zEa5!izMQjNx^sE0@}Q9fOtu~YKL52I-Qa*RQh;d&i0}TM|BBj=Pi!Ol`;W<#O6-zq zXe(+di*8AegVd|QA^-5BvPBOV<6;4fk=X{q;*uSH++Voxd4`bBRT_`CCWdHPyy&C( z*r6h8dDxxO;q%N--M4)XmUAAEq$OrnfF}ABX zp3`>!NuO9}ar38yD|A$!K?vfG(e^LQd+Lm9wFMZf(D4}%B?E@X+j=uc4zAHGEB0my1K{Q(cX>5ViIMFx zl?C?7Exg)@DLleYCkd2uB?y}4*9FhK95$O1yG5nPyc@+NSLq*iRj(8IY5F=&IubIT zMSPLlj&z0oK*2HynlVSz7x@bq7L%mD&M0V?B`?aT1GtGD9v7_>GcvRZ#zR=RDluq8 z=>Ig&>*Fj0se1t=X$tuFN&!fig%+i6RXUL#B)zi{$CDBHL@oASs#K3*8&;q`>I^GHh`g035*@0y z(v%IzyLjuU5!`5CfG6xCM+^Qj?n)`Xcf;R!is`(`FHFwIAKcVe*+#LG zdIny15K<7qYMFj1X!K@GpiD${IR?@W362XTK_;iVW=|lS=8E#+{+q20XY-`U#q6X= zY$x*19c&csJC@? 
z0bPjy!zj9Smk~Kg56g`|?lEbNNH_MMF=)WmTFi4XU(5qaz2yoXCik@8aCi5Q6J2o@ zT?rR{Ma!Jy&!Gl`ObnM*FjTuPr6+`JNMD-y`h-_xokyIPQ}WWcX0V{cAD7Ojnp2A_ zm0ElX-aXBQsJ9eKpy&*$=O%{BsUzf#v+EDi@9zdOkp)sXFuf|3)*A`X_oL$Ss}wSG z0sp_is@erPVZ8`Bfx?e8?iCwFg!Xd@G5oC~DFZ^@Ha;Mja4J?y;l=^NC|a?dv?N6J*Iu z74DHMNDK}^tH_sEgf5#L>R_AUVQkl zZ*5j)u};YV!6$I6X*OSC+*&j+L%_`ok$zeW@<=QDbLsl6l1_{5gmt2Wb`9{3IR$NQVUwP+>UBA|4N9# zLdU&#uI}5m%DX0F|IPbT8PbLh^|zPdj+=p79YsqWA57-NM|<~?2O7Ese>&o!qkIvr zE+KQt1l?Bu6TZ#Dx8m53+E#&aG`vHTx0mJbupSiO03J^>T^WCZ*CiojU71Ya1;|R1 z0115nu5LyW1Z~x8D2%8r+jo3E1ft)=bN-jhZ3sDaWdL7i1`tG&as1tWVJS1)<^5lX z^@}qC4uojq_`%uHeV$EU84#F2W5KmrcBlB!@oUB(d*~l^&V5F0w5fDYM7&efwoYZv zRFKLjzQO*5^&B|L6fa`fA*z^ACLhTYB$!qH?4)@Bczn5UH*`NYQciEI1WXD$Z@pC$Q7D^jO@Z$I8k_`zl6FEo zjg#R-9>Im;tn54FUcY=#gs1q9OPo`_kTuqi z9Vd+M#hO(|&C-DDzwx3IX!HRg)Zh&aUxp0e+7pbZqHBv0dh3(T{$h0JCxha0&^RUN zFSMXyzi;?oig%*Lm*Hd1mjN^dT5MtftqS??d$8Z#NQCA@ZBZI*AkVdrQ0XD)FrLp_ zl3h!C5tpkV;1jJsYISI=wTbBba@fHxy@*vIdhUfznYt_$t+ zm^*<){HzKlmJPn6S4;cyRsOWKBN%VmLbh}6Z#PxA_Gd;)Ex1#H%WIRtwa>pjMinl& z_u*(#>@LR*H?OW8^N1>ZS=}qU6Bs5;C=~eHf5?dCwZ09Ag8q$UpkkjRBREo@Wx$uD z4!T(ZdxEd(qO`tTvK-d(5XRPtuHWY0JH~a+LCo0wpA~)E*knMn<2|Zn5XOv5Xf1pN;zQ z_kJfQgk2OJanaoE}+Ftn`E_j ze-!2>)J+_|!75C5l7VZ)ggy$7Y=(}g)A}Do*dVnkHEhi*fm{Hzfo^m(u#xTUTnBmd zI7w6hzPoVSUG}hBQ+I;MqOnu^LfWe;!F`DWa?i6#GK=;~53h93FW^bpk|10uGIZoV z(RJU-`CVCuRdb9`5-|qzo)+1jQrpJ0ImmUjqmHg$)kU#aANi2;&l2b`{L10J3oaxt zYJ{`M?%nPQKBikq^t-54;g=s5TWey!?6crAr^Z&ld`n>kox;RI@+vw<$fzWXWWSMb zG)EI3)=%}Y?mvrw8?8kS<@slyQ|sw-7}!~ICV*L*8CQA2MiQj}?aFR&cW!|tlLh@I zy_|Y@JRjkXmX6^B77}!eE@w9)y2r{i1uhua^DoqKKZTh`sGXCXr;~a~o!6lzWs==@ zWa1wr9j=cXbDL_{J8xs~%ZOmmj8eISciq@<#(KltTvFJXVZKY+o1$v_k1?UhEBwBI ze<6wuS2I!P<}48(&@|Nd5Oo=HQ5XOy?X^=mZraXVduE_aU0U}reu=5+vkZcPj{If% z&WI{KyX;hXP`Qk_W=$9tJfCIfu;V>9{0dfQ>wWpZ)T}92)?1_`~clH>cnIvt4Cvvstp*4*W0~e8vydE2$IH z1Gmsf7~wRaUdd-!7vL?Y0ZgUtC_8=g+>C~qP8U1Cz%J3oLedrggR4ktkOcVeU=k^d zWBs*nTH41q^hvYvi``q{UQmwVi@No(zWR`mR6j8}r7^gW!A3*4eT;a*Ee|dF(%Hj4 
zfkc1kbw-hu{ExiG>Cry1v!KlY<#qNMD6jD$+0n4Hg^8r8m^^4f>)$KKe%Mx`ny2$t~g++a=;*>`G_z0;J` z9jROZAo9VC7jdPtA8S)N$pi{9ya|_T^D7k!VkLTSFp{s_KdCK6SHfW-$RJ>`z?1Wdi|5O01&=X3Cj;~ zn5^Ck8b52p6QOq&!drNV0mS~PW5t;kz|7SgPy{r2R%~L7X3vIzqu(y!;6(JK-yZ<- z*(i zP%zP9@T*+W5BRwmn!4e-#aS=sY}gt+sRiru*Kcbm!yKCHI_mBeI=g&{D*8j2<7Z2j zcc7OCDL?4pjwUqQQCAj-9$w(_JdPGN68B!^eYt$@K+7Ef)7oB8FIq-ls1qTA-S5MH z$?mr1Q+6jFSr4U(2HLA8E6vmKZ%r3TYmd!p_?duzeGcUd{6Nr0`m1)9gW30b>O;k| zjHY@=iNGxN=Q<4muGU-i!B0zX9$#5orK{XZb&-ysy6%Bnh(pxCI?>`(&PQZ9i0cHZ4B; zUVd{62B>zpp*v@j?bWH%$CN+m48A&>3>s{CBl7@;thqf$ou+?T#S-xUf1K^DlvIre|WPrU+RC5c%o(M;A(DK^EY5+Jbp5Cz4=W=t6O)j zlvKwRG&NjzHh6VN1amK0)Nqqi$NtExxixA40p#4JFvozcFS%0@_NjAzW#i4`5Ua3k zQObWC*2IloIJt%JEdChtLjU7ki(*bm&d<$NXGCs&+;}1ILJ@2#a8+@C z-8Zp$xxLbSOMNj|3P>uARij&1*U7`hVCsp7zz{bG9%;ND+Jz zeonk~Q+T^_%$812qv)uX`>_Wixq>FwkUZZAUd+7h~_X!cNFiTgUA z2YFfY%Tpt*@OXL|c7^?NChy2R;Fk8n{Rdx)AY?2jH6R zV+kqfXGsN8f`X7RvVnjqzF6Y1KQ)au+6X)V>k8;Jl{b6g=c_91vFh_a$ednqNSr^R zCOHM;o=t$O~oH?Z=x~ShW)ha)rpBRKuf2$f);A;p zrbu$ypn(y8UhOps(e5QXl0C5Y>jtA}Ysv?~cE|z=z})9Rc6@aL`)QuZcZ51I;H(RZ z{+|W!o#puVDCGJB6^p8Z9~5z<4di*;2|79w~TmP zP-94jUWh@!g#QPK3<^;#EK^5wtU~cDwOA<>F)4x@?w%Cx;F+u;3giV_)_G7xrO7pO z4K39+?=P^Szhss5^Ia}+%6dO3={Ppj=b2Z~lr!{BLmi%I4Ow}&gk(tQ_*I;A_sCKe zeV;4?C_<7T3q5R|evktBttw$Z0lx$1pDF&pdJ?s%so>AeXja|GFI%qG(Tpn)c&-T# zwBu*deO;2!OcK?rqO7-}ouU7UZO|N`>{FHjy^Uu{->>?A(Ce7UJ$IMDH)!yoPA8Sn5~jB9xgxwS6wa8iSq4*WzS z>+#21&~W%IhkqA569zYD0A7m$sY~P}k$I&x^h7*}IT1=taA+#2yChQqQlA$qgQ_nRH$eK2*0N@a8Y_%f2o* zeeDetISt^Tz-kAO$8RG?a-Fh+ZVlzz6b1)nU?#rQq`d29*AIK4zaeqE+vmAgjsDhq z&ppu)6nRMJ*ZH3$aori&b*c#26)28h^F)60D?^tpOlcHt`NHrENUieEjL*u6NJ@LJ zBduSYE*i{1gvIBUo+m=k$y0ReSI=E!19rG{0&Ki1S4J-0o6R@hw3fs`Izs^y*}s!^ zb4=(ch$tyvT657mxVnX zM0_6vlaXox%-Lz3xPARcMf5@pRKCBJ?YbmDweSGQ5((%a1~Om$Ai&VUYpYog?Gtp3 zpu<`;Ie%O=_oiQu6>iRH=--?EM-tj$4q~L^3>pJT!f*r>Q@V@@ecT@Ex(8rEuuJ4_ z&RK!}BvQky_*ciLMzw(N_b!B`PSis~v32`T?&TV_`Qh{-7EhpG`=KQZU_Af!sBlVc zuH@`oS|R({ghP937n3rX`vQm^%r8ELalM(|Qv>6e( 
zdTIzxEe)im7Fd!Vl5OIE3$KBlt_jWdInX5at{|5P{Fl8lQQD?2r{`fQA19l%RFXt_ zyR%!&ig1h53t$dLeey=YMMq^*bkp&CyA40yg>cSQwdymjiDf{S2Kt+Jm3I9ZGn(sT--CHvx4ZqDe+9M2s;~yZDET3$z$@?B z7kKj~fe1ZJOJ&nP&=n#9`mUJ393MPGAfbQ1e<85I-?b72gy^u>1MIB*>|ppwVyn%! zO2`{VK18twia_hU`mr1;JNZlx03H@AACuqye{>V%IOlO&A@}h&9Yz!YJ`0e7ypG%= zgOB#}m~qpOFQb=&&p8G^{tGoFN?DgHyTXD9dl@8U--d8bj(3JK zM5)Q|f#U_&`BBt$2scJxPs)kd_mIY~R`5?@Oa&%S%M)*Uy!Q>Y!3cB!6W7)gfg*%I zF2gPR5*sslERAT)xV(p0EJ_s=bl_iKhL^---&J2h{}u4rmEe#th2%-_Tev+%&mgf_ z__0X=uh^?T%85kE^ILM^%Hk}=qqZaf_KWu-YJpaHg4W?iYC4-c%3e(*0QVn8V+;bM zGdv1xGkMV`r-^9Os|sX&Vbck#6C~*%7+&hkS!Q>S*WYO zN8nFhumo3B)WW~BI0N?^4v!MtOJ2-0qr967PsVfTDLFGv6p+ODgaLlZzzTTBQAGkv z^ZP}Y#gFC!u2A$8U6i>pm~J2mc>l-8+R!$4b}afT%{1&*aFsk4*AHQ+Oci6L)3u&nzJ84oK4XJa3Fa%;S>~$%QwdKx;ikq)4LvHBA1o(^>W!C^ zO(&Efpmvo%Uy`aX|Jx&(3_xL>UwrJlZ=`D2g=d(S0t%ndOpOnkS{3ebtV^z20S+r@ zAr>K&VgyWySBi_(WE zvr#JD)|qCTiiydKGZqdKRrVaR&j5Yorem|vx)Xh|6O-4nk0 zKMj>W0`^4J!%-en@oeb|@lhLq#WBO2#d$b)YZ8nlVeZlIL?3Okn+V?XNq`fdn{q!Yrpr;CGW-#?7as=1_?vv(-G{sWVJnieDFl@E-0igsc0ENU(jkE zpGZMle1FVYv-l%jC==AeFlx14l@vE(o%U@N0%zhwaf|UclKv`6vneylpRd=vBoS z3S=Y+-q_vIdP4{GL1}<4m#Z}`kMO3FR4fU?o+I~1&U|2B;F2tg>wK^?iUOoqdY;=& zA+m>4d;G~u%VHWEPWo>cyDOr=Hvca!Vd!` z64apD;s3J7o!Ov;en`_prv4!!_hLKdP<(?lNr3h;dt{Pt7dtlDY2?gL6NggI+>|oI z`7skQwIB++XkYpcgaL6#{N3HJi7Stf*7@=lo!wTwye>g+usZc5G`|kT_-v#UD5Vx1 zP3iwmJP=u!8h3efYaEaf`DFnHkBa7`pZErJ!+`r6-ae(-E|fUcHFOazKI*30|B%5| zi#`3kyaN9)AXAMkGBslv?A9OLlP(7^W9o;0Kfi}NvAI5iLaI%5gJ^IOhS%2-Q2%T1MDg$Eo8721)!=-uR`fl_nLjYGR`wi?PB0Npef z#9)?zF_R)kH@l9K9X6lL*PUt)PelRx@KP6%Rf%`rd7nhvde8pW4s_f@Dy{dL3-I}q z$GHzRfT5_3qz8ksl>ywB(r3W!{8N)0>@GFuMIkat=3|aBg~qg0b?OBtY5PaSf;Gl^ z-t;#-)?{BmL#btGRDY+|ZcWQpS=F zT&cs?81+bQ9JpYGl9qd1=R~e2AtPq~f8+5h!s5Ag=TDJ)QOi!Cp0erAL`33N7R}PO zfuuINh{s#Q&PldU<6Z^b9@$hVeH2|x*(k5a_11fRd%{`DLIBe&N?&-o3OQPB`#Pq2 zGv-WwugT%KwgF*HG(TA_=cl49PQB)F@|wtyIf2QLMPKHA5iP9&mADC;i^#~tj;vZY zXQ`o3(mzvqu+U~&QeS#Ivjq9$dh1L1c}NuG{svRP&**8gAsooF{Rp{7;GO^}_}gN?!IpO3t_L_Gtg*ool38Pu{KR^W3keeJ)zj(a 
zq=d-w0Oa8XoXHw|JKXAY-{&|=SItw)?Tbq47xoXdNPH4{JTkYD5ZrueJ89W7c=ggg zoB2^3sB9`U1KUjKCe3a>X21kmW?D|dWB;JF_rQSTa#6$ShpDB!R^2u9hX~8${BGf~ zWZ6h%PU^M@za@^r{(s#**!C^PgV9*F5!lS38Ro&jX{8V=;DmbeWuQr{q7Z{}W|8d> zjm2mcqDUZ+G?#B@rMO)X(7hFYCHXp0rpmtv{(XOP=-DF-8;!fCo1JtzOLDxk^N-cW zjeDc$!}a$J&Q*4ckgD5o3hb=81eyJDFLCLjFw~E2pa00J8;D>&1B@0&A!SBd|o33c0$1 z3Yp&d*J{ZJc`fgDO~-Qj5*8h&Z-~YGtlI?E!c2+i6Uj_G&}K%I2cv&+P*&>qYLe-9 zRhvctEDD7&j-N8ZB&V_?-ZW0A;eCs~5;N4^9uLGtaJjJ{`+!T!O$YUV;AB(fU(kK6 zt;NedEP^~)1pWmN7-Ek45QAeT?ao?KXB4`}Jot+L6~WZgbilET3-|gy4}^XQR@L!fYb{UQq)_Wid$*9F8(N`x{n{lrgM5i5T_#}Sb`d>bk(--v@BvmVm5qZC z`meZeq*FiqvP=!3gt#^3l^z>QXRpS0Q+5JNbSsJ$RpE+I+a9o^Fis{6>1nJIxvm`R ziS@VrzYiu-F`cc}Wh7vkzh#);!0UI+x;BV{c~OX8b&f zm}^&=I07YA`MFnJJ?xd~V0Fd#F|Ys`yWpX{(TC4+a+i$6Q{Z-gIay80Nc1xSrxO5F zp=Ygu-EFKU3)9h)4lUw@fli;;03GnQxz1!Y7%Helff}VsUMYD;woz*QA}DP&LfoLK zO}vx+<4u!i_$=&?$kT2X%WMI=UzMWOXo`yYO7Vo=_kBwIm{oF~n&}qin>=$ceS}A` zGIk9-*FWsJ^nQ~XzwA120ES8$Okgcb-@YU)SyLA$nxT5@zvvuyEOkYu3vlSw(~?*w z6T1vZ?TX6@A@5`mev&cd+4&w@(|J?PE&e)~jBsCTO7>xencL<61EaynZXw~db`>88 zjQY{f1~qhC6ix$!WwbE*{qUtan~w7su4-ols7FZgP4Sqxh3nO|S;*<1?JcT`OY|fV z`~;0KdsSv3Zcf_XLdI`$Ei-CO?{$}0x2t9&ZS(EsqyyWn*ZFT-t=9NQbS;>85oM5> z+o`WVb8ra%A4b4r6x%v{MS7yH*IW>E`j)Q=o*GQYNR8pI^706*h(L77jFUII8yD|o>Q4HEgr6sXfyw?^<^opat%&K&V z3rM{*_^KMoiAg@n-vRywt!qVS0_&~`!E|smh4j8?Ik$~Tc`f88w{>az^QvUjrFt=a zHYDijUJ84v|0IA2%^YZ~!4ACr@L7wGVNX#*pJ;gcO($LLxw(IRyM9&1R8$hzRC^rE zHz*vI8)|q0`v$%qc1=4XWv5e0zenBVzPs{^Kf{_Z3&3WpT&!4ITm##rv65f;W9@bG z>h22@lRyXMKJTjed=ckM7}gSIlVY83&C=*ta^fO#__bojLo4m|E@C?8D=Wfl(1!5Y z3Kqe0Qc#qBDOP^?qVf8RC(Rh)^cSZL-raYJfmT(c?I>oIcW$m|^0wnPG$~i8z$<%miqJTk5f@@tn5teEki}r&&$(IYqH_~{k7~_^i+hv+s=l1Nq+IINp%_mAJ6Y4Tzt+d8SV#lZ{B(z&D zIYCA@5ri(RF===XvTR~3LiWpxjrR6q52l`1)Ox6@8pzec&)GX;in29`?JFwKl3sCSnL8aEuA? 
zgsm!n$bjaoI$Y*V)k01Dx;q^k2XQHg^6?G&BFqhm4H7kGrXl4P%OW81CBod27j4(7 zEWmNyXU*#1l0XMPuigm}aqL8SquX-Ck81MQ(x;oP$%6>N^W9|3%1#O6(Q*6nACp6Q zCdk74r+xewPqq3kc4MrNykA7B|Fl!~8x4=dc$7;}$!Ga!|@W_4Vl^^)LPT4P7M z#&a=fDQ%V(IAG(tWOh`$JYeb;WRvRRG+bR^Z^ht?K)JhiBX~BWEtAFIq`$F`s$u_O zl0oH&w*Wi{QWe`Ou9@#36Q!KnDb3#A7scQ+PChcfINqLrkB0rDc!L7p!6K+@Vy(s- zDBmD8K%-PA!(5Z_IGC!B)U;w#sVa_v`Qw6yL<+%KQmEC8Ou78U0|5ys_sF;9 zoU;;9J!f-Rnh)=5V+qI5zpg0t4Y|HSM1h4gG1Z1efbQiv?BCF)2p7ffXKZbkhUW?I zBn?o(!5XC%(gNXMts4=XMZiH|N9lXj^^*>Pb0q=(l=F0DP`T_!3>kLoB|W#Y5ho3u zL}HL^gVA1>FzCXHG#h?(8)IQ^K&ZNIEJgiAnC#qdvB_t(DFkutz{n(B1R>v?G8)CC z^Bu13CsQ(O7!nkrNn^?#>8du8#(~Cj$WhC>QRMSso8@N>^u&YiDPS4_x3>v4f_>NN zlv1rK`UoI-s#+`qk+P1LXq2#aBz9ZAIWGPgMN}s}q)|wZ1d6ww?r6%s*^xLxDMUE= zD8B;!wu8gc%>hdE2(+LXcIS`WCeBE^qc`$VeNDKPWP_eZ=5|eTw(6wKVvJC!>r6O) z+x`^h;1m;u$XL1jq=Q%R1n9%1+2PI17ruf{Fhz(o9qm4trDMDete#E`n_>eE8X4Yw z->nY8ZCj$=b@!FL!BtOCnW|CAtB_)PP$&_SH80Z0&G4#-Q2EaXJTabs4Rsxnq@`v0 z+6ov+Ywal@OH<|Q#p5DN&(aJeb(|_c;B2rF24I3OSe@aEj3>&HY$_-=UmShOhHr!%MaX{IbESs#L z@~Fs;I&7-CCqj!_H_WuZp?G@_=~zy*{|x&p$%*%+Sr(z{F8?^*n`}fL$N3~iP+p*^ z1P2Og4%E^=5JPf+lS5QD9cZ&w^t!DEB$Cbov2W7IbgNDV9cR`n%&bY6M^0 zLD5E~9DICB?cVK7L`b{uU;$aA9!ycWtKvywN?$6e4696@X*cg^lgFw%?~fWIXCMOD zc|qX)htrxL3jFzHMS8Z`Ncao;qL@-Kd`MK{z8~;8m$o0zo)A)Tl4(?UKs3vTXPWQ{ zV{)@%>UYV6_^^w1^8Q|o_MjEpO;QiOn|CB$l%38S;S&9L_T6uZW$5F=UsQB6Q2ZBOCV?C0|K zWd$hneX9If@s}~{8j!su9?QUAKe8}|;;(OY-%dUBk9QF!90&a!zzw%hnd~u)%@Qb> zQjP3rWgxCA0&fDZKL6@T9u&gDwRUaJ_B@~ryp~H=U@ zYQmr0-hM_d2iMlwTc8sg_=25&LZ-=y1RUd`TK6ZF@e(BZl+SacSG@`)k^P<^) zUc!(-_kL5RGCHYc+D6JtNX>dMXo-1CpA}<~NOzJuBCvbfET6briYGu9uy5E{A$Egq>$m6+D$zHB?YwWs!JAhdY;#yfwVFCJA< zZtOk9@r!LkS!Z^REiC2WB8(%~)b)ju^`y@Z#M;r2?OS8&72#Fq?yhD)YB0s3poe6W_e1@yQ^p7)7& zPraeKQk}|Sn>L#{QEJJyUIdrE=C>X{IQCkdI*$mPqpWc4VHJ~NFUklVlkcSJfjq=@ zU7Hr&g<|J+c6N@tOA!TXy#^S)*$i5|3??y{E2H8no_Af8sDUN*>V`MR8py+Pu?Uu`hSW< z$6tO01lV8D(7jvg`nt?AkVdY=I(2+x=DR$x0`Ff|!IDheqd$SCQ9kM+O~kMyO&I$E z{$_g-Rwb^LOrYfw6<(g}nSA_U?lCHL>g!fyP(!wx)+fFR@o6Gl-+D6M+HoyE_hiS( 
zNPy@Wp-aTtQe~#!L!#1a9c^Qm`AN34T^s4-Fa_yqzmk1lT>?+CyAR6MNDi=2M3G)$I>@OSJpM%#&$;?vtv7bV%xTDI~`jc+qP}nw%xID&+~rw*Zy(p>`|*Q zca62G=GyumZM+qVGS`W6yr>gTH6;bWqcp;TVr{4&mNQ}$E!HSpZl zSk4PLUF&A4WYzn2ez-`L?M=+LrjqRc17Ddt`Jb2s^z~bQQJOE0hH!WeGJbDLszz{Z zAW|;rN%r61__%FD)6mI-Ja{&LP&&LIlEp1!bBt?2Xl)#BM%`cv;jwmkGor3k= zHO0}-$%a;v!qa{ppQ6+bC7c5&A7AMxkE)O_R{Ta?MQm7`Zv@`tSh36Z4bEc~lGU5i zDoM(yr2Me7bv!6yCf+IKN&PNuiy3_ixP~V%9N#Yky)MX}Wq;meZgh(OQ4O(oDLWD+ z^;9>ySu7!M`2X~;BtRkf9|&hKeQjUIw}BRY%({rZ!4SY2#Mrv;#L(<=M1)IJP(`xaEy zd@_>HJv!WXEj7!9g1h6~8{~zj4~EYr_sQuzA0@ztJe%_KU~baH;5w4%HUZ#dVO+Wa zDc#DdZ`j!_-TSMPc(wW^nXpk^WYH9d49twQOBEb*U%E=yqJKy=^UT}n^^GyOHwaW1 z41$Sn)DwMvM;l|Q;EBGX-9o(#huXD9{Nb5}hq4%Kwe+x<314`R06L#v?8&V9UvSwb zL#MpB3=9}17phqvPsWie^(7Gtr2v-j-aJvntt2C8%}t2D5?%A&GaY9h*aANqCvF)S zwwluZwFkGqIBxfm#Y{+2`I54C;Jr%munO-XGO3U+1DR4k0?`@57cu)C9;EOsbm;u2 zYF-}ZmUrL?eo!+vflh%&tvpBUo7A1OI)GQQDt`J<_m!U3!NYIOxXs0{6W%9PMuoLw zj8S&4bA%=sT>#w`t{B_|C$DzIfO|H6YjfHgHFy%Wd$TEs24h)P=~yg$q-*f$%9rk} zyWf=wpFa8wyQcQX?hiYd=DLn$)4U6@f*}tPx#BIe8z&a%DkhH}DO= zk$oxPf_6ZY96x6}Oi@i?bFo*ak$7-YTfc&pd?@0iM}-o|JdgSfyi5 z1=<#V4x_t9^m^-LsP2D|ve&beR4wq2_7L~gX=4cVyxz>BQ{8MfT`8RqgVqx7A zbgRF6kaAjMTWS!mUai*gkf-SqR(`XfTYQ=nM{n-_D81BG{nlQhHsQIjeKdQ6w zPBba1aezt84`zl5Ys}wcQIKUuW(Ig8fLt09cb(oaF>p~)D-`O`Wun9@XvB7TR1zE7 z&?bv<^le4!DU5xAi$_#qP-Vjor!jn^78OmgOr$Bp>EwM~YK&c+8U5c};6V(5>f9ie z%`y{Z%^Y4{cw0Ny15c2@SKBMg1<4x|qj6y)pmw@v)jv#kI^~B-b`y@}y%?%yq}oEu zYDK&BvagP^`;v}iw-x|!-Q`H;e(}q{F!*qSOy!sM9&WPEB+B>=x5U3Lb;WTNdNW2Z zLZ*2vf~hIv`{6X{k#DWG?7{ch3izOHdE_x09&ciV#&Sua+fD?XbB?nAGBZR$L>4G( zA``Tu@I4sjZ2NW5OAh}=m4r$%swD^!{9%6RH|}mn#cp{Z(w2K|RW~=Jh>4}@Kt*rG zr&_w4uF4u{k55+{<-DXy?QTW-;k(LB}nN#9sLal80U~ z{JwY;JpEh_O4!+2TCrMzfy}|Bp#gnMtcDmty`1Gkeep3>vO>7iEw6PwYZ`9O$kp|0 z6#9NI6kPLU78B-8r&JdMyt*m-^%*+Pe~Hlpvg-BD;8v06Qg0VRJE`3`XIjmDw>|B} zbEWXTtL+V9&qD@b1iLg4yV4T!0z zh0g!C6ik1Gpl30i6m|z7gbb{YlFvGjXFMGR3;6I&X5z>(nY;&uIX5O~2*zD?O@A{m zY=u0}*YEt1r!UV1wbZxzt8AK89AVlO2DS(t=4zV6y-DTyYe;c(;GfObO>A7+r@AtR 
zWBfx5O6jJ6zub0BBTFmQ;}W8pTQOEUUv_)h83gODQS~@g?~(XlNaB(v$;hTn2Uc1w zgZke}6*F!iC+IieH&aRnOXY@{R$JlFUpk|59*<4!jl8TDSMLW01gljoz3sl3=m3v6 ziW%8}4ydLkw%SAC-agw+nN^WG9|yR0XcK12XNmv}lDBNch_hiwqeyp%-OI3{@C?Xs z!eS50R+F=Sr_LXJPQWEy4X*yOIALu>nr1gO8c0pTvA}C|UMGqna%@#qae!`x>{?;s zl>k(@5%SanzPcyw2p$yEa8q64;bf8sY7#5&b|S0Lvy!dy;MM=BmNoN_ zAtA+_`<7;ek~`|l*R-}Fl^5l!@z4B|1-fZlZ&KfjjB8~l%o2hl^6*;GNX^rHe-zln91y(Z;BG#*0P;QFXq;gPWLnV)AY`55B{ z*Rpp7{bqRletDAC_-+Wjd)Me1S=r!ojIHc%0wX|6hE7e3hD-yQCA!ca8V`xKt!kE; zeHS#T?CO<8SY<(L|BbJFgb!UVC}yiqh>+ibP~Y-%h9|TrjtHlS1?GCbeFIX(g91z? z4+yZ4buxD(#l)5N%>q8#9q3`~M*G~*aeG6V?B~@t18(O|*Y9bjQ#n%-RbawXIaO@g0?W(+~o%F8jj*>RX*9olRav-^j+V2g} znO__`AQSz>0~s}Y;!6;rNgcV~=rGMZ;Z>qy6 zQ#~}!nXV@xoQTZO6-8}?22^|CpYP-#o&}F)+oS7c=B}um+@|H~R^seKUM9!(e8=CTaHK2o%O|Pt5pQ?I?qr>RLD@&DmQ(wkP6)X;PG8P!q6iOx z(Rk+-ie3b@!M|H=oHke5v|*Pp^Z;n>8)5{KdB=&^!j5bq8Y1y%mjwi{`9_V?{nn2k zd#%9mXz;I-VTNC*)#2PIq$9*wS%;E%(cA$n!xhUd=zL?aAkBbz()lLBm-`^Ag<7US z6BP*puMm5)J6ai_5lp)E%^lBejf6D>V-u%~xE zg!=9ys-%;fO`AaTJ7!KQz3?O!Zn8+a>~H({(boo4B1xDAeXG;kDcF3Ql?-co*^;2# zWSCoW3%_+o{X+U$j{68SJ!zc0aviykryWe7V*LY-ot#;p#BCD=6kYGMl5>Oy-jg3X-uRvii%0 zcOg!Jb0h2qbG%b7aY0R2h(^8I>NDMLXkka0xYp@aA!*!bx0te`UC(tPRa@`I8orJ} ze{plNo4=WQ|4NX(cPRGi`l%P$hxzz(uSsaV4|bpjnL0{Glf&ae*wt)}OM$~n&8+1- zw`SVUT@6bp-8TE;ak|8K{=++G865J%>>Dgs@W{Z*g*o<{)dW+ z?2=3_PsLd?Sd&v~T_`i83V#$xFs&ABw*d;rH32_yyu_C3KsZx_hk z%lGtA16U)3ZJN8&bg=Y>43&;%Qba9Jgjw@J>q%$zOg}tYB>Xj48xBd5(6y&Y z1Kn|@Qf7wLNz6ZC0LpFyPE0oghp%vbhf=)2XfASE+i^T#X>0`e@$gw@MQ$rW0lwV{ z6;TQqy#XweN+NJ9%>-;l73JKUkl_Zr5>5;(CRq(b)T+dCxmk|O(VqRsd4iw+g?22>FCe(lSTjtD&XFwM!^2gHOE6kF{JZEx zGwk2jgl@L6M^&3LoXWZ3@~GfZzUw7JV)!*I5l%IwvS>xbh|SU36f$V(5< z8)YCC1!GNqBUPR1NN#AJVxQU3iUC;gCq}R0cav{KYQgIZiSX?+j*3PqehMAgNE4$* zHRI`vk6w9=Vi(=)W~PW&i7{pU&SxKjy?O#P4U$)%CF@4p4Byq5O_n&Pbw_|7LR zy=}d2wLX|$hK&LU;|5TH1(nrU)W z8o}dC=H$cd5;P@wRrbwuWjL*27YsSyl?zy&&~+^4m-Wh^(~>Jm0soqt&M<~G|J0;E zY7u_zLP>^Ij_LKM-*l1wDl)2&)ZU_Iw7|H~>U$JUpQxV(WPsnLRVO<%SGan66mQFd 
zqgJHjnPQxEEnbvlbA^35SIMs5w?r~DEmNPCobR_im#FwR-*eMf?GPn-c4(EAt7Glj zPpDBUFUXl4w_>TD*pz2=(w*cbNPq}z)0WC&Z5>P2*doAXq2M-N5_BUim}{aDx$eD| zG9;P|+WO(0!{eu!b!QYCj0a^2K!Z&Gbo-23%f`AVOMkT$<+#1+C3>;Yor(7N ze_7Ae!82Y-JD&12p6E&Ou;ttpR5jB>Z~H~qOnX@T@-_wSESC{r1q9;C?E`z6(@_Tk zAl1UJNtYjefY6Po-v-nDWSDhXFu&c-mT;XNWctGGWlHfpAM>q?rQfIyx{6kzY<)vl zXugJ(@0nIBa<8zp&D8CDvlujYdvCT)(iIxUY3MFLrbM%;*J?8Mbv@JXj~koacTp@o z6tD*3GvE%_wAyC5KF2>eK!*O2{E?|BhtJd0h_85Gu~9+;FF#2!QF$*-0+`e*#;$CR zEQ|128k0+3_P49FZprOO4(ICE*~2uKiu){HP{PywLRoa0Lz3ot^XQ&#|6~ABNc@Ja- zp$kYCY9GMd6kCRf0^Rr4b!+v^LxWMC!=tLXkCwWSG1Iq>Ivhg_zPtGS=ip5op&9YI zK@I;pCCwbNk5ySEy9rMt)Y@G|`MuUa^E(Y8@kF-MrAk}8Co-T@dZ_Qz> z5En|DRRlXDqVE+lo+f~mi;)SF3rs9*Hn6t`?*ewjw%~?%QN)9FTs9ZPkNQ!q=xh3K zdR~a&?}9*iTjp_A!zlvjCPA^7`pJ7CRF*JnW(G+T%(bT|E-E?jK1c}mGq#OjO-PCW zO<+l9mCR4g<2NN6sJUl-m_F1BwQSAZnGvPctVI1gPntCO%0Zpb`S8~=68XIKu}K|x zwNd{i>pi~K3kq>ziVfDqk4%`0z;Pzp4JAXL;>kU_A@+S+Fe7$hlJv;Q_6pOI@`W!& zr8e3rtmm;km!AulxnI6L*_@cA{5efmNy`M-J2o$GeV*?lo>W-p!`wSqX|H^2&JOR5 zn9CJv%WFmpdRO(?BNK1mQ_jj?`f9YkTjPKp73vKyzkIqo3^g|!PRnK zq)4shMrrNj)Otx3C1R!Na~_eYi0-^-&?Y|(Kx2gVf!iIvlfnPQXv1|Vm9B@P-uq3P zuZ$%ye|ek!ZiGA~aR9>!zkhQTpy7oSwy-ZzvmuonM9A%0KdjeIwh}yHn%3Kxv=+XY z^VmV^Gp>e3@?V!Y3Obi57u=BT?A$s1#WH1tEVIu;oUr+~xIiV~V3zuH)Znm0cG~Bd z!nYTY4T|Q1S*IN&d+J$+1?4=lnH#AJYu*^)Ad-JMqY-b;!F&)g$a!L@vCBiVt@uMM zg$%B848yQsb@3gdvtg%*D)^V5y;b@CPJIV^v#BVxX#4GgY z3hnT#hFY!=w@_!%ub66$DDcVCtBr~k|Ie*U)$)(*a-)&@=zgI_cr1;inGmvEJW|yo zhbF_>__iNY^{metfWVI&kUKw;ww4Z$%wl^Zyx$>07FcsAvtdvN<-%(@4b*eRs>3Sb z4mi)Q&fBN?g>d!Sw@uU_1)BEedM!{BW{0Gm6o>m(j-IRlPI{b}7+NZYI4+iC2mxw3 zlT>j(mgFzf%)|IFN4`hI+d*4aKyJa_Fk5&%pP5WP@vTbtUJ}5kkeYg!=0axeAL=%} zoOGCjM}Dk7y<8M{GR2O~M7z=YlY!FpHDTq-eJn$d_CWd)-I>d;RNuZUE+maQrGQ<^ zg)k8>Z4^BGwId4>Q{8?vVzp{4Gx`IMUmS0Y2&6N&%p1js7ORK>q0T6qjphnZdfTP& zF%_>j+#;{J#QKoALv6Mi;m!g=uhHFk%j^Zpfx4KT@-t7M#iJBv+S=~`L} zWA`7ToBxvi^>K9nmMVX&#?+^(8M|xmV&ShL&I`Av@xmYQSBtN>sAn2;Mb0le==>gc z=TFIi?fA13hxCD?MmB7#8L!-GDXhnvxYJ282OWapf#}0hJ?`ja;1fr`&)^NqTk)}y 
zf;e+evg8&jF2Sk%&<*gSEA9^5>=n@avDk|lh0p=na-Cw5uZeIoDS56@N}8&Dpr7yb z8p3ZBpTt|F4-Q0-Dncw|VX@|cv>z{RBMA`vNSo0bllO5))%e`;Si^aFjf$($&>_x% z+16zy*9FazxAG{B3+x_`ssiLF4;ac&&Hk)1&2NqBT-FlmA5Vohd0x3@b=(i=*K;AU zr|yS>Sp*OWu`po1WTFJ!OTLfgP9 zRczHdj_$nuj(n)rR5xZ!+CDm|h;wq^-Y*GLI`1z^2~UF2Q!$pB)r+($M(H)n!q5z7 zjzdx1F4f-vpt~SHb^8HRQz!FPa8$06C{B%v5_P!T8P@`=LUhOqo1 z7be735sU&)lm{*4>okQ8EvGp5DYM)f02zJ`p%6p2_H1PakZ8ZgW4{JTnsn7q1IId~ z$|P~AE?F4r8&1yQ*r#Tfn^aPHq%K%&Cy&kq9&!9t!4;%)90qKa*$NBFMRodCW!eRU zTZT{JhV7OyqV8ohZ1ToYikXyO!8}ISE}etEQ-Cw4%__np=ZhWkFAu(ASiU>3g6VPX&<06l7!X%~=^6$_3hECQg+n#=|I z0d9vZlkYvZ2;s|Are?8uo4{zt<&hyXwqJ26=>|mBXIkab>SO-K7twXWSeW?&&WY7+UZwqPoHoX!L;tu!z%9 z2}>{S8-Liab$10!mg~Eyq8R+}UZ+4~(^iK|sQ<}O{vtcorVzTMNBnArHe<_6NWtiN&U)3(511_$|9xSh*aDa+MQ@*z@Nji{L zJf_jwA<`~d770eGj34>tB<-kC8wsn81bqah-1%MIX-l9rW9H!N3v-E94jq6+osQ}r zn|kyg#nZR~EVy(sZi&X#vyU2RogEqM5vKV$da((x^o7?(szf4iH6s6SCCemhba^5O z0&@IEQT2w9X)#a$VB)1MaPv`aA@!0H_S*yDw9D0caMizoduK&M6}O8BIXE=;r}) z71(Amo?W63A@kxT^^+S-*7TI5waajWx(dHtvYjN)u9qR@cvQYLDdrU_Q(x@hC`C6c z0aC58Mw?{-O$webbXI(|T!~S)M_I#egIbL>|YkMs}@x8FG23}JNSkp+0vY#Xj9A-?A@Z-Nx(qKpLxB&n3|_sJ9lDy+0K7HPRJLVxFo6J@rhzK#zaaCfS%1s75 zvK1B4e5{!THNr@Akf@t<;~jj$9D!PP5Uk{vjj@&)cr_D}p4LN`dC4 zqtfK)_-orC=A*siO@Q{0jS}=bbAdE$&H+`}*?4B`5Gi{CJPx;Q65cF;oaMJ^+3yL* zk;nt0ya^QHEf_;*Z3t8oziqTZBkvG$&Z1Z0@+c*uMiQb* zv%R(Me59VWVjNnG*?d-E4AIwfmWiAG6o~oo921|TMkJ8@j+hfw+cIFug=rr>d_Tg4 z>~0)5PO%BGoPiZyleq%bVSZ6-m`EfaQ=7R$Gv--asZ$Rh2O?}mGq0zOG()c5+V{kE z2m4sGkw$=DFpJTG;x!cWD+pm}^LpKA*sKwEQc?V!!G_*42w2pOEV7%OpLp3@ZI6$G zzssqCqk_TFYHF@O&6Ul%qA=6r}?G)ujjzc>oRP{ zRo^}Rn4{j znHQ%RazY7HlKZeP*}(J;xS5LORr6-ayrr0ThEEl=$PqIQx$DiS~;nz`c`&P2uAM0lR5jpK`kN zmFu2?fMnFyqtLE1D?HFR5}KPvNODmkXWb@6^R>mKy^s>xX-+eM0+W(TJWG6GTA8r! 
z>7*P{B=I}hah)7c(;!cAGGxIL1v&TO0WWGo)xfS?E$^ptykB-P##H{tiTQ;PEm!KXmE~*%sW`!!2_hkl;|>h)JgM{Eqbw9a7oza+j?!Tqc($3_ zZ%Mzr!aOmp><`DzDlF2nDf7X)5iD{Y!w3j}(j+agLi|p^b+j-fNP!xnplgd`u01S9 zwRAtuBZm%cThDlB?>yCy4R#&XL5k>@Z|&}m*5!Si22@YUj`|{HL6yYW%9{_uWeT)+ z-K%$B!U6E1C|z3Krgdy;`^#Lq&g+>gD=jr`>h+bi|G=g&D8Y=U+}1P`D^VUZ1d_gqaa&+SDGGT2ZcI%oG>Wf3~W-Sm+K83N!qh%0{#^#CFONn6QQuf(aI- zZSX)KZlqlpE-dn)No}O2s!^?{o}e$HC5@&M} zv#%okKz>@&3gD*mdrTl&0?8LI!OCCwDa;fr5R@EU)zLYk<94mpYWU^M<$k;}u zY?@NrgOQBQ9A-!m2r~qvoGwJ*cgBehGvh_d??xCRHEX>nPrX`SE?o9;n39c^*$5l( z7jrNBZgluBWeeX2);g2BzFKUEb zfQ|T1|0`Bq)EU4bJW-z-X5POQZtm&N437@uy6drR(H=L9q8x}ytTO_3N2KD~NMHa3 zozz9n*2~INI_WT%dkvP}q5hDt=GgC4)^-#ziS| z<7Ijs%82Q`q;gS`kLUbrbG#Y(!O^Ejz3up6y2XVLYBnO;eKsOEz}zK&VJ?D>!!_0h z4z)qpWdygtI^*e)$?Xbh#Q0b7`s7q*Jn1f=S3s_@LDka=)4^@geN zbzYOr$U6ZKNc@i%L0VR@_y)(Hbw_@ibcQS2XB3{PD_aej2@zo<)%(AE1TntJNMXrs9-cyj_r$%D&roR z95!&`<~w8Vgbz{V0sWcljP~y=%>$-rJ0@W#H_?{%@@b`+$aV+(fzf*q!2ahCciNkC zzLP&(nOwD0dqKRTU8FK5qH_W2OA_Zm+#G(Z70T1Fr@(2ql z*P{Q?&Z4@55t)6dWL8;1^!4sWSR=;V+h^FF4>}=M(0L7WgDqgLmPqk zcVy(iK3@jU6~!FG#ngKCvexOk+sXJ+zp#LU`cAC!o%umExGcxNwnv!I@(9mt!IU@a z?}oL`FMR#gh0xle^T&%84z+k)F&g-cE$}A%xC+%G7mUkWiQC-o*e`N z=jY6x0)pRWUOyYnH91X19sz z-skBeZ=zKiWO$Z%=N@qOQzYSP;2d9L!EREko)J=(!)88(*SEQ@xawWckSu9gz$n0E zsQ>t08H&snD>JT=B3H*RY4h2Gn=-CeNcaQH@h{S>o z)oax~c3t&Hq&3mwlZuEaEN{@Xz0&wsLRgUEh*iar@i<+*|GECDGq#l%PgA$4_ChErCD88rfH3r5<=R&UCyVV*Imt1_3B{kk zAXKVRV9l5-I47D=OsbgUjkoJTHJA&t|9UL4py#v_squ_;@Z-IXQ|#;T#N!JM9GWM*NVhYiV`gX)+%E7ZzI5hk51Lk zSq&LtzXB#|H%SbmOOD%RZcEaxlyGc1SVsNDHrmy9+%EF!izuZl)LlBv11-09|7rfV zE0M6kb_ZV-!KOvm|DCFk<4bp-H7AKIl5RyKD_m2#Qht01Ls}yVek>uVqFeh9;j_>_ zXPOwE&}~_3=oD`a=y{3j^TXt(!RO};$YHkeS}22MhkaT7h=pk6R{UA3V@ck_Ob2q% za|iNw3ERG_waHVA%u~yz=K<68(2cVuSDF}&(1h|Sot5xdxuU(=Np!g2Iw8EyU^Jzr z0@TwraaHDIK~mm}GJ=rl>*wQd|NXKnCLSj-Xm?77`&wPMm>v?oF;6^&lQhwcqdz2D zF>EY3YOLHq4xi^`VxPiEEyQVvSpe^kT?R^oU5!sxAV6v#&Z(LG`4W5nsG?IN`P@_j z$qb3gAQ_|b)4}zko~anl1`C@)buroDmncvAmZbYxe>?_Q#*2{C360|%xj+erV3@zz z1i$9PJA{4qYkBd~s~dZLr=PT|xGG83i!lo}Z 
zkRbj5PI!=kk8PIL%#Cc88KLy&2umZHsE$tOX%TxgjX?6ysfwd3vg}L>D%1sl0AI8D zWHqxwnUTE70Pr`VY*4v!np!Eck}_hR@GTy}t2ER z&I-Kg?QTEU5>J3%vu&3*wcXCYX@>9tGW!K3J3lwLu^OI0BE_L2Lg#37x2HpU1~r}J z{LiwwX<_56&?J_JSA#CR^a5+f_jkzPTI(sZHtp-~SYHqI%goX1(`}xks|3uI)9J6; zZp)3P%4eJDYM(LZ9D6&own*NLBWBOG7gH0zXCGt2oraRfr>-P>njnIu+x>F<6O~5Y zcvlYQ^I*#;*8zoMJ`6e;yUYly<|VvK#fN{=)K?z%|vc1YXM?=Ca4- z>8h)%_m2ttgZRZyJ1r%Hm*yrBuL)Q8LRh*=w|8l1uHF%^(3wc`M~kJ0zX_o#; zi9fbz|h=&5R?K8uL;9aIfwi5X|GfUB&h$2LF zVki^FSZ696C9ex zgsTgRCe8`L-2H7HRC)Pc!2C1}7-u9ShLb%^yM|L!Xl2-%(ooqdDtAVm=Xz?ATB@az z5dsktJo=#Iy{S{X!eK84tl|ug0#SC8`)KtgO77x2^BD?cJWn*I+iD`|Cl=jh+)BS;!D3 zNruh4?T+mXBAuGyQ~&bu9;iugx$gY#)Iw7qrO1@)iZFlX?ZHe_@l)%VT8X+qiac8@ z&auM}uHZ-Vipt-Tq_Bp5Ir%~%ORg+2I-%QeqTn}P-Y#sp0(42JEzl1b6v;f{m5iCxO;o(7=dW+=ReoJXLWS(%n!Few?YZF4i;cSN$;7k zU!)KM09hlvLKD;#`;y@yV}-Vreke}ATrz8=BUmdC8QPv$u+QRrWKZg5fOZ-sPQruW zN{+sJ%ix(^_ZNSjebMtlTgj7Imay`W**@s@6u>EOf`2B}M?m!rI`U zg959vrt!C={Ht^ox`*7hm#%IVC~Mkur5v7vxwbS({&Za_xFk&zgnC#!)iOO`6ooLVKP3& z#DnbgU@(*%If8>4N`$@tmi0j>N`SoMwv6r~XN!w|M!)*5P4ZKgiZoO&A}Fa?H40aj zrzu>q+NCUGQJLCaCjlw^(3v0}s6h2NY}sPV!r-;{-%z_mqEOlb884JB-*0wi9saGQ zx~R<-x1(#cEF2}*Nf7P0ADa1|-8nZ2nJTe3THQAZfTWr_4SC^$wPufnPc)kby7t}C zjB3Qy6${)0kys7fpvwgj4>_8P3O$_9r%&j1tZg5+>uvvRo2h&1F((5zhz^0908ck9 zzP}O$73ufu#$QM-8r;SQ3m(=0^qh7M=~1PgtY5At8GudPI0%mnAGt$<>5-Ou4~C&78N%^f*2tY-^=A%` zTnW3$UqzdA<<;+-dLX&ED6)jP%$;NtfhT_Xo;|10HLN>PtHEh}f=Ued- zUC4Efb|F_RZjxLtugIr`DDaKWPwr#}*w+(4krdv8q2|5-CwqvqcU{w0v+V8;RC8+h z-}U$KoqoMxo%!0_YAFTbfO_;KU1G}wj=T>W%{CyFjL;U|8)D`jQFBWzS zQ~h94;hxASG*9ScPHPFaO-3@pocCaY2d1Sz#iI8A_YvsJ^Mx8nYd648!Z8Nn-Fh+C zeq=&#N3oV_3;Sx;YyacH_v2&WB@?R}gib2o`a+pSDLv7>E^|#!r7{sQrARtm^5vkW z!Jt);ok1HkLT->^@nqx#{lDbUaU0oa;y}Zd{B1Z1Cr0@0i5@7wT{9mdM~YGYgs*(# zhB|1;PI|rz^gt-RsD~TCgY*0Nn`fb?j()O7V-rs(ThDGKbPD4UyKP;5&%Xz02LIW# zsl*Y?XA7I=`z1V$kHf~g_49?_2v_}6_1mSVxZ-H(Q|dYVAK%(eGaKCYw(s-Dsxbk_ zI|GB4z}rDjRaq%->cwoz#daf~wFbZT+*XR zC5C_;9(N2$Dcxkqiu6RKYEQ$g6=pLROXF-BUGY6+$cYdIW_zyaO)UmIa_~pUr)3Kl 
zoSVbBC5FTo?vP{?FoL<6UI0Fa--@`pRXWbbP%I6%dQ$O3h@87n0 zFf}4m@Z@Oa|4>t+?#J6p+9}nOmD40lR7!&RQrK`stxfJpnt@S7=PWoAx?y4H);%^r zx41yM?}2#A+jTs5Nw8@lc`k>JUQys$<>FU-4il=PH}Np1_WM10q;th4i=ZKCDsn9# zIlA;tdn8lg3Wu7WD3vzR&?2i)f}Sj?`qs!D`~O7tw^;*mbGFE@^eJdGw`H5$P8!5Y z%G@rN411uGK66i%R$wFoi>)WvUFNRi6l_wa1KOc^aNywAL>SzLXQ^#>Lgut0U*AK0 zb^>ZE9_D00wNZQj?9zZyGK2Npr%Ulqh^!?lVoy0HkwhyQODjv1E9x4%9LRNy zh0MvUb)NpBBp75s>pa`mrD!m=Ez#_}pJJ7dCPZGsKv+$GA5gSS(R(8Zcv~oT~5yr8CnQyO%bttcG7Vx$+C5bxbatd2!oDHf&vSL$~m^5Wmk;y zM|?l}L)h(Y3rV7+xVwJ9z^Nyxy@K#z9;o-7v$^?U& zts0x3)6sghVtg+$ary_&>_XUDT`-u7}G=LUFC&82WIQOi1iZ1ZgtVHr_ z4sXIo&?%Od(XJ3_r@5VLPRMn_@rj`$xXP>eW(B!;MMaS}hEP9QV)RdrEUxsB;bd!b z(ee=Bil8#%!Z@J(TdA1Dcf*bwf@FLz2%YPWQYp>|vn+x6&zmJ!KUmtw{x<>UiuwHj zY<5RY^TEvU$L*soLavwZEC~8f&@B%E@L5Mea@%|AVsVy>iQ-^m$>D${nS>NgR!9aZ zKIc#Y@U_ldP)dRzdNc$TT@I;BrVZMDd5t&S7D4c+r+XVI zJmw57mnVeC6QBKpY_rO6NTBcC3j;9q9tIGzj+ukYT{3W{2reVC(tXM*MU#hRdm`!P zIxoK^Zw;_PbFf4~hJ?a`1BeG@8{AJas01s`qGsq#&WPu9{H205d^EoePMLQvGD8>Q zg4l`3@`SMyymh0&%r#O((v~gy#z|zuxpO7=5*mU|EF^~R?>Bc0(~;NIcw>En_XWiF z6<VzuhB4qJ{k_mmnBUa6LlvyGg>+?8tnzKA?u$bs{5(o6*p z2%T9teNkdWl83}KC6+Yxd&CTj4y+Pv7DR;aJ@Mb66DAFL0F0P4EadM054RZc{bfV@ zw(ZscjpqwFW!3qZ=Q7d=FAJ#-g=?hiP4p#XdaPOe0(KiV@ux{g}idURp}qaNq42&k}}N%M^~aeh3+7S!UCOt-JK+dL`Q4go4Q>K|l%ch?Ii zN+z)2`*B$QiSJ%Vu%~ce>|sISZ2*=m7y`_&Y#FPzM`PHXKeb^IJn4fJ^W*L?0EOz#ws3hXFbQr|h) zO6Q2%G$La&dlOFgEO7y`n$TW|Bzgw;yE}@#Qh1}q|MJ0K2<_W&^4Htu-qo27j?H1W zZ&>o7_=0Zhd;Pg29*;cC)NTz(wwc;n2pZ`wS1cq@!#n@EqLeLUnf@TAw9h&8;&R3I z`?~?B(STbIT5NRWekW>p_No6srZ0@1@+}^(RqTvjKjq?G=i*B-i}3C2H}_oAOq~+p zBVA_9*7Ip#p!}eDi!K3wZokzGzpvKlsVnh6HCKGv^V5PgCFx8aZe9kWYb{)HHeK8W z2@c*^=fGsABrL`Ih}%|6Yz~ug;bAJfZh7V^LmiGUYY$$strx&NVg&Tcu=4yAse8T6 zVU}Ht{Q`j!@QR34l@&O)^{PYD=h~2%^R=PAyg``5se{Sfqks!x)lU6iRb&Usr6QxW z1ur!u6BlGD7W-n`aV!V-oGg?C!UV?!@+S)x&DUVf)%IbT%>G&(H6r6ABoHAH9yKb zZmeaPFeR#}Auod$re^nz$l6&xpJt7kPxi`ly{@wap3`{t=C4Not&>OC{e`)|MD0F)4&4khe*W15}1n{k1p`W$!&U zsnC(>jmWUIhn3ot01G$FNC@oh9^Vy#g9RSic0IzOpN4BL>6h==p7h&wuE=ZP!J?HT z9%H_&*>m0%cRM&EwEEh 
zSo?f0d*60Cl9#KwL^tXePWip8K9s$&vt-4O?_ng&x#By=9W_|`77`uGtAEL0up|{~ zXp=Lag!2Ko3DFW>0fJ}|&`iK806R-kd_N6|(Gz1!p>R7Ra9u~_aBsCG_fza0=j+y9 z^0DH^IKRiI@cEeVsnrH4#-PP^&JfaVafKks&hJHw&~?d5=aS?#v3Cor*51awBNlPL z(RGdoV`-JodgZ;#r$I@(a>-+feYa{Qv?wNd@jmhnT{VM_jeWagQq+XtumqBa^rF^z z40ahZkKA+hVWBQ3U(Z~LfqZLl-Q}*&5?saPCh)#$>@3rUH?|=-*&{(s!<1~Ia2mTL z!m)gkIT_s}YfLkZQ~r>M(6RXyFpUY!OfuRtJk7sKTv~vIYWS(8hF?y3YT+eW&q@U9 zEBVC^h*qaqGwF+fE+bc;zP5`T-%BrM4Sv7EZo`a6%sJQ>;x{6mtdpse+s@hgM<2sH zmOdQ1w#T`N1c_|N;=hHI6`iuUXD9V{#4{N)2OfFuDD%MY|5+J;A=_dVBLGn2gTMBv z)5d=K`9;8k-PSnTG-|srsUs=7phwY$0He1B{$cLTpC#LVd@rtM-qyHL#bnZVCrCML zLX|oxHPAR0Ev}qd?9yvSm{9!+n8%2K{u2Qa>(U7#Tk?y0KU^>ZbfLq?;3tVb71?YS znGX1ENv?q7iW{y{fzSQNrUCC&kfI^{aiIPgNdeavMs|IfBHD4_kn!<6;K}eCQLI{7MntGQ3?w*Zrs>Tzhk~bz z8^a!=;>~!$uI*8R<@$9fIL}<5NU=s0@-s4>>=~q7v<2d0g$c`GJXqbwaB3sUwntw?u{%&$1y2ee6%} z)#evLXg#h?I_;{=^el6KP~GF?Xn&d%IB*UYBsB{tPUtm)y zSA@#%8jMe3ICM-@=8uqGLFI{%rofZjUwuwc-o=%Wu}|P`!m`Ivml?1>;RF3MY9}}Z zdl4}nJZveKK!fYNlgHKYP-+EQ{K%l!e^otqYBP}^T$Ynmi8=W9cxJYMEKcbDU7Yt8 z_(dG^*L$+WJ*;cH0(!{4A($iY{Kv z2ONA8vbFM~UVFifW?ceSR>_eMTeb`1VM5J}6O%%s6Q$0OYrlu#f&5~Jg(OWjE!MIw zwBmx;Tywfqhv@ZRvXJcX;Am8tFr1xL&phQ_dklfO$5#KkN|w02Ha+qNkf;7#D5Sg6 zJZW7`cMV81S{rBsLJN`&;y(B(yu$ojQ3d;!M%Id_vf>+8sM*}Wf}C=RJjYlLmORs5 z-+rew*t&Qyz5rN~WB|JFEAHG8-vQ{ZRwIj*cWI@HOkH4OUtI}YuDn1q7d>vn=_6WS#yy_Q$nVyzkpFadRZIoX?V zl#+j3h-YCLmp!vEJ1Q<_>#*$`|Hw-BN3pRhY;Y)$LGc~OTQMA>#R5)GZAFL^Rt*^8 zWL2L$8P~$o?_Se^WP=f!fk)_Z(u;dVMqsvb23PXP<*+_|m|t|9lUpal49_;P!s_;> zc($*5A0wq$!FYFu)p3L$`!-z)h)JmJeyt7dLYk44v#@m;Xw=VY5vz1`dGH3iig>|# z9kr^2l9AVO2Rry2)${L7O>eK+n(;N)c9dsV*&V!;RlB!7fS!tpjtxGD+C?>k1LIG6 zE+6zjv7Ijc9=(Q5V$V5#ZwF292S46%p;S=_6``G#?^xDO!um zy%R>&t4<^Hska`wG{m}%$}=E~eD$A`yPjW`88Cep53L$&FBNO_DIq&NBDdZzz{6Zs z#a%fk%gx@s{LsrSI7!(E_tM!|+_qh>`5@{7zTbo0{=pZzll=%p%Y!9pm-IAAUo6)Q z=2o!&GC385_jlnH=~&N8)9-X!R-Dd066Px#HF|3^tCaBg(0HH(k?jbSWetB78&}Z( z%`i%kNbm9k-!%b-usO)`5>cUQXybbp8=9KiC^T zaE@q&e!8w#0q6=bM=4#QsS;|3omCi`H>zqp;-E?F6f^Ta&s2K*=|AscKY8}0#y#I? 
zfT$ezrqB>q=}_{Tzki(pooIi!%PHq-n8|qO^yK@-#|e0eUpE=8z(4QyYPvS7lyxIF za*YSvx#jU?N8+CgQ*+jEvFJGMQ8`P6nYFG?IA7uAzNbOsf5eCsb+|{ITZV9b8=g2h z;G6PJlxZ<~Ym}cZ#}c=Typhi#PX6G&=kg0gNlasnyP9_gxz_UKJlo5w*J8)Gkni!_ z-z=QBbuUj34k0Fe!!}v%{_`bKEt_N)k^km{)^eL20+s~oJ6hEX z^A@)``Cpf}#P!C?Nyevgcyql^DMC_blJC@LI85LsO-1t$=rBAfD>I9s7yC7I#)`(| zG`U@Soee2;n80#YBO$4NR0}_>?@4BV|89K`{cNoOJ4q0?@EXp{C+qNe+=>l@*Eqe_ zM`7~`u#G`cYhsm{{Y)Uq`}Hfy7ZRW6>z6cJkXx-m<|f~QGCclckQ?u_ z&J?*&zWMBaM_!1otM$+guGDs5}c;^!Mk8L zw&%zruUpclNAlSpjjeGuj|cUP?i6VWMYjD!=DIJJr}?VPWTnnI2mDhQx+3TkV4Y51Q!&fVKQQ>unNEN~5&S@*!m4u0&v#TwkH@{9{9j}{D4 zx8*91wgawuhA$32H1&7Gm_{Fa>Jl7Q0)1ITRHVJ6zj$~?u==s|ov7h_ zv>^@jY%~UE8p1^GmID3`eVlrlT9f-m^oH7O*ruRtq3#be1&<%KrP*2xLZgFoSdQP` zn?dKtc2Wc75EBKE9;|%XUm1_kie{W7z~vGN>?)3DpUfUssM%8L+h!aotCaGRg_H^i z(Tj?6zY;~R-mXp&qv6_Itma+*qlii`MH@476;FcR!*tI;MoBDOOQ;qZYb1gOK7e8(oa*l`lSHl+MzpMO^+nuBZ72{h$a& z7$f3q;m0pJRo8Z*@Fejof;fw9P598h?^TD6_A?DMCWRqv4A#40*CmSQXF_t?YTPoL zut|=4(@wQv`g#XPYm!0NKD*~b)X=@(GHibTPk1X5mT!TYZFuZ?V}vA4IaP1f#AjX)XKM}4QZO(>H5v5qOZvb;xqLBO{zN_18{fI!~NtU z%+}M!4@N^lbpmni+jooLoX${5)oQyNO1GM6-cY<|>Tdz7w1kA1_<^gQgoI61^g88 zRVdKW`zN^AU~9R)Rcx7avw5k$N7KntdUoEo+I^u`YQ>#^2TP@-D!ps7O>5W|{`AOZ zI%Jdd8gI3=Buz>Pc1+@_Vg2_oJ$=VINoZUlk?czetmfvbFIWCR1SNOew~*A(7Js{Q z(eXyILO;QwZYq~iv&|9yUnw=F{<=RoDUj)f9KSh@W=}(Hc@)v;^1iH>!)EElsXu8r zzS9_a7SWv6+<%YQjK}uzZE}yZfal$;NvpGhR=@Ctli%O*dx)UY$u6Qwslv{<=Wl9J zbg`Ls^VC1xpfD%5@ek~>kuK6m`#P70E>sksOro0P*#uYUbCA$b$_pZ|tGT>SmCa3j zmFv6=in?ukISRHp8D}28L8iGUT)Q!``~hymIW%H5Bv~vm48thgZzU21l5?8oJLJxEOsST5mAf4#?bxpUp5s1k*pjU^)HfaFUAm9+tOj*JPi>?3rgfZMJ=S2{r=$s9*^}N zWYY9b`;aFv)Z4~RP6=4*dR=$XtjHXe6&a6&Hr83-VYgOcV>0Wb!y2xV-lNcb_?e&{ zsC6EnQo+NpWeQjh8c#&t=gD7>cV`?F z1VmkY?dyz}>&k*MjLF;GrRbFEDjB&Y4^>1Whp0g3?C2k_tSqqf>V88$=^kT z>acFhsI1y;;Ip-KS06?W0pG1SpR7|(mdjibf; z>cF~AZ9<~W$)M)f&Xr{pIh(}qaX8p1ph{`AW#!i$p@PFYeaSeBN8xoU*GhdKGQ*R$ z3}k7VfC<_OG`~Y*vnkVGK&tM5YFd6W1kAkWn9Zg`bEZ*J5TjAETXHv?6hZ1t!PH9# zz-89=!wWYfX_cJjL?A=Byk=a%D0ARBZB1D&^S;hdeJLlk_IP(4(&wk;3Qy%xfCqd^ 
zNKXz+#F2{3OoOIt%GpZY3XOv6i~aD8h`>6%AOhL2m@>(lNm~b3%`7%G!fhw z$*HTRx$01w6aBf3M?z2g9-No>HHUN&>YBfqnh5i*SPnWw|4$bB`*J}zEkI$jgh}F{JW>?Z0n5I3sjJk)6A3M zAes{iV*EL{F_G&_GSgznaZsrY$6JA^ye_upRxgQDs}?~EgnzZ-1)e5F`xW11XACn` zM5Ln*XxM5RDVS0ODxO(+%u)v^(<#gL_2tO~{Nxoc6vM+W1}S_@LW&GtQ{SWfd9joD zmcFtf$X{CKRPVP$TaV0P zg=+2jeY{z-pmK&ohVkfhoX*)k5}xTjmxybG88hwCcHHo)jE&Rj8#BS1YAFU-r*A)) zM+C&PpDBo{)_0H%wywWr{|Pb9&+Cbnhz_w#ROK*HNPvpG|DtX(tBGl?cB4;2*$K(S zKNThnf=CHX$wJ_e{`VBfRn8A24>k;eOS3bAJR%geJ!7tXC{k?vdZH;=ioR5dYL}#v z2cl_OMEY_9DjSss)svAAVkZ5nuAWgUzMJbz5CuixtG1nLn1=V+G$=VHsNmsqGHR@Zn|u=z*-Bt8-&Gz|FK zFAK$8uKg1qnc7tgbc_7yFDl$dcf035HoiD>@0>I$H-kPD0$v)4T9o8Q&s&C}HR9&; z1(^0y>aa(iF$>PqdDsDntA*xmZFCFd5ocI=>HsN|j)a5P8|IFd}a%Xp2YXQU`Q?5RH8^PMM%vqA`sV=ADv1h;83>makKEu=yW{h)9Mxt)LuDOniR*Aaj-v#opuU!y0p(&q5@W19t z2D*@8-B4fH@c zOVXjD=7nh)Y1lVUjU1{YtG?J8GoMJVU`w?&OsAq%P2e(Ip%P1_ZT~#}IVI#f0`znM z;{w`-UQYtyF4wmvrsNdEwdn%=gRY`RPj3#dzPj2BcCIjPbsBU@3${3(pww}ySqW3R z)Is%(K!P(yM@X#NW#JP>sVqE2IDZt$XUN~g=v+~y%qU>X zIjC{vAdcqlqwk{tkp?X~KTL^QQVD=~OCVXZOTK68OVdh?)+O=rVef)JF1*X!^vH-B z?WaQ-n=F&a ze^Es|S+BD&Zwl9q5*X~&UZ#})nj$sFsU54U^13Og9neJTV-SQXFtXEqdU;U0u6?Ap z{2CI)TiyET)cgb@0O?DHFPi*3*BWm&z*yTvwd0aQ=&=%ez_#${F+X4X)+TCtNz>}L zp>2N=6pIbo4CLSIzx)c2750VvJ&wX|{lKesLW1cBY;69SYX-i}YdsLlc!F^M3Nojh zDQ`WPtTHUs1vKb1u|tjZ_v<&G_mWdmc8jGO`hGgxkt&7pYdOK?Ake`v(NTCz6=dp) z{L>q?wDUzdhNn(k`Z$QC{!Kv50>{T+TtRNsjSdec$q^ z^6ur$o(w7|iPuSLPlh;^rI8;KPm$A1m$%B+FjjJ^ z?5^8eEhR#OgeJFD{jjc9?@`OoW`BrK>_?=YEObc-Tkg@*fbz$_Tz%WUHE-y*LepzQ z1xXdCUQk(s7KF4s>?AUVSP84sX=s!?cJH-^7mX8_bau%z%k!JMp(;stjKNylpcHzq zTs8yUx?fcT)12rxnc}BX5Gh)!eh_T1Y|zgk-x|q2PaEvCX_qo5gj8R$t0$(37KMiVg!E=7q+67L^)+WWtpD@1CzOueb#KXq14Dx30_~;wenx~xmetH zPak=u(C;p0H$c8m#Q)@~TvFr~y|%kwXT!KiqsML!LReuzk{M)J{0=nH6)l(MhU}wA zmROVpC6rhvx0=s8qw(#4=K6rsNki!VMUj_sHX_mu(zE*UCwIUma~zGg;5 zv)e1#wTwJJ-@0t^4n$QtHm@QRV&B1aTg1erNlibqa==c!>nRhapu7V#|3hU}uzx_0}tg!v`sUNIE^egxUD}*HIU6IYr&%l+}TE+Pn>$!PKDd^Ml<&OAam3 zQtjXyF`UJf`vU%06)QYb%%~97%&EODKrZh6ux7E?7Jb*}f6ytPS)&LqcU~h7 
z1|Oc>Y4gSr2dA3bv+8M3+D3(~-zH9^S5(Agq@S@JDrA|B#T}9gq#6bh2g^>Oc!X9A zjcj}Ei^0&meWiI{#CgT{3fcd57aXSX`G=7B@BUQyFZtCT@Qz=Paij zf>s1&g8b+LO9nONv`3X$&I>6|QTCkNjH0p(M55&~NtW5kWylJe=f;sdYz~{KO}2mqA$6NX*V{CL3PFk0hUsw??9+ z9Ft2WdyZCOO30Y7FaB7*{AFCzaD-`wu`I-!%9;xg;d|sK%mr&mE;uaLL#BPs`nmcC z(?G1r+K}aZCQju!*ifZ{Jv_&vQksc(rn~k@DSMRnr#{JzigiF7FUGL+x)mWgwB-&i zhLj;;I52=Gz0&7NsLv$60l7<$OKS1s%&!t%&eitr1Uh1^f8VkgfIREuty4qZ!9>pH zUe#ZDwL1DE7g<%=`VP7Zj_He40}4M5l#FVQKX%!X7De_PnF&FSGl(+uLYZR0Fkiz= z24EJHT#MX>IFtMw8~uFrYYib{6lHpYM9GzT6LMH?xvknPLi~`43TR2E~Ms3Pmim1 z(mK663SumCT=>1xy*jXAorxs9TT-)!i24$c-^7T*!I{97Xesod(7gPwReg|^X$NM& zVj5GXkk=}>rw}xe`w$rn;UB|1J%k7tnisJ<^nrXn-4FRG`F_SKSGsh0&%s2ta+jJU zDu*}H<<)r57}UUcMqSv%ytX#53cdIb?Kk~vuQZZ<_$O`NK;yNWHNAnRdT3BIB*AJ3 zX9$oUQJ*es$~)j-b~Zl8Hc+oO?yOR!GGo+EEs-hNYqHA>0I?P|H9!=*QdK0h%$9|1 z)=Y`qb8OLn^MEk>iVc2ldyD2P1mE}ks1h@7$(`^A_gubsM|QRU!`-#o+>&czTtIrB z!9IoPRg-1`0-k|eX%;IUncr;KWTuWHj*Xrvtj6-AAxx)z2kb-dUo-5agUlh(&*f3c z?F&T^f7@k$+AVMX65J2N5{75y;NR9x1eHqGCf3Z7&&8}*s%EjuKZd9~r9qp*k%iu0 z&X-W0&Jb!`ULI9I(@0SXh74bgXB&q~Ud{N1q@pI0)yGif{F66U3jz6^uH)5A^OYM0 z`Z6T{i;Yf`HW7_Nbf$^@<19icT|Yt0EeF#S zxug}xIJN(`pK6Gl*?;bD<#x7T<#uXS6u~=T7d$VlkVQ&6cfb)+HNAJ2cc33t#39pv zjGuA+jlRk|K~vrtPT4bz z^(2L2*i0ZA1eoU7p<_zzZ)Fq#Dint{cros{@tLiYjjiwZ_AXtXvhEvp%l>}typmx; z*;iEo;|zRg6%XQB+6sIHPaS@Q_6C`P)15USmzL@TImvAP^+Watb|bQKAzz911^YOa znKg`Ql{g zw1uYn_;Fyui=|DQ!sMH8Msz5$1F6DwcGH9vu#gNwDz`qZ;h4PHdm^0A2=YyIL$LC? 
z)$#7j3%fS9es`_k zM#9vhfWR*aH@_}+Zkpb?iNPyCnH>37p*Wt9)IGYXIkx64MOwNcjYM{p(PT=|n*uJn zqrk0LpAo{FXtr=*(2;QIo-+FnxUWL7Y>2;j|L(^SH91oixeDm>-n<)kvCnqt%%-%@ z`o<+9Q970Idufv}WEl~=Klf6RRHxn1#0f^(!Zd&CBqPjnFU?hCyzyKhYswn7W>T#< z8i0E(SCuc)m}*cx^h|_ZRDY+j5-h@gmME7fv*$QZfa>5(akz4azLuQZfseNf+RrXu4iHGKupJeUE^Wp*g*^1E}#fGsp;7{P*m8ci*?8p&X z?2OamzQ)viREqAx!rpZxViZCM(n}CSysa^u_7h_bKKLb6{9eb~Al#}D|`^(Hw5Py|WZ9!V) zJ-bK+VUv5!=qO9+atGqoi8%~gMXEb@`4=D!uF(=2d#J^zhLZZhvk zoOd(YWWdQ=IIWhF`c4!&gp7?`BJgTV%nZMI+P1AaRlt{B(@pr#MBncF_Kxc@rf zbcviWfCas9CAjLenXW`%Q@M0VH zqM`>1re0f^K2pmci6~}?QwmLu-cZ*aiIGt&jiF944zh$+bIicfJ@8C=-P3!DS31Bs zP|I(bm4l@9Fn4dCc9B}ve3yte#!td0e9%}}hmnJ7$Xlv()O%)ElCI(H9xJ?$m8x8h z&Yh~c@jRz%Vu<=S&Q^nK(8zA6$1P5gVo@QT$R>l(Vg3j-L#P34v=T6v0WxTEG`?6Z zBxF!^1g~D-NNDBa{>a#1^$7Q&-0wm~z@H#DQ5_CwvJma*L))|g6x7%3;wgpklcpM7l)eY>3YyZ~>+mKUT*SxsA zB7)l<{q!my6FyWWbGlG6{~!m!#Kl?Ba%7={VB?)yqe8kei)ji>L!?>=Se6O^xvXP9 z?`xCNa#!bl1oR9Z{$<%2PT2u>tEFoGKDZT2WaG=FEY;e@>%ml8Lo?G$_$9u(!MPH_ zWkEH*@F$VImC!IUau$KO*N{~2g7Dczo;{!!BSZ7|=9;8}GS1DcS5|?2!P{u3TuA$T z_($b80ai-ay9a^40eRmc=A~n%658rv(D|}e9@arP2DDd`j@T})9@;i^Hm?)R&(C|d z@!DU)PkS$2pxASzzKf3QV{Dq*l-TZ#czdHVq<~e->6Bt*V{hDxN5el`_^Cj#=P^bY zq~qcBU2?pmN8N7)N?d`yCn7K0tb-gxNzu)=U5-WjVY6VJu z3Er>msd;DHl&v*>D^bgT=BLBdooY%A9fh7(UyV_lR4GmjN$H?LApKo{`mWpd91lOq zEF1cz2^t4xq79Mpm$f_%rdX_}02H%ZwN}A$CC;mrd0G43eCCWTj?HlgKe8X#>ALHA zEA;#a+$715ZBPKtPg~gPI9>d$6iB&0yD6;MGLuKFyIt^8RcV|qnRRYgbEFiQV^FGf~G&sC1le6L(rBA}^IKbAK^r%3>ppr|c zztT!!I~?;L&qgU9e=Arp7uG|qjW-PT$d*(SWkpdHFpb`-S$L_#H{-NJk#pYYc`Xyi z1Cz{-Pe&Km9BBGWT}P0t57A(YkE_vmU9j@`KMLl)4@`gU#6O(PooSFS2mGVFoS|-M zPgT0C=Vaplb1^eun2f{jEd5kofVFGG|JwgWtDj>CBg#`V*wSwHrB0}w@E6ev4OzYU zZ6R2bEB4;@yw;6CO>LFrY)@R(7PS6Pew{n-BYqt86N#pJ+3dsd1GUpG{8M(1U%bV? zS2JGQ%xP1Fd~<*lenn^DSX@>V&y=ytX=$DhZ$N9n-7eJ6Owv&DETJ36es3Ve7FW~$Jau132e0u@c>x`{sjR^zuVj+1xvTWI14RaKV^A1hbu#eJLQ%Iw* z#l_JW4EYOP>7p{yK<9!6^Y%{qm}!*kjbw$eORVaJ`ZzzL8K-UZ)Yk~bUl{WP=fT|MQBcYYFsaRhWmCpUYobxD*FDEbV0sm+@=yHG@_^p+? 
zl@4}up4E4%8+~?SHT$(p1kLD*GL4EP4pee|MC*m!0uCEtJ=h)Px8-#;0aFJ7biWX> z`kB!s?mkv(y(mASJr{(@XBLFezI1@aS25F&EHkEIOoX<%uUd+H z(^`${5N%)!&P?yQ|}IY_se_Qst%Z${wA^VPfsNDW5ZvK#A?qzg{I_Af&DM= z`s}6&Y#uIe=F8Vih&2!xA7d~I$KB~7jD7!6Dd=QoWR5w{Zi4*n5zE(h3)Jm}^?uq5 z&)ru35vfxyL2Fr|Go%q2a}hCcAi)_A-Dq*KfBmdEOg&SY4ZQMH5Z5Y1(x`m$E9|}V zxWE%KeVSS`e*~6hnp_h&PRUGMn3e7lilAihD%I>|=N~q&#XO~}uyH6gfq5v0bsl`9 zQ7Y8R*Phu6>u)AYb89#9KA+q^ETt$1XrQ*H#LWO4E|`USUPBU8RR|P3^y3XSs)qBF zUH>V&xLdFQtlm%iuh$8-rufrQ)w>#y;==rRj469bZyjXl&mzGU())-P>zaXgy4q6A zHIH_n74UUm^&C+IS8&qR`Rly(iU~0ifXF_2;j44ByZOBK%CqCG#^lQ86ESLX}HPq2}%ozsY z_FGBN^95q`NUaQr%@dDQ%4VFDZdf|dTBq8$1mKN0P0kA7U1#iaH0e>!5Eiyb8xl%)fJ!YI3C`m{Bn z5PuvpYsubsA7qTEm;f+8GKQ{VCfOtc$dw>z-rmy=C0AoCW6(QQS?X)?C*+6teg-C> z@plunu@Dy|#vecY{K)E#N@s@@-da0m-s6QY0g+7}0X*4W03kJQ#;MR``5+wqieM;u z;=NK{&BBbzr2_rT`pH3JjPzdHFxd;y3IP%$D(({%=Hn*}loumGLy2kK+8u>ehjl`M z@8*`m_ZnQbU1t^2kB?+E>zS3>vzDhH<02W=;6|{)Kab9)U?^*+pRl-F$`pwIoQUP% z7)u>1e)91`2T;1=_d?g5 zI!%9pbkw9yW*l}N6lY=x8J|d&1o;X3!J?du-W1%K0VDOra}vVrSnC%{0d;*?Kgq6E z;AWImRFon|_jyS4%sTScQ%Z7tWpHOucQBw9+vz zw*4|7uW()6*$^%+W`6*bpx5BVlN^iH)OXS>8zJ}L#CkX)5HEh-0zzO0*mf0aIm(dW1Os|^d`E4T+MAqn9{ya&s; zzV}@;J6M|$y<*9()d5cp#>-$aYgwU0)jvX=$Bb}1n(Y^0Gs5Ax!`rn=kY`Kecz>J& z?D*~fr8pF6?vtQy!(4dg@nxej9H9lxG|Z(`sae-o*o=D6@nGmu$yZX%>qaEQ@EWFw z0lYsNQb6&L9}%bnGucDXCc#UpBjZ=2lKl|z4|mJiDBFaX7vqQ1Ot(+CQ&OnzATFM- zzFK*g9B}wWe@Hzb1hSzSj_Lzu*f^7vng-c62Uv4(+FhCCr*7y{byDUAo&Q7=Hv}9= z===f9BQO6cZ++gjy%kniaEOBpHLBUWf%D@fx&LKMXn(oqgWT=l7ETzr4I8+H6$WVg zv=%P5mhJ~7W+{L1Y@--j{9I+z-26~c;QrhceEtqB>VUEjM?|S(fM9>EKS{D;djoTr z7Q~eB@X1Up_MW=+TbmH~++zKUoqCgP?cv&u5 zg~Kv+oKGt;k5Eaz_F2qpOgB6d7g?`=fEIGK38Gj6OIW2RA$ilrwgP*{zeYY6ri}C7 zq0!pX9hbMJ9wV%pI0v|Z7r~X>B}G&s$LT-pHkrvc+Ff4Q&3Mtda69XWO>k2Tb@>rm zI3+S5q<$WF?xI+qIZP`$4!&R?uL$9_919z5`l0{tClPf9CZu9LzEjkq1kWI_5zG=i zU>oK~2I|@^8xkhK6KVt(Y{DK&-K&0$W22C8COVZ9=_Xo=m_ zcF;WI0C5H*I?9e4{{0c!*&e4T>;rO}L>=)$y-v+PkO|=4tlUw%+@>y-&R&mm_xBES zd%%AZ?DD5$=uAI_A3?skjMZgI;fan5ME4!1W;#}LV8ljcATSpn&ymH`86wg4pB5zl 
zw<)gbPWCUh1tpbc`5+$Vt;FJH@1+8qDV&x!g_L8v$#H=9)1(}>dsZZ7$9rqHy2HJ1 zpUu7k)xV3LW?!2&oGD{!QmU1V;i=}nSu&|7lSvdKZtxC4u>n7_|Rj0a|5pqq6COKMj_d@h$S> zt1%RLWuWQw+!UWQZZ~@!EKKp)U|2Rn+$2@&`rVallcv0e6q>M4Zmf~>mo`ViG>iH*w&Kb#sPWP}7iRL#Z0F&#`7TOi2$nI{k;SLGOURSo=cPMH{2@+`Ci0wk@ZM-fbM-x} zxW8ZKajvqoGv}j8-dN5Dm>3Sh_UP}IwX)h;@s<_kXJ{tY>tx1 zamui0-uA>68&lLzZU|m`V+l18Ocx~;lFv_vDIvxSpPO>nV!YHk->1Ecm4f*~f(aL_ zG_kjqcfhvf7A{|&VrsxvQx5HrWLZ^lMses`ZhPtQjV?_8cN@*}muBcc;R7^}e#VbP zQ3Nw_(J7o8*yT_jSwrn2tR%$7I3xF`x$k-jM>-GF-e-e?o`0mmd)vFjF@&^Nnp0Xj zbdas~cg80hQXNF1zkgL>-G3O6XcqwR6aOwX!k#w5@e3vDITbeX+4{O| zr8N*eTuP$(DD(K6WB2s*0#La{**#^ws*$7q;u6Qo&^{PY}fCiey^bplua zTNj)-Tekuks?H-g3F=E4>3J>3_jht59~=1s510Eap#aD84gV5~E>}IaL~*s4Di`#g zOkw(d?Dvkbc`Dkms-1W3udHU^0SO%;zzED%ny=+4luSR~rt?rf-$3Hiw&`6Q)1v=V z(R+mUi10(SjcL%1J|vUDdL%Yf7o+Ee3Rlqo5no~m?7e*Vu5Od zkcS(Y9ldL9MvCc7gIv_(6|%X7^k7e?NKLNAW43L9*5;gdFC*BlJ#A`rb11#}FAT4~ z^b_Qk$IxEo<9|6HA7T|)#%PWdS2BF6L{YtPy<~X}NjA{oyr^}yx&*|bSb?&BGEK-D z6ifKNL2lahgEao903}nTdgEy>qD*q=6dzsX=k*@(o_45xrO}{axnBw&8KvDg5G_aS zVZcqG>0cNqzZPW`5)8fQN@M;>8ybCyikTMs~N>YlzL+n ztKi_S`d@YGXAg`fB*uDA$IP>5pEmDS4LsLh3HchS{r3i2{dLZNMN&$B#Nj~99I^WW z1LYmD0_C~6-NQ5pW5n3e$#5wt6B;4~WYYZmc8G97jw*e?286&*{8i4*d7d?q z1^2AIu1_CR3{C54|9kt5$mA{Yj%*40&$s{kNCyb>90W7M_QQm$r5^!wf+-r7_aE~ z7$7snpCJwOhK!G4c%%)AnXAC1)MQO4f^)v_=_mmEQQVRyGRsf^cu<&UU zP{$z*c^emkwXJKJ+u3$fPG@MydGmbNKaazvFaNF?&rb)m?D~?p*K>aOY1tv7!Lj zFcWn#T3=>ASAri3o@LqG1f#w67@J!;lY;CY38ihrZJ#pSYUx5UNWyi-lc4}+_|V3I3t=^#e&dqc)+ z*)KpOSit_nj7|`^ZM}exdAoyC@^-&|suZ2#YP4PRqTeIJ=U!I~y!;`pNIj6~8G_ri zaSI<)V|S5I85Mb_u$gVYy}pbxN=lllpNty31{E)E65Qe@;0_ZW z>2B1#T}YHX)?`q-e-lj)J`4&wv1vuZyS#vc$j$Z*2R?B*G^D{aymo*HJD^p zOGWmAc!lJrm`sdLv;h3mAC}k43qB>SBfU5?h&GG}HvW;)KX0b|SA1z<`#&0e49e?O zQ7B3qjYjz&5OftW`rG9{Cp}y!;?zADA!R?#%PwoA9(g7Jq!_cF#OMYiKx86IEEDXg zbqo&XtqA(mg=3@L?Bnh>GSl&FF;rKC;rn!Jj}P~i!SDX1#Rr`lArQO}6`TK$B_^GI 
z4J-0KTXt#wlQXE!4Se4`+=ebYP(cfwQX1(1kf`?Ig-e|v@69teStmniqH4iPMx0qtJFzK}Q6f;YN~w366n<8BY04_n9)XvQRAAtxzahR2l$3rmgoRFRQC@|60!|VbuaO`5|(qk^l-In^ikYXcGaOC0i`go^^Q@Mi#s# zRitbK&^5xtS@70uBnj9?qj@b50SPP55IK^W&$)fL5HOZ?uX1-g=_bZtBSMGkp~9(Q zV&Qx=?QE$ifKEiKZm5x&QBo3sfA)8bw=zQ!V-e`jghf@iiY!yVUr>Y#>=`=yvo z?>Ld!ahuj5=^wN)y-dmwFPveJ7dh{LouIzI_}m}@(b*mU4WjO0B7KGY1jqE}%{%xp zFKHc0^%8`XG}k?9k~vb(RKsL`AdHR(GqEJcx49u-`@od^ickOarBjG$8K}QhvZq{r z^rc*$j|jD4HTkc)P;- z+7@qHr*-Lh39wch5r(OI$c$tTyTE)`Ukk-}rG0Db{$*s><l+H%MI znW#tp-o*x}fJ;H+Npg)!P(|9?h=Pb9MNtT#fRxZXlBj@4S304JQUU}-nsh}Gq>41@(ve<5 zZz8=5p@)Eg)X;kffjjek&+k3wp7q{y-``p5o^|hC_n*D??EQS6=d+(ZnaoTwdwLs8 z!wRPVe3Z5Aj~jYSX?$&>d)pnoAbr%|W)-;`)<;*Pm3s+Rm8O+eQdr*boh!Mbop7I! zPq^=a_B}a#m2+}qk$cZc3yT>n$Hu)Z|F ze^u8*I`#s-uElsEL&>Z3oI^nBHAo&QD^~)$YoVcWsS-D{zEJhkbt3q?@7P$ui+j^q z^g)V_UQZIlTCu{li+xJ?fk%uVwo1_~1=aaHi_*wo^-50Y7=oUggL$Jtlh;r}dHi@u zMM@ptX{ClANH@OS7Mt1r zVHLCY<{D`q5<8m|e#Q|w;$_mes;s^JJH)Zp#D3LdoPG7eV* zU15!X!~?C%NAXE*eY@XB>a^-5fvV$w&MfX+TMls9+iSNelf_Xhb(CQ|uqcg6P1?O< z%7`4_LB=PZTt+w)b;45fiAmCHE)tb&sKnHIuIpi5jm$14g0o>Iq35zyx|dJPQ~qw+ z!T3xnL~J?#ih5>5vax|SqVwmtF7N_I3N4NMA4AGMY#Wq)*tKR)(9A5Ci<6iRIY{8BZL!Ez(AZC1x*+51n#ziU?_JT%I2p0 z=%s`d+T1p&M;;zKX;I8;v-dd2^>1XZqO;PYeA#F-(X#E?1Yg(DD<1bvUO$(HQ{}{D zo<&Lx#Pqr1pXU2B(0HgBY9qg z(K(0O1G!`$?ghW zpTXH*KQib6OJZ)RZb0a;rsJj=23~kREe+R*BMUDa=bi zppBEJtNU^sP1I#=O~QcWfB*3uljV?H$^W~}R{)}`5{!3F9aT16!F^lvOH81|9nwnqbrOmgGe|;~s&DiWZ^4bg& zaab`BaR7D^asinif~(@0B`1!UFM1>ak$JA4F)0$4b#;F`7`tH__iAdFr%74G^(vk* zkbckmK2_n9b5m(<0XTZ>=T)_=2Gym${^su%?vjYIJmnc9j^N#f$|nw97)n8%d-e9C z4@H+<9AM7v?vi`??vftpV7XY!IQ}a*_wQ9b?vcMZ$T}EqHZM4xmRH+jI2pJ0i4C`= zro+CxCT#|ao)T;ref9Q@BTt0q7c00;-6Xth_kYN6Nht!yGHmx3C-g#FVV)WO=~%9s zzz=5wZQFT@QUdmfVxt&%x|l??vxl*c|0S1+*Y{f5 z$uTSFc=@^amypZv?Z2_Lv@(`@yewd z<>j=IHpVO!-dz707Z;!H9G2|9-LkAc;1Eq^>+zPdIXrC;jfj~{Xc+1 zz+Jq>vKYdt5shG09f)pLnZD5}JXI8Zc~E6~Ts?;Hge7|v5FQ1D!~Sq(j;_Z_qa=vC zgQ!Ro6=S!#Xm%ye_sL80Ejt^r%=D+|B9}jA2#<1d(=SsE6NR%9D(Rksay!LkDoo?9 
zJH-O39)&F4mcH=8Q0Ktx{srJ;v2?Y2@D1AXPGV`FuEMCp>}`2HZIie(oA)uAx#~Ih zFYif)W~YdSDu%l{y1g-Huyb|$DnTi@L)ykYw~2WHpWs?6AFv<9*ZH(o9$tw2_2%#? z^B@AcwarZKvQKpPKH1YaonFji`>i*9n#kgAUR#{vmn~4H1Xxb!F7-uQK4bc>EHJ1m z{49e1gzHUa(B6bjfvsI$Vwd8HBoR<1g35m)&)@g_)89>P*#NohuKW9BsEB3CAltv% zLC>_#o3Il+T--MUb7$Wh=a88XJXMcTapJn!_-OF)HnFrJ9ASW&05 zo%c>1&E(<1b)_N8b<`%(n-|Nl9*GZz`r{vD0Ee)K6g2&$-(hmBd5;&Ib~^tDcHQQn z#8Yx^PE7{)TjHS1@RYc|Vma(PO4^)~`3SqbmYvOrjG%nvY2XntvTCtZ$s-`2S&QEF zG8ocfl&jsU87QnMPk3W}Gn;X*EQ@g&_?Ab#errX&=8o*>Iq)nwTI`2M99m|EZF%1( zuC05+4S0Nlao!K8-8OCvnzkhnHmkOOF@J-!tmrK#^=y3iwokX)xcX9)LN-Me{xv0U zsQYy^+HzoMxTZ|agPg@-D|L8_CX2$~Ig~=Z@=+AQB5qGo?|X`vo)Tas{Eg<-R}bM| zV=+Bmjf{B?xrSf3e3Q5d&4Px-G7H#nawW>{U4d`vvfrjQd}J-%KT1R%2;2>5KiMyo zT32I$m&r`7O4vPQ^5Bd!5rpS`kF^j(_M(O-a)YR))5=`BY+Myk6E0pE4i>jE4$}Ip zR`(?H0PQ@b@R;$A--ae3bw8#gAmYd|ZRv-!e|EkkL}tTFw$3~Bthu@@73QH|JzPx< z;JIjX-nVl^S7=6ymAUASk5}ie#q|_}<9xEQP8gwmR zpsUY)8B@V&IjiK8xB^V(N`_*>rA;oi(b~H|7A@{CCZ6C`ONa`e*EKmCOz)rWvt{KC z9I&1x?%urz>>)q+Rs06yLv2+IisqnW8A)vTQYcR*(QVaaywK^nd7O-_y5EYGn%`i$ z+J#k&W)S0r)jFel4j~TH4f@6&hFSQm8cGx^*Q4| z>vHt=4+zgW=eUnJ-;+haejrO4eN~ClZjDLQbE>Fn!DOc|MIx;}6QOBNZW!bCZ)%2# zUO9z&n(Yr7UUbV~`DhI< zm*vH;jtv9%Z5tw3Q0%HHQ5MJTc@7Pn;TPhL%C@BE(56;Fdsc56Yt?IyW}OoSG(4}s zj{BQA?|-KoXAT;Ps&DPmNiKJCEuR+7Tjs zH{z{&ZvYe3!q2;3Dy_|ZX|T3z$M8;Fk8V8G*mtL1%SNt=HGI}|#(~8t)2qsj*cBTV zKdE|l;&H&PFkAhTH&`*_V`rkfucG>$2NOa0!istG!r&>yjD^xegp-vV9(#>@#6>MN zb5j9T&zoE0Txes<%;|~~n#=g+K9a!-T(ev%GmrJ(th+G%r+Pt7a@yYa(hSj&xqUf; zgvDVOFXOYhE&#joPY;7fpGSgH0>5VCz4XJc`z;t; z_XFnUd2f(0!^qATPp7`Uy_fIzwkC_>F9{KiXpVQa!Aq(O0xI(Z@!bf$Xd9h@=)#bG zVEvoaVHX-NsOlOo_s^DF{*FBT_icH?0q^|`O1jzKm>}%8jj}l{2G0NCM93QQ!DZRN z@51hG+Sh2y>C5F;)wG5R)K$in4L{`C2Pq@!uj<6#jGX>B7;^nJkko4+sgfQbsqURp zhsebv^F3+Uonu|pxVO}_bN0`EhI);`HfP$TLn_+Hgu*v#qiQoYZ~+4K?sI| z&&Z1**J`d3mYA)uJ!O{Ir2)>gSo&H%kHyT9g+x5?X~pcWTZK<#XHQy3P^P&WbcK%O zJJ*U&IV)g9QK@n`hSb6?_JS6jTe#uUZjE2Ub5RNIBT=^i_lHW&V-?owjwceGyuBZy z^7J6Y$qN_Pifh`!O$7p{vNZ%U6!-(DEC`|qr|%OLxf$Gk&g?KDv@lF&DD7U7Xx~SB 
z6zU||ww)kK%qNI?puKhn%^4LOvIdQI`=mxk8HZehrpyDwHQH%xkd0-va!lz4RM_I| z4d*(>={ChbqV{EKrV?up_fiv>3gk52w+lmsnY&#L*uzHnc-Eo|Qo^=22_H9WTs}wOB#c*+&?)))}lKTQw5{pKrrcbdDbApGP@$u>PevK5iC%_c- zcMH3sEgc@s8HLRH7?MNtLo^ur=#d_u@GS^r%4j09)#_@QcC%ab8;F>R&DWbF)AyDs?5pfuiV^ zjGyuiL^j>kUg*CGk9!kU;b3*bFOuiqyI?3JuhzW zXJSYu1#W4>`GDVJj-@>?+tLtV_YQF{dH#*!)3m!msT3DMTFVaYWFOLr$2pe#!E{3lVSwrNdMYFY-daO}yXfjl$oD^3GGxU-# zNRnHoh>?psqI*0K9Yp*!nzP4pa|J{!xXh#IyREM9AIImV9N=`W6wIAV5EV>G?n?uX z7u^=idZPQ+q%(Q4@~eStw` zC?*=S^<5OYl&;NWXc#T@5;dO>yj^wsmf(crQ5Vei$Y$31`hYT}X)%EvdY`7y`FyQI z!-*>oF&>&IF05P>@$msOLtgIsRfsFGx6yoZsx@0*`1v~)aiT38{=y>GBHy~#f-7mG zMpTm*N@uF5Nfu{hI^5Ti;?2xL{lWKk&Rj^e_ejWa%K+!O=!F9DVIm%f+HJR)t#&q9 z4`Pr>+Gs%w>L%Oqxt*d|yu^H-c?@S>CXjM%=o8Aj6UD6JZ$OPYyQ+zYR|y&8$C9`oVVjl}JdH+Vz2h^pGFR)w5gYw+L?*Trgaeh?mmw zxY8Def@%pDb1aPLH*vzd*=>I{}!U zHx)}7USs<{!szjckF%!Cj52seM4-l#gYg35W!U$}!fpX9GS_Q%ob>Gtt_F|P@f&JM z4Kozj*B(B#OZX{aB0ms4Tx0L7f5Hga8Pkg*pz3ca6wf69o;Oe$-* zUenpX?lN~A>p5~f3eLt?`Ub(biV@Y?@ z$JBA3h6zaFNCqbXQR&l$o>0uobpy=H>xv11 zI=Y8H^^;L04D)IO-)MzKFNn4vuHVuIlF?P9#hBh$wH)R*a% zYuB{;#T5)!0Pr<(VWqU?MnQFX#p|gGe`xI?-a+dk``YjMfH;a$UAD&2h+AB3lVzN3 zoMGZLIa&s}pB^N|-U9P`*A?dIP?(T#2=~4?KWpagQ4<0j`1E5lyRCbhur)EE_Xb~m zJ*?xAr?J7%=Nh*gI>s(={ZZ_!a;)i*wXLxOK0Hm*(Y5iHM%-_TAXeu!HaOplYVGF@ z;|o_txn%ftDzQ`>4wx*bgc)x=rl42HcRuOYESfARK!M%5hhHUrAl~?CbODB8KUdtJ zzqV%6*tqR0>OC^l!B}MLuAq86U_m@+fhAzU3s;i~yHZ`+!u&A-$i9%S9x`%%&2^`t z*1o1llY(QOp<&9E*z8CKER`-6$0w@z8+OhAhVv7v{* zoyM^YCcf{LR%1OJf?pppR*uDGG6OGJ&QdX?EpQ{|p+nd`xrw_lzR%N4gs6Aq|&|-0?`P#8$ z-aK$20e%|q83Eu{uC!OVy0rfJV+R7h$rR1mRyn|F!p~O*AA?4W^pK(zf?Ml)!$^p@ z)(8F%X}db3N00GY-5ZbR+i&um=HJZyl&G0gbd~G6Xp$>|E*E0;?YPYH8@Shf zb7mRoZfv|&Q1y7$$>bc5*0TMVJ@jVYoM65vBfh~CH#v+|D?@mn?kv8PXOlHi-$MT) zW2@oYlDDjj9Td3h_(GV`#_C-(Xw z@ZmRQp%U9Z%{e#^7hkbp3~L+4VAA1?ibpTT$qd~gpF-f)5``YIe|QpEYRLG$frnCH zv@qxW`bY(Dxeb?}Ph!jVbzXuRnXKA6gXAlMSDgvfkkZ!QEE2vAnELQ27dEnwZ5#{|-jq$ABq##7GAjiDHD@u0iirgzO#w z|F$mJOe>&D+aXlu`y{q)6Iw7Ya|VYn+Bv0u(=MZ17gab}e`!X#S;WuP{o$mEY~neS3h<6J7qzt->0s+K&L 
zs|sI)^iBOigiMbwF3ud6-Un`!t<4rC7UCbFjhQ}T#txUJa%QVE-7{B*Fux?J7kA>y zfOp3_S!vaW()S#Q!^+n3*-YjeSl9HO8}wK8hgY6bc^b4?g|GaoKNaP}JWLTkN^Zk6 zPj4M{Fvw$ji9S3=jcxkCJA8e@Ww}WTOdZK4+S#Y!zVO6BNMD7os;#S@9`ZY8zn|Le z(_tre?&@rctK0XKHcy42@$6yO(Tue=i2z0<4`!W*^xUncUI(kcEgqWNXhS4#hKul* zS!QC5e$g^IH&|R&K5sd@3_#nP=GB`&qHMO5UCUJwbL3_%#d5* zRwQ=UmJ{fcT=wL)qC6j`$(itya2$*7pW%*#9)gum_W~D;RNBH-FfO%NKBV^iLny8@ zjr1SJGg) z1~EW~#>&U|O{yA=a%w&@dP5a~nvLx{DCPD>rz+Z=CWF*@? z(_WdoJQ5_J8DLqrvg4M0@V&Y+YubWGsff%z;c)YMbJqA&`7+tI+zTp)&c|X@0+FV_ z69O6AnSagr@1!XCx^LTipj*gr76v0en?px zTgqb6Du4bVlE^-2U|m4U*BMk>$n-~+Jnvf@;x+Zjt*m^8&GUI4?(NaBl%f#UyI*SB zJJ-#2{TY>(qt?c9y43QA20B*bz(N!0UCa#M5!+%rc^W2iEY|l)n|AmYp==G_eF)T;>;z7W`mm0iA5 zVT}5?k(7nWd{D@e_5O-V+LeQM7$+R}>&k?~YloHVn3a@a+~>H-F5tV}iX%-${VQxG%yh4O?u^=nSlRq~jhMD|>OU;AQ}M@ifdXp1PUV zK2Mv)y!5X{yH+No`_VMoXXs!M34ZIU|l{;0GrG^3Sl$aB#Y`^bq%4Y0m&mD)S z-BG0bU~z}Sx;MMUB4SX;e?*fpnnwI&K-AUPKPt4-?bBAEU$LG1Stx9P!?Ne6w^Y$s zo@xnY?FHuN*9=7;&1pH{)kOFD<)(AOf;}^_Cy)TWWVxN8rz$?tM{;)Yj*Y93WB!x! zWnUwf@QVdkTTxnjylKgVPWK4S{Pz_{C7ByOC&%KwnYX+pS&G%d6Zf)pY7L5Ned=@M z^o(&n%n>Lv7omJj;L&E&(t9DLeq@e{?Pa=M9( z3mOfhVFBzPEaYgcw?3K3ykObxc5gMY2r?eCHQ0g-=JYEzibVGNa*d;LsA(mZ`ldVe zF-bp3-9fp&FXE(omb^5{y$}ZlVbkORh7PsiNT-Q63+)`_TXM}ycj7zZ%Nm4$lj%l7 zam#ljUdr(dB;Af0dvBUS-HwXf1dKYcLZ<{v*|nHZgKw?AUT>P>UvstZz3UGzJK0a0 z`&=mLMt8o*QF7QwF@sVlCF}BJSo;E1^Ti{_oXRb)zRD)IxaKUjmGnDQo_DU?xo!?$ z_8ocB(QmNvm7#|9Pi!dLH!FRUjJj9TEfSOB;eJ_EiI+QlHokx-S!*0Xo&UR z%pvykO*%c4ZyxYZ$fMxq!YA|nuGBshyE@DQ!sAj$X*)9HMb(ZC*9(H-XGXq1x;0Ao zFd&Bu_qA{@Yo8NXoDs?xYF{aK0)nZ=UP4iGRIvdrqhBjYiy!wauJt z=SGOR8TB0+&bFd0xkg#499S4qvK}c3BPI1o0guKRugVZHk}JE*&HOOMJwoaXMxZv_ zw^0fE)xL0$HPvQGle>J^vC@5P#O~f?TOd3UaybI|>;&ITY5c2+f$HOLv20^y9b9J` zZ8RTRC2uW(hb~RMHp-*XB=6Hz&UR+I0kcac$KRRljwCbQm-t08hm1&)@FGIO@AkhR z3tW@2IUGLpnYXzMi;GcE1Ixn2RQ@b~|ACB71FzG~N=>PEW#39j8F zJs8P#w8PHmoUYJJ@un9k+o_xFLc&WI1g)T$bj^Z%Qihe?Q1{AiT^iR6tsO{vPF8oQ zRXecj_(Z~-jH{NWz_I3*vE$ceB0M!kCvU*<@8RhB0%^eJi_7 zShi1_uiwbUthCLDZ*lu@Ye4#h@>*f-w8O{IC%pkH 
zN2KQ83&+CHIEOEktK*#q4NG5sWOceN*XJl;Ha^~V7<|kaeWgM$Rf`R!f%kHiZiM0_ ziy1kl0lkajfSy^IU*tR4XD|4R4F-HC8=G#zmF>zB6)Ma!T_sHbUtWO9ufQOAMe76GjKp~ZI5&ANb z#a4}xufYcKm(-=kPW+z?3w&dC$Z8JU+siiMm#!bukh6!wZ&OLfe@KQ2#b1Hn_OBxW zw=D1Mbpt=K9|UVQ)-7P(KaQ}Uh;T2zm-`0GFJEVyo#0wywKxY0ne%zJ63ggoGuf~I zl4y}N_Hw9S{dhZ#+Ra9IaQ0-c6X`?P>b-l{iMY5vsS;_l*DgOE?(4PZ=#?ORf9uM5 zA;7~vx^uv6uHySnE}8`<6qO zG!xYE^k?JEf{N&GN6$wKM~Jv#Ym-?XnR5}N5tdg@9RmkPy$t`D$cucBXK!D1mohiGxx=NAJ>n_u!N0 z1)q81AIW}b3;@{bgh}Q7?pAH;gmqG!)J=PZz^}mV3VppxJoY>havS?=g{Fw@6!>YB zdtZj){r&Ni;yeLO7-7JnJ7wM1XmI~k`_ysc6Np8*>fS)A3QMCgB5HY5JEjDSU9u-`2|~TF>+~2L$^e!);uZhcAmiq9e^;HC#xJmGrqcq@4Lz}O zsz>=Z7Moj3y(FQqahxT+R~+|OX1NqXGFqgB_B1+qem%A9DJaO%_K80A{5E^#dzqw+aG@5`3bu4QGa zl(&cUF8!s(F-*O+fpQ99SC~P@xT*h0rhv`-%K?F{Slz=&pQH_ixu^#Hn8EB;F3*8{ zKLHUkE)N<~GMaIKwmo&Na+yPJryY_WFpv2-6C_cK#j1I``gOR)*{n-Iqzg-(;c17l z-Y(wQ#Zg&Ov=vXa#hqIZjNb zxz-!&`{yF3q+}WVcKZx$DO5#&{HbF^97DnvQgokKA(U2P?Dsv#JBm}9S8@OyfzH|ZM<+IzDnAS(B{@9`7a@Iyi z{$XDD@c#PCQ6G+?lf5+@>ceL4^vaUY&cMv&6;7S<=XcoLoBzzZ`FNP}scc~4F~M}C$MMRrq z8`dd1sO!)rqAe?>?cCy=dtzKnw=f2Mc>JdCw&V1`)8uk(?*;5)%=d*>mNy5*bHTRa4o&pjtlhbl;v4&Yc>tqQUPCIzLW0&7=13;@O&h)H&X|`Qi(!2h{bnwV37&6VmW1_-5aLYgSnNy6r&~ei}CYthAgtV2o-m%x7)vBz@!copHh^T)4fmqB`-GE(D_c+yVHnSHm0qOEwsX zBNj-|)n=KWsal!Tt^J}z4LgHFiMZ<>Cp|s=?OhfGeZfCzNjQ%UVi#2t3uIM6%sx*+TM1QH0|v;c0bBFFWbru_@9CFaOo<40YNg7hYopU zn|en$h=(WrNslDy{=CevWG!#3g&UxmWHYj|Ru)v>nc_*2n zZpoA6$X}WM{DFTgE*m49x;|uz*#x7Xpi)C^g1QKWPresx)v!T2=ROn~#r(=_T~yr8 zpT}6ydq#8bml|dpJQ(*n$4ksz>{@XSggwxZd#|o?7%Gv-a>4m_^5=^ac5XVJp79=E zIUCDT7+o(elQC(Zu1JPC*O@Gio~{aXW3XhM$S(hfPDu)>)6|AtE!5Tx6X|(v@G*`dWjbl0_d|--s?Itdqb^#q zPH_A}Tob%iMBRhMZ2mg*+Of`&w~2u1NFWA2eAr05AOaPoX@FYQQ@YPinf#aB|?XZi_S*#LR*d}rPhhAM_NC#oAXi9a2_0d#r%zOxNDnzu35N7l* z#9xCTob@s+3^XVqiNR|E4sd7OjD<_i$x#ZDrxo8T4rMRd7!m5g>21uW55$%n;aqBO z#(a5`kGFRPwv34HO`Ko3`@WL9dNOWh z6;7HTcaYp_ZQL>Sc3TgYz_}7h&_umD4k}*RwONMdG7!5N49j9-UMAn!M5*e(HSWI!!DZWEQ642+Tfy-B{~hOs zayez3Hl3bi_6d=d7~DP)FkL&SB^?S7P2W3I4DS_@s9qfEE_2PyPenj$a~U3!4h_Li|gmo 
z_3c%z!Ihf_kY|f<_Q#L`pj3niEyB|tLrQ>B5#qQAH-8M-0!l^5n0@%JBO@$8EE}IzDv%)xq~yM;X{L*#~s+E;TP=4dl3B z(|sP3eJfrvct@E$0NK8l-&a}2QduVbKkZ0xl)>+;+5NV6Z%FE`O4=j1iqE-@EMmt) zum&j(RwDLR-v2?zT2)dn!L?$}RUC-;*+2OAdKh**(ZNc_-pZ*V>AwU0+YVe+(i*|l zb+M{~@TkDv3mJy*lT*|EI)#vhT!8CcsgKxU+VTD$C&0eb4_t zkmvTXQP?f%&*V$5CkJP|RDxem4!yf+F*)+?Ugm8HS5|fI_5$WWZRKkhN|dGSHy)rh z!*1QbRunbIK%LRrg!Cq+km$_P@1m|E@I^nyHO@*ZTgp+Tu=ifI!wdWbwoR1>H_x5X z`V!+Se}8Z{ui6thpxex{TEa_$~?AP1S5<~22n-x;jQbZ3+w%5%Ss z^82cJhKKA~<{4dzS>@C%GIFHnw@lUwy0pI;Tjfa1@ z-zNKwX`O+Q4P>A3p_tV;dxl>A+qp|Tfe-y#V?8t0-lh6UYM+rOi^w?>L}C8y>rHTvikMGrA93c;4pwebss6 zrKCQ=GR6~VNcKbLS~bPDJXTlww|WnEdEOTJ9qODhBcsVb^OM3{|7;+=e95^Ryn!#s z9_U`{r1+N48bklq;Grn*!!o~Dy63FOw(>9ZQ=CIw{zfm4rj_Ttgyi_Fdkv#3SiqVS z{TA_1oA+V4U$O2vTQbLj3!}=jh|7i1E#u1aHkAS7B_o{SDjeug%?jBmUI{?6S2ZF^Xum}Q+V4!d;Xc@W(6n}uiD~g2!6@FQB z7V(K2ER?_k2^OEg;yYM$0>ytWqklT}|C50w;Dnij6V}25Ojw`}?PxBoVRUH2dtHt~ z9adc>qr3n} zuLSuV3x3WN1C*iwCB3yekmRpKAjxl1K#~ufK7`zz8qy03)PY07l3Jx-0fogJ#qQ1P=cNYyyGr{~gduiFVYcLlc-5Dg$MJ z?O_}MN*DfQE5;M~FO_>**GFxhW^on{e^XTh5%BK&#CoOV#b;y4_5*{C{k+NPA{>qbD?(jgZeBY zR7)CQS6{jNKO_dS{O2J&| zf6)D~gcgir1LNdCfsdd76)3<23W$LMHXy_BwSNm_^#mKMMu5gw1wiy~1Q7kB9E`RF zqesE$LNMCM_P-Kn*m>E=b_}8Z8_}%m^m9IF%tO7(jK*-_ax9;@t@KQqg0l{nQAHqH zmfxsF*Y#&+@YsZU)f*bef~NUkAWwcX`Ts43@sAxufL53PWpxv1wI66T8E7>nXf*?9 zH58nae+X>VvHkQPbd!xDK%Vlyc>V&?f;=3cpo)=gQ+W(12n7ZIF9g~FubL{bz%#tJ zg&J1hh+VL-Wt^L>v)eN_N{%fs4WZmEr4MoZWK#1{h<{LJf+cp@0)J!fQ9WQ*>|JfNFZ7jW=lKH#8-ozCF?zi#^JgNFVSaeo2NgFtdn z;3_D<3<^kt0xo9HRE+RH(g1;X3IHQ-iB2c*a_|4Xu~|(!(3bfg28el@1;l()1!A7Y z0c6oi|5Axs{tH0^BJO|)MI-!!xG;cKnAx%5yoEF%-{lNM{68RIPZjqSY$|!B|8vjX z-)(|+u`H8JAJ;JN6Pk;YJYIR;sL%rz!Zd$^onsKPYh;pTR#o~s)3%s%z6l?+o--CkW|Bew6RW*{X@Cl^84pMW0 z5gK4bG8iEXMtFcZ?ERI){{#O2w8s$xT+)PNV`xV`Caa>>9tRu7mXfR;cQh;RKg%zs z`p7FXQJ0gc?KH5o4*K~i;eA7SbfZ}lQCw;KlZDkX9@36&W3*5=dsHb7Z%7XhEbRMsO^fd zwBI0OmX#b&;Kew5m2W@*F2;=XW4{)9miP|!#?Wv7Ja((%!a8}yJnHfkwOv1!_6IPA zN{&E4!9j)9*9Uv@Zi4og<~ zLGR2v)O*99GH-wEH$i7O9+=&liP>aeElzr+@`mc#m~ItE9r-0Y0U+$cg^HU%*tv69 
zDj@9aJ5+$-&srd?89HMDgw4iminA6oJF2{4zBU#Egi&9z(*VLQU8vv&!Y-V{(gR`V z-l2j4wRb=ETcI>gjqO)) zR7n++997;rnceym!@BsxwFCOD?;R?_&@btHS=kvGa!aeTu2*~d&aK}5nnX4xB`8B# z>}2N3V7B;UmG4L2yK#fJ{}~|5)MnyoVtaoH9$2z@YAca+d(-_*r_+hkIe0ri*%^;F zy+EA;s9(J1@n!(1Uj*vptR8QMf%+TS8|nTn_@>*?yC&2Zk*S*=f=ZPBqwk*~?$xpM z3_hCKGyBRwQACbGKLw!K{y*_e_n~wE)CPn;1ECQJYXCa*Xl~Cehk>bxT&w&S0L}An z!#5d0MFFU7>XwI~0cGgu`+>ipBOtVj;Ud6VE(k!2{G0GiUeGH5)b2UJ`keCp=zAK& z8vyIr&)<7y9UxSz0)&?Nx8j=;p?m-o^}Hl04(;FSYB|KffQ>US)VH(xh?EuhO2YQ5r&cg>EusfR7(t30n*A>0BNm%GrnmOdK(~hm;vcqhYT!0s+F4nw9&sE-*gPU4?thd0Hb;bLTQXZ=x=r))k}(f2b(6m=}Bi<*GK{n+ryUN8Ou zoFBm`t(I)3THcLv!RgaFL(d{D4*Ip9qsCA$Ma8+&3>Ld&-}GMrOa`T80qIPip}tj* zZ`oi{8emd?@8R%307>nl!K9F2QW!A%NB}4rJ`rb3?OY1>yaaln6(av+^gk{0Ukua( zM_Bj^9APRb{Rp(eAGCr3G>IOxf)}*nKLeEA7Tu}#_=5x)WBy`{0~v)u#+M*tCn)^| zl;!}XRsPojcg8@OT2RIflvxM!!9jt1Y7BvVoGZb6?7@6+{{Z;6=zcId1&oHp0@2?5 zK=hFjIGSoO+6jza1f%~~0{=Dfe>HOE8Lm13h1f%pyx}ECB z4%|R$Q<`9EnO^~E6(K-624MWZ6!-$B4UEt^4jiE{V1*DQ7Z~=D8aV6(uu%f^#{u+b z8t|vhD+g@6|99kq96jKg1P|aE;VB4>4I)f_695_?ngWgQ!AAREsX(I{sC26*0BkMP z=~=wE1Gawi1)-;4;|bVE%KO?+b)*L%cZ&4K2SCO&kWm3-3slHsesS8hnwVTp}OzU zFCAc6G~Xbu;;FT(2fl}|B{yr=U%8b{tV!VZQl;%&M|}yamX+|;yxy6zVKw^xS=@pt z@W+PWH6okOifQd($y#?pFR1zu+CxO2Y}}MJ;L%#)FMC#QqNIhJ?n-yaZ@5gQlN;mIb;%^_FbCWvoC8=f9#V8c&mTEJamWcujHv!L)&chWWg7nzuR^*-q z-8M0x(`mDPgMg-gX%F|}P8*+}M``cD=QK_?PFH*vS~swoAH2*<^gHyu_-8qgo z_UNsV^N#!KY$IyM+F!C&J1zPaLRGKpirdV;^W0+LB~YR{P!NZ^Yj7zR2_KbR+risR(a`6}(QXhkbE}?hJ!F`xa$2ey+Iw zjR%3{m6Zbjb6<01ZQDa-NY+7DYL{}MJ5>J^6aL(*=x*0lbq?U?nc}rSX;XB=>G5|p zmm`eCoo-bAHvoh{d%x~_*n%~E7aZ$AYpBP@i;W(;O2k6s3E+V5f~B=+lATKqsA4j& zt0HOQkdqHRLS;6Ob++N~M2VU;C7Z)}6#n2+Wa0MjVyZ}+5U^wMsHBM1TVs7|BK4zC z^+j267{*gy0UAiyUK@nEV6VI@c>1{*QztT zl$9tEsJ_t$Y%GTK>cGY#J7HrKHvb%`9m|@umL(E8%W5@I0OkkFE;Gxn59nCT=O|DO zf$^j$wdrJ00TyJb@XU3;n*53U@vr zaq2=Ya5ubI@wK>c-Ke+5UrkqDe9~R{;o>ig3sqe3Ji!fhdjZ{lXmiCwIj+9?BmR;D zR69oW2lU^ma2DVfn0Kn~tv`J&vE}|&H1O)bq{W=4u-@}{^}*MY^bA&m>C!F%!XT^= zAzNyMFiimAa02<@(lc7UDqMP|sy?v6lT*$@GkWGIUd1cez~WkOWtKIf)tD=I4c598 
z7Q2Jg5>~$^PmHzM9_#%p;1xZ?)LXXzJu}u?R&@gt)nbUgG%|iy<k7B&AEOXD>?tL zsx$8zM2{m`1U)yrfxIg4ED^M@(qlrqyM;69D-k!9tha0lyr@(R&%&|InmC+ z*ZN%bK_AAg{@Yu4d|?!0QJ&3a^P$Lc8S^x5;5|j9F&1$8s!R-1UBMh(h-&iB|M#D3 z@wNW`_u{+RrMq9iW4IUo#hdYoy&WE^Qi$ZctB>$-3jcpDHhEg`s^7o}fDcO_yuI5?R5DRiK;NOwzJQi=}rLqsOjZwrlATtt0q^{pou^bM=+^oSWBU zv8^qvBF%@nh_3%wFXpOR~BU znlT2N2(@C9UsO##FN((t<6G|qtX&ifbh7&lB)8;Ze$EN3XuF-y=apDX^Ami~$wdVn zA@4jD6)>!GyPQp<%j+Z7Jag6NF|d{3X}yYk z7{@Y}j1XsfOFJ(5<;E>NrgL-+R&b`{l`Mu9YRe;hILXnUJ{=uAVF_2OdBLm1yNM7b zLVJVMjmfP_3$MHT?yWh_U)06=Z~yk|Zy2h*{u?ZX@|(E$tMPGM{3Ta%xvDRgh0K>o zf?Ndmg%1Wfa`PgcL(ik*+_@WG$LJ`uL7ljExO_e9#Wq3eK_|dFdZw1w!AZ}?@;W%* zn!EfgE3x5edI6JaiAx7YC+p1`pHxjMl#VuT=V5a3KRzPn(Maipr`~Udx zk>e|;ZsS6w-`Z?T=i_0n^VfcB_1#!h=5-fbqQu2c#fUHAqm}u?tcTB-H-L`=58udd zz+`+N>4(%9N5iU_GnmLsmBpjaWP1Nzyg?^{qUREN^M&S~9tScZ57x2Xf5I00iw_Px zs&japCPE7yofT(#|JFR`Z$b%-w$l54yebMME^vfqJiTyd^9%Tv3(PgS;ANRwxey-^ zaz>aZ$KGUcA(fe|y94>22m76U#(>aI+RYzbeV9es?T2y}`s1U2`9FX8%znPTy}!A- zy<>MDKTg^8-QAQu%z$lo=pyUi z<^lOYkFYH4S*UfX>6mTn=XIO757v7z#9%m-<0Wu&S>#BqS>HD3gG$b;bQU=);al;i zp^#RQnV4fFsEJq?rJC5Q0vKxyCu(1tkn=zhXp^^QLqjE$|50OpO}_LQH6GrY>--yB z(RTnz!+6vjZ8hwoi%Pw4KDLWWd}&~D!VmWmng?=(=ByFeMKkDuXAJ=UB!CBcE~dV~ z+2BcN4$#9}lcG~%wH_#umA4K0o?gDW^C&kz;lji)A-%4|(qu1fFK`=ACB`^;e>gqE zN+y>mg3%qokAxB^1?O+QF1SQ2|7mD?`PNkBx28l6r5A3TO!W$mrpwiZAy(LLaNEU7 zq~*n;Dzb}@aa=Tceet{CnHS7kbBxcx4O;|S=cJjdxRQE3ZzGam!6?=eCs(93PcDq! 
zpQxNVN)V}>UefasoxFkJEQN($3B!+AYFC?Y(2!pIRFj0B3OKYjiuM+p;~LoGZ_QYS z{E%JbJVWZGH-&&ei0LIgj&WFSraj-SMEsb-WYh*Sz3-s~zL}#%6Bb;B(>5rQaC-S( z3^X!_{!G)JdFJ}ZtNYu_AMe@p{{D(x-+%hZew_V$#qK`MW|udgAEuvgKZlrSrk7(; z9^K13{SWI*jFy;0)Lf=JE0GTgK_O(v1FQ;y+3&qL#^N)FdPL+vO`h(THltiS;lG<* znxPC2ezQae9=8Ae1&1=QB1{FB-^8DP|50DRhv5wm{`&V{;FX8=?!SIF`}w1O`11-@ zb7PCH4H^r1k9HYUt?VNx>Zn4VMENx4WvGq$Fq=@|#|bC(WbI|yS7 zmWF;$%1UTkFPfpetcRY8aUe`Du(1e9E#eg}^-T`Hcn4v9NgQ^Wv)$7qVsUUA&19YD-Qh?4(KcP8ypH(T879#fql)pkBzIxeDEBo^?4bz{>Oj+Ewaf*3U;*2 z-M-FZ#$nm){MYU1G$+K_r=NeC-riiZhfkj#*!54Je`FtTXE$s%y_(+59v*(Wxp@dW zA&x8Je6V%?_0xYu*KjUg#a~$it;3cLj0%JM$NTHq?ZfSl?Ec}WpV{>kj>iw5?ylI6 zcX!j9yPt1vFK=$baE}@<^aSqPgShW*fBf|M^5%hkyqbPw*O%8*_AtG?VIM#J{Nv3n z^!iVCpTcmD%IZ$;@6SJe{_*)@DO|7KJM?mk>b zYsFjbHy4cA8^RCMpQfKa-~P<5u0G!Cfy;jUG@G%jpRVsOVXeOX`TkZ9;dYn(#Tb@g zpZldXT;mpKzQQW?eN1p$L;*_W_D|SQ|BPXi_WB3-`{4urdkz2pj6qvGsBlnO_n#Jev?C=e^t~0F+q~^Isy)s- zGy9Cn$bx*Z)`Ac40cLt$PCs9L`uX~feZ0Sho%P}Vp50F`uh_@S>-)RUx7XLxj~|0} zm^YV|zN!-TYa6cW@2j_FdY`b&SX^J2j`9Ayw^3M+lMk zXcW^~1Y#-u7C(X#$Aip(jhGw6ef0f12CtZESz%?drUZ45;UgrU%M|TLy~nHv(Tj>+ zw9|os%etURylz9mLyrLjWsmz96Umo3aDN#)g(82i(bFgFBXR{KI!)YOK$^MF9Oc3k z`lkfNjSs*z8Q_?j5R#NIC8%iJ2Nmk;8cnhII1KzIc>AKpp6LpiIQcIG8OxHVKa_G^ z)arX)6=v7>*Q=ir6g}?X_H?q0erCcNKcZ2cc1^z4KnB;|K?i9C*!<|dWq30Dy!lTAT26#z9LOe-PJJ6qdLg~F%SFJsN7U@9)}^M z$6sQs9@I-80#b$^O&g;enN$xZI2)$$PHYTwUet17Tf@|JkG(lp(>GUB4&ddlC>}i} zDA2r{Hox;cG}mf6ni}&7bGDa&trZWH%~Vd9c^Wo#=@Fns1%Q*HsLUgV55qf-J`=L} z=&I#7&V)WNu2kU66%TMi%Zb320 zS+FhaUt;|nRWC?-W|^U6Sc^~fph}~&shF)M$*b5tOk4;1hwi8`K4BY0EaL=r_ENwn z!7ee(eeIT^_Ku*9V>D&vKqI7y5^(xW=Cp~G<_y_Mf~`EGsWP9uHgV@Oh*KW0=Dr7p z1HT<6teuMHX}k1lVJBAcd>J}oM~&S+BNlgjri2#-oPdeRD16Qzonn&T74R>+6YfVIs^G7PQU5Fwe_7k;fH%KD&R7 z=Kwp{p*0l&Oqy!gj3%fIeG2W!1d?Pcr|-o|k7D&bUwqAF>Rex#;oj9Yp6tKo1^W(I z)qydsH)0&pGGA02SahSgh#TRsf(MRkdfe(L=P~0s56T39M*2 zFV(6D81AFSQlCOk$|7;p1Ro;TEHIfMtf$`r3medCG?yxjbA+239O!`~nx2^{>=e8d zXw3*!N}Z0TD*fzXyGEIK9YyYZr&UnTjwU&MF01Z6v6LeW=R2TThkN!^0zI16^s|vV 
z&xJ!e=`YJg!V;X*jY+KM^P;K$arn*N7J3IBJ<~$?Ly|^&z6?}*0dI!}Y4rkBiPh$` z3QS$W#|09VHK@J%=0!-}@O2rrDY#Bu0tTn3 z<0NcA(sTMHVu1<_rW&A*v)j4US_Uv>yeg6=M9_UoP%r!7U~R?6_~RNKo)sK@nUeB z6RWw_iiqobv?7TvU=y%=r=@g*SS7G(qlDVFLTjm0?hP3m9AF7LmhmLg7!D%dE+m&3E+zr$?_2 z1Mgo|Tus!9V=R?j#4$h;cC>HCZs6QEUhwqHUViX99`ZI$&+_rG#E&H!luy<9$pI0~|C?I|q`n!UM#c<5Oo=J3UO-oXMaRb-yq1RwMt;`Js+5f|U0G$SY^9sshe zL?&U6Epd;9BR!~WJl*Q;0)LAgz&61#mcpsMwMPVrKql4&D?p3*;jix6a2+CBBLj6K5 zoXi$YuI&mO18pX#rVv)BbT*pw_ldnX%u*Yk$-Ec|vYj4AaeswS`x>Y)2MR~Q3#iVE}W%_YFk9Ix&q?M~2^&FFe4-_1VZr+T3hP6wP_<^gd1kNSg`uq?{LmYlWeS zwcEN(MEo)@O4>B2*Nu4Db)$~7b!QThCuJf1^+9K&DR;kZkJ2Vc!{gRm>X;lgah{es zRnE)eM@pL#d64Q4^FpLeh5DueR6uJ(Aav0bUivg(W)x+#4^zD&10pc#F4$TsE=A4X zll1tF&xPOb-4lHHv(famUtJ?(Mp3mo{Aj}S!6Bp-8Mh6ADjI9baTL#^Wi69l~r=hf!fZ=4xTWN0{qXpQDQnkfbyhv#iq4rEt@;Y8In5k6* zC$G$pixTxwU(zVaIR4MnW5e1~Y7Aas$@~X|_&q*0#jKF_pyk5@ks#+WfdT+`Czn^b za$PVBEB!-qtdNT$1zK}qH>Pl%>Fi(AF#1#BLnoQYusk_d`N`nb#M?sjDAQiMIImwT zblkPiM3=+Hu(`Tm8BBB?HQ3AF>9?h>m{sXSOfLZ;E9w0LBPVuces{)>ZC`KG(Bo!g znuZ>iqtY~F6~+lP4Ly2DrfCSWOe#%7kd{(u8cNKTSkt^qMm$HkSv2k930>w5dXrXi zxncw15Of%8;U`!BjIDUm2}ABQnEBcwPY=D(ogTeBk)Xu;NbR}*ev?m($LxIgf)c)B z05gJG@&WBSK)I|66q>g=PUz9^0v(2J_fI@4|EKo+TUWPN;Cx0r`53=HqTz8bfd?g2pZJoP{%4xw9Hs>jh zwd&Z!8?>HG=iYXr#MH5E+y_AOBpgt1g(gmTgf5s8m36iKe&@n@#Elmf7O*+CAoN0ZPm`tOcyfbG^dtBYtEh9H=yb?OD~K73}Ta z2B1V?kFFBE$>CD{tcGkmXXaaG%6(wNd};Lg2yXM9HAz(t2v{a-k(J53eQ9EyC>ptW zsoyFvEV^~U+Z3a!zIj9&dPPt)i*lv1BJ1gH#VO#7C@S=_qKJjj8fMO`a$2nYXcY>m zwg)9*dBhFZN`Ijaaa=ZDOk?py{rh(?iJZk8vwUNWj$Cc$m4xGg$i+g|krxRiz86e; zaCL%l45PS{Rzamd_-QhBu`4!DCPkj})X_57Ffm%W1OG_20Xz|giDF$`4B_d8k+ya% z4Y(4?ihIpe1Zx}|h*PtQLnxa7;;jy)Xf-ZmIjh4;iJXtyU_0KwnCW6`usB(ljmOo#?Z)*c?TTyR~U6lQXf z8x2MqNXm*n4bv58+s^{N%CW@TmPz;k7!rN@CLS*1*>u4l=9p0IX(4j#Ey+~G6EzH# z^1&cj_uxDn^vKeAI4Bv^ysOFri7k9rx@BBF!YlAh>91o8{$+VaS)#hi~&fZ(CBPXnSp`)5pYDX;RI3k}%cG;o4p+dSTOJ zTRzwZDN6)k$y^PS(}B|?Ug10P{$z291GPk(+lr%AQdBrTV(9+OSm`2!ZmEF@vS!_h5RwDJ%wb6wthXPx>Rvp3Vo)-=?Ln6|oz&Rj)qY#_ 
zwgHUj-Q7J7#~$De>OQ(I0uD8!m0@_AL$oPjy>{4dgd80h6U%0Gfut6E3?C3+j~uNg z!+B>qnTcV=pxxjn*ibmb+qC+Z7d<5cdDJi+7peW&2=NtqW5}15JvsM`z2`iC-e`p! z&Km}a=qnD{QNO=Lp1*I5R<_|y7Ek@Q{gu8^-e4CeVj#dF;v)SyRl(kwF zn-~YE#Qg(5RNHXbH(kiIYE<31STg{WGIT<@5Ai~!M7CbDODS3CUK1xh8l-p`Vax+Y z$SZtyAoZtDm0F7A#Y&F^4Y6weqvdehg6f0#R-e`Iiek}*0m1{BY|y{v;NMRX@dBk} zAv*|ko+*RNX-jz_(PKR!Gtpq&s71_dy&33Z-+APUVC9A(*keF--AP_0JNY|BQ_qXW z98Gf(B<*)au&~1b)bJTwacz0%*|?3*@cTBNAaISMXQA2)QS5iT7tdIXXrKJ0@L@Sd z!t21C2s?2>;l)VF67*Ua$6`6?4O1WBM{9Jm z%jsQoc^6G*8V52w^bFyeq+?M{*4Gy3xE`^<;1U({QW$0RuODtMANqj_%9l`dMX`Lt zseRj1cOKq=q_@EAH*YJ@<4sSu!iwiScx)3a`7opwmDJh@?V>wzXKP)o!xRmGj>X%& zSjVDKOZb(|yn~pCHHJiqrHFp}_$yBHd6a33m>$J?SYqUP$`)y{iT?J}$Irj~^da+w z>R(YT{P6UI)niqse<5?M@dtHV?M|7j;354ED3`w#g3-PMiZw*58eITm!SO}RoiH{t z*ud5j(?8MlZ5l(%o&`4qJ+@^~@Wd)IEGpocI=2&!5Xm;e9U8%6FlhgD(FNkeZ)1CT z-rj~FNXhy!E!u>tS9u%_n^gfUrX?$0aP%xrF9?nv;rh}PH5_-%pI~zgscI1zE*kMt z;sXpjO;D8Fg-uy#@bVAy3NEa^hmPWLz{#Fq*@(8YWcDlGmLqqzbFQQ##TH0VV} zDwybNnHD&)fFyBrZNn<6>Z&o*tuzHp6so_VRzQ(^Pc;NfLLA*ES{s^PQG`mrvHsq` z^DyC#D}u!#Ogwi-e_Gum4s^g5fO18uDnvhC3J#c9_Cl+d!6hE69IZ#;m3FQOR)aWY zeD>%H2I+QUO|!6ChkI2=A};UQ(|SG@MZ9E-H{ zOv)cMy5Bzjif$nNg#8v*vaC&-)c>iGtVmRjtOUvi$~^l28jb|!6N<@tA=0zB_;{Jl z!uH~#$62P z5A;onbQ-UBI=y@eLp86pvMMM}JV7^dZv33s0BBLjnP5qZ2lDSn%jR{N8o_%7@> zqh(-!@y~%Cyt;s6`_|Sn4v|JyP!jKpS$83 z7W+U?5r3$}g$fSDnj_h4@w?g0^v)--ctuJq-RkkYOcm@aQZneLFIw$hRFnnG>#b7= zXhTK3_~|jGH^o1i*7^CoqZFd*OCozA(xX;S(G4#gO6*BXt|Rx&3N$;asPFQy>#^&< z4bP)9(}oCYobShq+Z>vxQ|)doE3OIjMrQoaC!FdCs+JFeA9{dS&77&Sc!XZxpu}qL zHZMwgjLQ?qV}|!oqDD_F3{II;!wDgG0Vjv{G$nSP^3$QD(R*GW-S<`Kh(;dtm# zuf0Pc%Ch(JK|0+(=2mDgN=h8-Fv^!J{&Pi8W&A0D2^~na29^{&X6bRH-QIMkzgDQp z2!5h_Pu2`y@{ifE7*ZzM1jM|+tijpk^yUU#98dpXg4*3Ln6o~bHuu@xF&4u(`v=n_ z4X?OJ6V$2>4}SH6qsJJ@>6BLX-#rN0I%CPSC|En9Oq=tNc(GB{;{tWI>BmgZ6yx+tPZSE+Y5C_{@vESsc+qmT6*-k{Chb$E8g zXiCw?fmN8OjEg2LIyybyi3#ti3oBL@sf_)L>boULFSV%BBTNUXF8_g2;4(L5schE| zPcXwb!63lm>Xr75Fz&Zp5Y(1_<8eTbP#xJ^yG@nhLT7a0;UmpB2udEmCM7=o2WNkj 
zN0;uQi`EN_9!KgR4RpQw)yG0DTGs@Hr=Q(p^vKfjZFb(sR4>GMiyzup)M!tV?g1s~ zW>cf=vwy&Dox8rA;%ich&?0Az+K+$H00moTY7pnrG9>tNpuXotx?GPYA$_O;+Gp(Q z_NFU6(Q*O!w=5)lRd?gwYo-KF0Uv-qjx^c$gBq_1DoVeYzRxv5Md>%CLe~T}sQXFS zE@KPMIOk_#Uyr6meMsTK))0v>91G5JDQ~?PiBOMqQAX?OKQ6tCGeHIFr|aZx)=4ys zI<|PNQil->V)HohRZYAeO`jU&`=4|~xh~wRr{aY)7BdPe1i9N|x+tVg^U=}qh7Atg zQN_a5%h{_0d3$v`!(e$&n~X)NUa^}gQK~~p_@=*WC%0|$o$WG=S={(k|2-W$B{p@e z+<``o+h+r<0t<8+0&FaX^orwjEM9Z~(n4Wc=vQmM#)wsnXx7Ixj1Y!b>#?3O+m2qDc)f*#MPDu*gClZzp;&chBpS%yPZ zR-zJL8i~wH^)2}mYo){7`Yo)Snb8X}<-`0YNPrN``8q*HJ*LWRs;_Cg_0sN(mPV1Kv0^4T85e-}K9 zb}#;0S)qdINBOcIg@0vN9Ds%Ap2YD#3YZ!i- zj+#2WURY!Cmsf^G-bQjBEJAh?KP>*mi-)|O};R9W_CW7wFrW^M#9 z5v@zANiiQO|LHVw$f({!_7ov~%vcoETcVFgMOcoEWfX9Yu{M8BRn^LB;h zc3ys3UvB^Ab7bbO3F<@d4vj`(5i=`#%))9AT#u&vd@x#fcdu#fHcAPl^tbo`jV9zA zzV2$TrThk4XreU%OH5eu`z=S)Z$8vjhwG8H9r%N*O#1x}dM`*q{OCxa6|Xs*h2t<9 zFq&fXQ9LhjMDl_r$9)ESPbC(j5;}dOcUeV1?(!Pbe0Y*5Q>`swNr5G!yol*ruT029 zXOMF_9=v)KwblUhf+S?DDl4&;MFU&`Ha+|dM;;;v_*b2#9~rGVle5oO638L+xi>hH zluh6sf-F3st zU|v9UEj|JJg-M4KNjHRp)gTBd{iLHRGtFz=aLH}LP3u;Ci!8& zLs4z*p`)|CV~!jLvfhCW&Bh*0IQfK;oMbYWrX0e$i{thoBdD-^nB(DBc)?I&KAFg{ zepQnLBfvx@{8*m4e9aRLI-@BspR|+~D(2}4azTXUncEzKnpZX3_1anUuooYFD)S^h z4DXw8t5t*j3%?Gw$~1+wRlpxK-@)dwfi0AAJW*Gei&rXmhz=vzT73mWuL;UJ??rs@ z2 z@_|Gzxm@|psiWyGpCEt0mpRNW87r0+OBicB-QqJZG;+SGr>t>ZHTqsW8Vi#q9ZhyQ zxD##Kt8+F2Bd-F+CLyoX3C>1qN$pir^a7$jxD+fbmzaym;tYWS-)3y#Qr5H+^L1W;BuH@C9@Q zBd_EEy+x1C?DJ8l_=~c~6QO`}!@jU$8UHG?CSx+Ut{YQ60?)TnIZlIB;xRzSAKH0C zN*OtLBS}P=7F(SmvrZ&CAcf6yq;^%~ZveV(sy5dey7rOvYD5Hv;@^xWho?R`4q!yB}C3*Ue?-9 zU}%uvXnZr8Lh{*Twy0OgeB8wvzDJMLQ^E#sMiW7P);f&U+`Fy~UzaG+rB??_pEwQ1 zvlq|%V^2ob`T$F4t8sZjQ=&;hpyMJ<@!-juMAm4S_Af!?j6Zv4vN?}^C`QvuKD(zJ z3Fx?MPY=OXDe|JG#B-iBv1beJ1w)D6v>U=VQ5A-LTHp9E1C8;ucNHP1ro87}G#MXV zxj~n$qb&!MVI8op;KQkQErL?ZPZ>;9HaEt~c*Ws}tu-6;Px6=ExfxA=`HbXAFBbZd zIX3XYjpKe90X?3*5XmVR9uz#+AorqoI|Gn+w;xSwIb326%^pfip!m^{=PtOQ>A{Ni?;M4S;V~t@PekqW*lf|pJ0PrmPx0*)0)Uxi+h2x z?-dhY 
zyK@4ep`_8=0@G1SF%TMY_8=t0Y(h$OO?vXV3Vx3d-)Pd!XT+AFeA709mw{mQM<#bkS1fRYjD1zRA+u;*0)jKkXkl&IA6 zTEGyG7Fu)v3+Ju~3TjZ&Z`+)jV-`^k%5cwUfxScmJKN)rBv-o@a`}={pW)n^NfX zK%L}?+U7A+HDBtI#yS(o3zi;T-UC||IugW1Ye84TN9C~_B3_8}=~3d_ zH^Bvn8)FBZWUsl+hkP_8^yA2}FWH0l?G3#MQKpqddr)p7@zf)cN=!j$_gZxhm^b9+rV6sg(`fHQ*D%*DrrYn0rO(p`U1 zDmxhjfS8!wAxUNIJo-;i)&05U7AEWLgr8UY5pvlY#5KB zhG?W}%Pg5oShOZ!xu-_}JtM`MI0s8b)MC$h<}Vn1Lr{jUh4#C70%k$X-l0=l&EWLNjzUJ zc$3z9t>$eLdTjN@+Qcfp=<-HICBFrQ#S)bNf3iVB51IsJ|6c|dL3*hv(`%ODydkLI ze=Mj1+5w=MPmdH|V>&}tHZ}fLH4^9UbuVmsL~>v)>8s@OltU93r5h7s#7iFg#c*#3 zs`?-6+auS5rF%w``G4g_={+g@KXJ^f;nAa+re4HjajT`QSIt}l{b*z+u#*H%xB<_c zr^P%%^Q6wZiY{mDV{hhu$h_Jj1U3JI`V{yOP-U%z1J{=!%j{@10S-YGIcwB20Z)uq z7bRs(3S^lIwiLy(;^j)BNh_>f#^O+ilt#qYGA(eyI;c3}inO!&)}r%jkBnAC;AIyr z^!XYeTv@`gD3!1rc=z1VDh-T&h*mEXTSu^h0m=#Xy*I67IA6kl!5n3@+5~!5uyISOoWZjyZ1e|$7d1V~7KA#y%)VCBNM;bt_4?nklX!Kdj!aU+da`mB1l1nVIf6egHE`qIew(UiUH^ke#W z*dVKk3%nY>IQ8PE$L)4Ev7P5i*ZD-@C)q}uu~G;Oq3)@cU@#tMYj~56<70_j=s8te z*6VE;dcLULB$WVfpKK!AId~*1E*v|bpqJqq> zx1@?Wyz{1{M>stz5_76NW)boMBv>2bOv<%t=1i5vqcDXD<5YUF)1#ZmX^CYSUQG1J zcuTO3!=R%~-z>Nasp)k~u|PwayP@O+o3+`p5((z8VC^bA7uZ|800|P3 z9>CsXwt@pdy5(ywQ#>#GkP)od@KUxtf@K+w1q8UvkR!G%{Ay_<2E3@>6BX$)pIIjA z3afYrRe!!ESj=I7vdhu8_L`nmA}o*lmSB~J0Yu|h!mdMyS|Sx}7I5gpxJ&e^v5l-( zL#rG{(!(lc&q$Ma#nV*eOQBe?V2#qFz&T(CZ;WLXHv#9y(W*VXyv5TCl^*>$wj)`d z*SliFFx6zaQO(>7l{i-#P6XV4ncaT%g1tWxCN{^!{t1^^z8$S@#4EYsWeM+0uweoY zq@$IYpa7m=F^V??PmjrAI(NI*bsFkA5maPSp+-PqeNY{%n^Xc-@q6gK352(!6|H!N zdnSjWptrQNF=GRIe4W|cI241CxvDXa(vO}V(MxiL|2sNkaH6Lz)agR1V#V9{C_R#f zJ?eTBdlrS#(M9Owd%ck8k+C_jaSZIUf5XQnJ+ie61%1Cj8)0aA!O){i7ZFZXVg1*= zaOshoXE{a&NtRvm-cqaXh8QCW>c79xk(Zzd{L5!s-V)S;e+`uM_>e=n;W>P}$ay7U zUCy`Kk(YbdU4oMDeMG&-Vc~NGCEcHghaMMt9v*rm=k>*{ZV9TM_j_@WpVy}2c|p zbsOM=GpQ7QmDbA8ubBJ2nCWqvXLR6L4CauEpF2olsjZb1Yol(Gm8r!1#e~-!&stcN zA~vc|tvyDk9GJH7A|8vUoGH%fEHf(l&D{@xf7RX0e&kBPw*^Rc-jdS1Hcn%iCylDB zZPya82%7<{C4Lt0u+Vih5u+C%J?esSwVD2q-b2>L6tAeM_yT|yxab!}wR5V`-oZrjWez>Q(y 
zwIX?wqM~yDsuw>!p0|JgvZZ;J4X(~k6~Qc3hAnte(&KsOig5Qxl#!m7x@3IUG&FaG2S_Jtc;nt$Z2VI24hGSXrYWI0xI3@Hd#Lvko4a^;270 ze+d$yx+5=v4I4!c6S1>@*n;!u$_U*W@5riP?=ClHnGJ?TkJk(Y@OHfO-H7!9BS>XB z)3!b9SgTCN%M#6TK1>89q4yb!)44fxkn;kh$6{XZOwwC@F{pod;!P^K@a{nbC8dX& zM}udJj}r9_;RC@v zoUh@#BtaqR9S@=!!1LmvM`qH3Cv47BTpFw4v+!=BL}reLNVO3du;SNMfu$E?4A9U5 zpCx>o&(L`{n$+}WvpI?q#aV??(Kk^Qtgafb+Ws9uUFk=$Woyj2kKoJzyLK9EfFY

T&wmK zFDgnz;)Objo;{@H4hsz2(8=qmihwOuTXWdvH83J?XAzV=er{(G6f=G{BuYHuiC9|1 z+1YNqsOV7%s~B&ppcH`4nD$lAAKdXk`S;+56iIZ zEawM~%r3fJS!*-e7PSSW6UOwSq{LV;Pi=nhlEXNg=m6n62)BjgP{OaL$#C+0I+M zO+b(2?6cJ(6{=fWafi?YpSYEx$3_;cH@SenstHvuHaz{{h`{glG;y$haGCW~`pkDTAyL-kL{KU_e3EskuHni{cLepcPaCpHfx4oJgAFQjJ z7rNb(65)PwyGPB9pQ{P#VZZVMMNsovtZ~Iz zHFFiYWe0em3x_rwDZvy_FE)D2sE5r2uoo5Z1ilp&>#Ipv(3#9-)?^GbWkULr9&hU5 z==c+KN|L@Y_Cv^Np@^J{ewjZ!-atTAE7wnFc}i?471SF~+!)vQ3y) z4uSqR$!;m~Dep0llpMCd$4!#TZlt&^O@!fFHP$22f#W(h-n`I#qPIEdv8`Tnxa9Tj z5(}**c}GwYyN9f-5)eofxNQzohk zM&yd;NveyRhAyuJdD0Lk)~yqXtXoKCS;ZeR!TNPrScwUnj)28eguQhO^OL8I*=~v| z@p`-O3Cd6JG=>ER=bj}#_jT_*K@I91M6i~M+K~d)l*psJsOZt7rzhvC*ucod(K^WP zoU}wgAnoyd zB)X8-Lt z(dxP-z-E#LN$K1Z6!8v$Y~@L`mDHBY^CBfr4OhT~*a^zO_oTG9X>VL@@fxlTQ%*CR zm!VDlKKW;iZUbFF!@%)?q(nZ$L1J;DU<2YkL3!|}K`I#ZsbGs#e3f%}5G)6LPf$5L zh*vdrp=&IA@x4!W1^e|{>UuV?>@DD;!qny^Fs=>vFGS?oRtcO819_h_cPibc*VS>SjonNyqEa|NaQDpXkN$Y>Is zCqZ;iP!4|wHgGE35>?$Kvd|(4tZq<4*?;gMD2%@Y&gx0w)xHcyEwVBV2+O@ED3TvS zm9s|EoSvy)S;=7;;^ZW#qkkr9A5wz4`n&F2SxY?QuwuhisYf!LWCi#4B0+)u{XM7) zU<O&ufq?kM8GtnMCE8V|4zK7KU(UZR7nEbjSCCpt#jaP#2mvwQs+lr$VzN@ z>LqLhOCs#lcx2jwi7{vDiI-Z69%Cd-trJr!QF0lun$qK}!-AydP`}O;TBmir19WA} z);7Fj+wLSC+qP}nwr#t^j&0j!$F}XHWA>MG?swn&-SfZy9%Jp=Ym7agv1-+D z8Rx4?r%3UXt=tw&ti$dfhSb@&LtZxtu-D~II>|`J^zi+-@d`A7e{6>u05!z*>m3D3 zj=@0y6OSwRwunqGK$iwvXPTcDOt!s(LZ?|duZfvRG%UE6lSoHp1>oWDjEKg0;nGz6 z$SsfK^LWYDHweI!R(}WYLJ~15w>)okBcKih0}cfjInK8fLH1@>=PrD(bdFujiZ}6do`c#1AFZ3BDO>890zgDWyo`?#?V(b$fyezNlw#??L@LGL^a0D(t zco}V^);R`iS!M*?!u$kdhayvI*IArm&I^W%{(Riux;@@r_lUTV)Rx9hc;PO?gy8S4 zR@_w;Ojhij-x!zINPp!!xYRL$+}e)1FP+X1C>imL9WoU0PAD}W!01vcnV(h6A67*6 zZM}bv1rJisZl?lm@Ir z162$+rlU&6+}mtU2|lu3bT8_Rv~a<<2287FN#YJYf<2jwx?Wjp`3w3aG_Y8_1=fug zM0XtS@G4>o;l3Gy$IzvbCrR7@&v-mv9NeZ~I6El>_NEL4_0`Yu9po3GGM}KQG1W0m z@?6|H6X1q+N0)=v&V$yz2BsDsCF$O;9!6(DFQyEN>|h2F^>@ouresox;1$*+6?;dO z=FoVvnP0D8`3xJ0^?IS6ASRM`<6l={;^rUBN^# z?`#BUhc~l;;(1^?qX77{nxNO;IorRQpN$g&S_s}Iof6TMEk34fB{LUGZi#htxT{GC 
zq=n%6uNk4`%-e$@o>&IjMUNtbx1;FDyph}+;w4e>j1mmY<4^I^I`XJSJxd{xt3fLe zQ*|15*Qw~@kuvHHk3K5)>xz0oPXsj#PLnZi9uRU3MVCT783A4!fsuM}d+-?-xabL4 z8pf>K4)cbkli(w7e>wCmCp+>fy~q8wHLXXs}A0e5hnq;qkrrp^RKa1)2h8^l0wZ^ zqs)3qq;jaW*-4e{hhuJ(+8@+7K4_RHhWlR~a{SWVzo~QWoO}~o>WkMK!M{)xb6?)8 zplf~z&_@D-=}9V@)NE;AfYHdC9ntlL{v`08?8)#c$B3MyEqSsAmlF&F(Fk2?f>=_L z%y0iOUQ{YeW`i0PRw=A4eM zxxSenA+GB%Oi%Ypri5J*%yYc|wxKZ^Vr2|KQ0l0+Jj%MswJFI~Ovk_Sx@79h?@JQ{ z9p^2U1Uj_Kve;_&f{3m*v$@28xQ1t3Lk?~xh_3dzA`&P+>P<#NC62C;+)b8k{vgSuOp0P-(oC=w{(1G!aiyb@pG*NBjg)HUZ{ z5S!1~qu7wYCBdeS*1TbhEfQ>c=!cJZwAD-N1rdOH>++R5#Cc(sTJ_p#gLx)YTd*Mt=w$?lF?%8DkXvkHLIlwKZDK)#}E3S6H54h)Q z&P>P`Vz6rYP~B9lN_}{l$gh06t9Cm;p?Z1V|qR5Z1 z{5;_ZYV2na{+k4aVdG0MoIP7X7@rwP%SwV8nNU13*QFuIszjH7V~u8E_%sM{Ic`K{ zZ31z*@S5W9HB=+$E;H~TOB(q=ug(aCsH-5q!b|BWgcQg->-B_<8EaNx(}}8^O)it1 zZd~n{@p{9zX<0UO?cK)wtD2mY48pN=!>2Xp8S`Zbz+|K{SCsSiJ-HenZe( zWkx8gGQd87NW-r6Tgc$jBkZWF-_S+7lo@i_32OM_eVo@!-}B2if65ElIKj812LSaP zDQNW$K*N1itcH*I(`AxxN2v9uBr(5@wzsZ#lKa*z*i1GMMlV4AsIK(pA>^Gi2KNyvKUAQ9M>L2WO5q~?s@bO|=9FgWDTzwL zn&+N+c0CZIeM5#JW+8=d$ydE`k>0EauAH^%oWx~zHV zTpkqzLwY?=iiXz$2IJ_GMCl{Opa*aktK25#(O`EBZ-k1NT&3-@`@8Sn?42lQ-xXtRs>u{1-(!y>{mcVhvyfys)498iZ~2MYJQBvo2VTGBSGD%sXR5Bb@PT z84AEbtgDE04@ESoTc~x>*79xVc-%wMUqw_|TR+%`0wZh{)Nr`bBIYZY;mV|3GzQXJ ze8?G;`6$@bF9|RSq_q9p7nh<^klVPisv5WlJZCjWI>RXx#+8sDYNC@M56iyI4#7Z> zX_*Jyf~Dw`8rZ;=(ckdb_V@P505!16(K{kna@>3^1EXWo*IGl0gNk`IRFDgq#2@rE z9}J1aM|26hDVS(aU(yB^o`~2h5HX2`7Go&n^ z4?YQKIRE&;E7dzDWmZS(?jD7Dbb6w#YLK@Z&}@sMnZ}CVzhMFt3lyjV0)OvbQFaMU zT3aq5;vUumBf5XK-1Ol-XmkyF?}F-lVHz+W98!cGOJISV?a`Jk`QPU>xx~(Mn?xF52tq zs1N&$0P+usJ6>NqD1>}74+ieOKrL_|%KS?8x|dWs1__DalPCG9Leo-Zb1y*g-CV~( zU>pj1!(o5KE3 zN_@VY+kjP7Lv51Uu~@n8Jfcymy`|`6wh5%0^isWCWNOz+A5P7Fa;)~G;x@$uK>sjM zBsLvuTBRIFwoZQN5%|bQErGSlS%#}yU$ksfu(I+9IEL;s1gDz=F4L|)QvqriTnD~S zTWzD!_bFkNxjm#cZP}D~u1EIda3OJZ3-s@_5sBNLwW0FNOt96OHOh8iupj5TPYDwx ztqy{MpNudNENA7K8AR6_i)v5(1Ue?47<>F$aI<`66cWw#Wtw3*pzaVdX$|no2*+DLZe!P)q1HH@5>tS$hI~p(I+d+z-C$5`5 
z5er--%MJ>~XYhu{mPEZOJ>-g7)FwN6Y}tdFUYRi7JUC6kYVy$uQ6ocqR+9=WBFdgm zyl1$4~Z@#hBaY%qqxziZ3Iwxesz#IvyU@xeAkr zE5bE;ao1@Qxx$KLN`2tAlST`E$%X7^@CDF)d>w}~Xd&&FMG7I?y52gn+j0}jh-Ea* zP-u0zCH=rzEc8N~@1MZy;%y{4H|06)QQFSfgX+EsDG{)mD=_qeN~^f+{2^i7U~L_b zuC&fQ9OxyLs&WiBoS}(aPk* z7%0`;%I;36WbhHz`9da@k_VC!W}8*40?t7&tXbrvH4%dYh=9kmCCo0ZZUcVFx{u*S z?yR)Wzf2--3U9N$5@_ZZVJ@WqtPdRH0%GM^?Q)ULy>iBC&!tU`0!72lvp7IH?(T~O z5t&^Go~q^$E6Qft_$&3b`R_GcbCjjDE31=Ys(CnUy z!9wW0*~@x7e%-p&fPnvA_Fw>o`vJML9?LL7Ha>zEp(+;zl|lqvj54xIjf?hHd<~;( zF^_vAG)jAbD|VF<$nLFVBul^0YM8QPNi%4R{{CR-TniJ@(bTVKbiI)8{?a*{b)ZwT zwf5{nD(ooV)Oq*7`j848K4#`5sr9q-L0$jUTb4KtCJLWw3t)B>qrInXgEUb|Nk_ex z6EyAizeW-e@CdpYuM=?Ey!W0UwJtN%Uqo@etcT(+du27x9-SvX9k})G36}Qk+J|25 z*MDg-ywjkXJ7zU4nM?DiM%!bnGKckMSL+e`(m>2^G?^ zw8odUP>D_cP_VE9t=|tb7r&@p`jCw6AbNi$ zCRd4Bj-G3#VWS`2OcsB|kFSO`K(!-zwiMWj^ng9_Y%qOH3dY}eY3Ixn`@Z3u?L$R= z?LhTRiJK|G-FIJpDfz&I_N>g$Z!aebKX#Nz`{s~o%X|lBh1D;4uQ>t)nY@8Wd2~&L zcyVQzv(!YoWCyvAWSN&LgL_n6NbzHJRdS{-d0AsZ^Yu3oQjqbEj)kBI;m&x_rXMJar=3{_*z8>*cG3V=JuJ) zq{N+fLu?u$siQ3W@N{3j8FOXG}f` zkF|!AGumYh|KLAGA^{o5i*N}%hvE^7!+n6O`72|_S&PN;1k}t)0v_4-G=oggUpx=D zFF>;eEEaurxU!Kj#w^~hf?{9yTzEsu6H1e#a^are)WP_<>}UKMgceEDtiW<&F>DOz z8b;dQRgS4beVbVQ0d@?1o>R_02Q^EVhNNYqbv;1gL2bs7`_4$^~Rl60xzgPSu+Lq zrL$221!6HJw8?*G-asGqZ|zPaJoq3Mr*4Hn zEn&NtRYmG+1YiV-#&O|cS3*=9V9f(h4_+?q0*?R>Q}Spowy>Khs#y-f+s=Yt;DL^V zcCOGDjU@jllus*>$MI?2JSNjG_}cudTtBJ%se~-=T)VfWf}Ua{E&1@L>g&V{Kbc4h zPLDB;{`H7d+#4>>_-_}&x_o!m)HJ_nm!lhu)^Lu?sI&Bbge-hE&)=9eSTwj+I-~}% zaSs|Tmp;}&S&|CMj#%-gV)Ffe%u!nREJ+vO$yhdeS*h|64$xkk<*#5*lLTs!-3HX10d2He%+&EBuE~Wgu zSWdhnE*$C4z7RHZtWZ}}GEABH9utMcgeaIxOEg)F3+bV3L0E_9P`E<<{YthZcI~w9AVlFJF zVg}>UeB96osK|3^I%7qw8fVGnIB{q_E`C!hR(2*m_eXrB5HNWf+lua>YKm3JHN#<}D@GgT=r|E?%h*#~pFai~5HNyS)A2 zl^m(40ATRG0Wqpsnr73zFceb3`p@irss*K`tXX=;IN1bJcCd1BWJ> zp!SSh-52=Qu6OgvemTCdGtFYB>B)A0r8djzd$41%Qh)u4DbOjnaH?%=QK^aH`aD7c zehiM_fk%QJ(?QcpNS9#DFw?>^a?TAi4XgSVEXeA^e*MpqwT7jxMbx%64&c}I2xJ8A zJVAM@<**cQYd75E@1`3$HB3dNW$^O!pGL%Yg)8LElpg``po{a9!%gOnc-`gsk4RqD 
zM>lU^=q6sMP)|WPQO6{ml{fBZe?sm@F>zx>A~hqC-q#}c**IfA+!3s#p`|FPOJ9u@ z=wOebf6^tTsm42pr5sREl~u;7GmCLmQ-xFA4Xd;dyQs8Cl;ZCu<#Kb<;)@D6(Rqje z6=|y_HuR;iBZAf?6^hanmbv@L2m>rZ3_o8n_yawUTbgl zZs%tc7xFX1+;>uULnSSBNG9|ZHDQafG4_*$L=dl50&pJ6xzH{gjaz)`r$_=co~>Kt z(i0>|HkbP&rD8$4HB<0YYtkw7n^o3N=2P7VqoOg4SO-5dwfJ)Jfzn&^*L~J^fP;@S zu~Hc1i90kpRfG%4Qr2P{G!;812|14~d}ezqf&M~Km`CrLth~^MOydZwsS+Mp$#V=O zw5OF;&n1G+Rbij=$gYVtHLB)u|Gq5LnRg2my(S;#v=&#Yrjf6C60gXtT?-s+MaNqU zbD-o__|WdohSspHqw+sQCh={<>%1=R6HN`h{;ZD&q3!UKqT#i!-1RgVQWJ zZ?K)tr{U;y))Em>t8FCsJ|*H&&&*jLRpSFsK0xIg2;-RZ)C z;bGBW*TqvSV;Xn4WPUzVCi6-?JIoz$xG(clf`B{3qr(b}S(C-1}uZ zfRI+7$hj#SX~9_(muJ(F57bk5Z?v6WqM0M?4U5!dB~h|Y|Kw6+JYZC9G!$hVM#nd` z2gn>5iiT$_nAbk^7yT6E8QZz~o}#4|BzAiys%T)8_|RPuAF_q0{7)$*Qqy`RKYx_I+lFBYAn9dS76HdU z(rFPD42aw8HaUJh*Q2H6dh(1xEi)+CXp_sU`jdER_-AzPR5dT_F3=L_ zwZWA&8smaFBSeg_DQ4GP(s<AsJyfl5?+L5t$cw=sFYhZ0+Jr9c%U@|%0?}%?m>ko&NiY1W2x{?KJhZ9b;Qzs%ozGEgPaqej7x7zOf@@<&@leomEXt-f@i zA;c8)&;kM?0wa~L3EaW-kq1=*&$QZiUu1kOqAp=4%HI$9#$%G$l?+}1NJ>Zshva#4fG5%Vdp zbRPfQ{8NriM)btAlA+&0vJ+Jmz{{ZsZN1ZJI->LA=B{Wqs*JjIEEnzSOrWwVGU@bV zdnyY0b0HE6!@hS~yyTRzf@(e%k=XX7VpXG&oF0~YOW<$V>3l+|P@cj<%bTX-lBAD$ zFHizzK9Sf3UCt{U<)#@lG^6WG>E)$-ih~#O5#o(%v<4M|A+T)e)cf4)v;tYPT|(kS zXw>d3-YGp!;gTVH=2mmEgQ6(R2v?3rBityd2jLIR+|bfg zDCsFNtdEb>9Hm{kne5qlmP?mJj(f{j{0bHrT=%5X+1Y@wuuWDq!&L8`)-18zjLY|3?bc`K32mE(yIf^23zz_0zoWd2PP*0fiO58jaX|J~mdsH3I_N#G# zq`ICAEC?kyeW52B5W%?9h#dTlP25@T)|nN-ZESDsTvT=(8M22R*QfR4p0iiOTB+Pa znpf%<#;{#VBeaiL(cm5utUvPQWds-`<@G{UT&tPlBpw~a*a_<#_wGvhIEYQ&AM9g4 zeIK7Z@eCpre#&O^&_{)4OP=wvVmOx03d9vR-)~wsr(?yzIG1nZ$;b&mJme}KF`<`3 zy_sj7_ksH7UX^Re-4lQ})Iy}4PFp>Rk=}`bjoU7sydyTBGv5T2O!!)l^be;&*hD4$ zoU$LN)urV7{_B1?`zy_PvP8H_NcR1i@1L}Br-Uex@ae4VqqAM5j!^>>a>sWf@E&qs zSWK^bP?el*orBRa`YyYsEThUn{jRt=+F$}K4qD`J>-_T!1Hwk?+V@v$=DY=lT16r< ze7m43dB|z1fD|T-$k__*(F+Z?A*uy(M!U?DKr+skG4O>Qnxlm}L~RT`QDx2YdxUqUa$IZv)W4*0bGg)wEY>kRTxSKt9?v$lM{w%wD$7ZW_1;?quTYE15S0#%q44Qno$TwT28W8#`IVcxaS zk-N(~>U?63n?U#G$W;%lS0q10bA=}#i^a4m^4O5t6(y`!Zzxwg^asX2X2uv=x)`mw 
zrsWh_2}|KSV5XB$Es3cn?H|9UG<)z#3iT`ZjQAK9mZCKbRC(nBEg9>RUiBKc=|2Jb zc-`SrEfiiUE1J?8;4S-m*<;#YE~$s4eAHveFo2{VgVhZI0g_MAv2!A7LG{RJ(?xnW z+F_);?Ov*T3X*c`mEJB_Z=B%s;|W3I9pR_ifSzRXgoc4C=hl==Dgad-b5V4c)+(C7>4p%PlF1e-fB&Fb zbVL(Xm+q1z5B57fg+rZMutbiVkA?BOd87}Zrae>&B zH3>7yzNWHP<%SU`B?OE2J(>;|+;~5flk%0UR{A0w<#sSWa}A{A3;xEGJbhKE>*FOQ zf5As&Ztpda~h&%aI!+jx_2|1Ir1r(v^?qavqKxo5rU33lqKZb z6m+RhisaxboH3uQXXPnBn_;akk;9ud8-=`2DowLLQ_MtaWEB(NT-|7bS!jCl@DOP; ztE7_$(1l?T+Gk}mSYnz>&*`)99G(7Zx5t!$;k0SPn^v^J4GS!f?IN%Svq%4JfybH% zCPE_d$MZ1FCHr7lKMWG-2&~t{0XRscKZ>COMmTs()2{!Mf>!EO8 zs7x7T;^^q?af-^@S44i>qh;JVp_!&)P*9nO-}N9eH@(4*u9l^0paffh#*9ET)%zfD zO?G7yN|KYHa^@;G%Ride&cVWwYx!g51SLh+qFhNzP!~zr>v4)-3roVza~y7bc>^Jl z*Mh^#f3ARPY5U7rgY{6jl{Sw~-ic`7M1ZTr%t|m)U&Wr5aWRli^}TVvWd4gTBTU7p zlc*Hb2X=;$=IExj+P&JCOlMXu>Go?I#gWyJ7c$v?D}mgdt&kjN6U3ORSPbMtIjs=v z;u+Yg?uFPyG%?ASEBGFBk}z1ZXqP%B*Sqm5v5=gyCnzFG)A<-Qq+x?{zqX~V)0ae% z=Ey1($MF0j;A-)&h%et7DBnLVas;39pRH$9fs*rhk@&V4w~EHvN78=b1UNjLPKa7c zMfPcI0Uo~c_vXI@1_J@S!{aP49cm-V(Cb6tLn^??S58TwXiUzl)5l_k*IwNaFlF9*N z0rVr&ye9E3@bsHYLLYDurW|7~2zP80_+`n>O7y4iaAh_)P(da>${Nh-ay$5}tlxH8 zIvsr(*mwr)Ky_pYm*P2iKQ(dE>2monIX2`|f7#pcHt9X4vUa9jc$swiiM23?LW9gL@aX@rL44_oY0@c9~# zzIl`$cwEBe$_hRWgAQ}IL@3ul7euTgx2&R;nj?hKMJDie} zQ_CE7(Fwr{p23F*559s^n;d%K;Ez??{rI(LST8vfrraZ@nyXth9+fNl+{-hvyC&u? 
z9Qs>|g#ND(^EmvkR8x}DH;aAUAWJQSKBObUSQYuL4KgnR-5}V{$#o zg5j7v9@kF#noDOQT}o^c zm`wTSXcE6cd>|T6P5iq-ei=_mUaCf-sO$X>@`6CM(3cosQDaEGn&Vn}$?Jv)T+p~> znSta}_--HSRF+0)s^A&84Ix^|--kA2J%h5OZEt(A#lpAX)|)_IuGl|u!A0jev@iAZ zA%!^fQ1QL?)S(#UWx)?1#J^9wriuGvgSx}o&gD0{HU~AV^1gY2qT5?eVg5USYD+bj zjJ13F1wfzhoM*ncD6=CuT>Ful7K6lQ=;8Z*?XQH_drgVr3b!Nn`l-H1>&0ArVZDo> zQdFvsKT{Q|gGaD1jE=Pcxb}C*ng^JIHd6KU;B5hMa24Ra;_Lb0bb>6o=E7Ou(j8?o zN2o)DWJQx2e;v#bAzpwtysTf0M6ycA-)f23+_C|=-@v$$n!#yUz-eWTy*G~~c;(7< z49j};v7qIX_FT9eb*P8a42G|i2Q|hir{tH++|a+!Fq&jU#h;XsG}(AuVcQ2Z^$Dmp zla-5rkAz{r*}@pzR}f&6=r$22To@Hk9Fw~TDIBTyWSL$2VSX-c01kd{u8Eqa zy|=tWM2_37)kw4V6+%fyUpxp^mIAss0HNQFhP~Z_K8rxENYTBtO<)D{*8X;G2Nd{N z^|^3CYJ5Q1)w`o2dxZp62r|_f>@pa}4N2v0%)NO7c)Wu*?s)>;^-w9edV)e`M_xqwOF8mNSkoWXl(WhBe z`M*+m^WV9(U0x8+u==Lmr^Ur`4j1y4v>v0j6?hOUU4B414(g&T9Q!86B+!;|fHzzZ z{ocn3+Qtn^t$=%tZxVvzBTnCvDM4V<#6+iQB>znb&{JJwV(V`d?4uVjP|xTknBuEE zo6y49PtR3?mGAkwaWr!X-jV23BTw6fak;Y zWG)F|YE=E{{{CZR?|WIa)eq=3bOUf^(Uh_i0~nm(`!uPq?O!a88z z#q|=E2b*_lbqUHvz?_jpObrzpLoh6jP<3yc2C2#UYvINWdPqx+Hv=02#c82zM8$!eIGXs}!0eF`(rvi>&EGx@Ggb zeI4KIjRswKyKZI8@G$DEhLY55Ig907s2bB2ar(0wkn8FKQyjx2kGOI_G^Jt4b++3HH{%exw&B>*)TZ-piqiF5FooVY#4Mqwkv{BLvf~bjgMfc z@bPCcOTj6F9(IIJ`s(q>!Rl1kRfjJM1l7Bs*T6j8=T)LvI&&^FbE_Ij&gL5-8CUb4 zl%gEcyJ!tx3h*(fRBzwU#0nhx(owPZ{bJJvok=?rP{ZOsI9==*;TgqFF?FNfl@UWo zhjRy&0eQmRPF&YE4A=ypp`W4hHe-E^9s^*EW%ICljvhZ|OWMeVS(KiNDxrhY;8mve zagW4)v?W$s1@ql3{ZgXUo?i3dcZ0FsrFT;7I4BghbfJyZ%rd9##7hLAlJs!OQ`wzV z1y70L&z#wqdrhF$!rr)L=byHFXN{!y%g((>V2|m%dium zh}Y@5v3UO!1-wz*WEz5B+P0yAH<3J>hWkIrS;0mFMY~C=_XrzQ(Xosh$g;BXuie)#yGRxWgZp)X?RTw0F;^^S!2u*L-4M*7MAYGWmGGg;S+M z=IBnl@m@He3aw~6hhXg$Breh%rxzh`Qa==0=V|%U5hXDB?4z${uf1)kuLMt6)p-)S zY@(eEY7^Obn&{|vEZwklc$A9iyhZ|FLEG)4FW{^~S}_o%bqsDFp$n^@bg>^h)hQ^r zz4l`LG4KOS;n2y)a^TEvoakA@Zl%eHm%}tn*qS$1Ep$PHyBY9h)kcdaD+jkuY~Tio zce2M1%ZZ?pFE)ScrqX4F0hNN_m{D%eN>7{~=~11T+(*^y=L&VFYROI7@KOWtr=`J8 zNV+7}qQ#3ReEtBUil_9MEs=0?aN39~E>!hMJqyuBZ0e`Esj3CrL={vuwA1UHX?I;O z!atD&Rd7jK`@JgX 
zxjlPlL;D4S&iXlH0noF~`tIdeQXB#w0X4GZH&G$1>|161rJnVKJz?-cMZ$JiOL3ztdsFCrXor0}c+b@wyyoNjwu`O;_ zH9Bue5`yE?S(>sy?Ps}r{R*`^v1mP~38Q|p>~~pJQi+^qUbn-x0(v1R1ZNiWs}cQt zX3ygY`T>|HN%$`79f{JyPeUwXoQ4jw=ULXu@ki~y&fCcCov}w?@C$Gi$@_j%B7J7w zjPu}mQ_n7UD>hTL?dbk4_6kTEYF^*|1Nd(i(IQuo&o~eOU(5 zXpE|k(>g2SI~68xNj~+sfbyBclg#tyU8}ZeU8NN`lS#=WdBbqaFQ4rZ$GA&T zvqyMdLH2JyjrCxl69)MOU6mHVC`CKXTWyNJEA~#KZ-lTmF{Wkpaln}qMUB;=68M!- z8mwf5Njo4(qy9Vg+k7Ie*RXRghxPTTT_J zvMY297cnKj-hWfg%e;LuKWX^(jrM96E4ufRTO{Az+H-z&e{&hIS%Tuc{P9SSN>1qC!x7-;->Is3Cdoe<&L`X3 z`DUu>5C;Q+WMp|);nGkWN$b}qIv*uJgqh913U@MT+->l+-Azg+R*d5&D$@gD&|mamX3%Qw>Glog_J^9T z-8kj%7{s4`_r;%H88%g~r5UQBivHOgVWAj(k7l%56RI$w#tt7PXAz1*t5N8I%cwh% zDw=S}9u1v`sx-hVGaWAU<7D5UKDLB`s?noec14`cWfBts!$MI_14L)>X4oLQ=_x+; zUP63~nylOf6Qy0{p}F#B3G*b&@Tq<^T}7l_d4LK!*z%mJ^bh9LrqIAPunF$aX4Rs= z?^2O(Lp^N`HSRwRFKedN3bJY|y7tm06tS~FYL8{E!S@>GhHbh|@FQUus)aLD&aVA0`aI~aF~QHapm+blkA`d*Jsw+wnA9(`uD;Kq8@omjsvU`LrL6tU4E zT(fNXI5!dk%)GLXGrE}|uQ15tVw#uY$KwLmiIY^%A?8$u+|xp$ce#K54pjWn6juNH z#U{g{(*)m^#w$0crf(!j7}%L3VeszIx=`-Wic!H8yPZvo1p--V zs9CVoUKFcxB(jxN#4^9>yE*ppIi@^4AT&8 z=~1YcHl*&6$&6#i59Q*qNj^Hj5ks+xh2+=q8sQ*zQaGy1xB7Ev@EFQg>9}NiyWq{2 zy+;F&d*3_dYw5cEc9TuCkVcq^ZyFxz(V};!+jI1RKjHN;H6?I8ww4UP#+^_Me?1`9mm(v{VmPmsz=lHLj0=RuQPD|6a6<9`{gxPPQd)9=|f$n zwzG2{9{0T9`a!s_W9RhXdL0tCTUR-JVR-|&2je2AVudA(!!`X}PdJXn+VdQv7RoPi zMZb{M-L0JRm0qZd`C5c@3H;$$ctIY1NS{+sGtn^5Nw)z@t%Bvk#0p$`&pzaxLYwr-jC}>`mu&CJ9l{_Z-}&&9#x^lJU`yaVn;cfD^&GFx>Kso zj`;=yygb;*UL0$Gmm4Uezw|PTj#BF>8tD~YO#zTfi-P^dAqA-8!Apzo`6~(P^nf<# zNI4=Uxa3eU|d9-=)8v(!0+zk@wBN~%C^HT@7 zmK}2e=Mr1X4uZ4)$}#|PZ6g-$qjhuF4F?cF;|2Qz0CmCe?Bx2wP{@E3NEZHahe7rr z*gocKL_*L=;dtQLbC37}?pyF-7-^yr0Z2qBLjC~<{si$AcqDNlL?DsaR~i4hmTasJ zm#I>}ZycWl|7{6d#Lgpozbqg+FaQAaRsM?x{crN~tRGUgzznebHOMA<(q)6d43#Uj zLg6s25yu5T2NR42?;m4UdcT-2~p zYTQUCC5y3KDI|lTv-M5%&2>o!MhR6;&cb}r&bD)(4~d7IPMFa?Keo88Hap0w;+F6z ztq{f}sP@&W^?#J=6qVJGm|xY{z>qFrpEH*LHhG(5f><_I+voMkCmSw|&iEY!tvUyn z8U!x=8okf`Vd#LwD+DB+m@Bp8rhMBAn}NHX;K00+PTcIkQVI{-d#sUSKjnlF63y<_ 
z^8`I9)H|v4BSeF+^#o9us`;eCWW;3=&YXva>?E-u2zdQ#MugBpMH-`J9Q@|9d@J2<0ZdeutPb4V6YYyu=_u0N2e>pC!0pKVbZ!zmTc`14B9D3ee+M5{oq6D9kpKQ0#}hO$kTv#gLWne9-qn! z&VM&*g{~uQ<5y$Gd}%NCzZ&&l3hZX*X!Y-={acxbe#k%v(Ibl1AUguYY)8z1=Ye4xSzr3AX(KyFlmAUT3eiF;9sEn0 z@L$dOZv=m!lP}OO>*Q>1Vq@~JZ-)O3z*`|6+eQ==kdBP=_eAu600J5y|Hr)jJs)+V z`@8sGQ686|Fu)c-GDBRdC^{{RQa z>q+-BVGQ{g(J2k8MyBNtgY5O+(~`VwHoOZx_}*e?r`cgE);pZ#czKocgU%qG z2}w7rZl@NKh(NWJ58VZw2<0o;KqNTz<$T;s?*>jOS4inP`uHH#Huz|RwJZj4Dn2)k zUwC%-O;D1d_!{GKGzblhQ=VWU6(pxfh?j*RYKk*a{B1+|h(L`oQkZx(RtC(Dt6F_m_=lWx4%tS{ z6H>L>O~pplT8O}{n0-NM$<}pViR{@?EI3fc6An4m2Uzo}`wqWd)};q^%-{0#TqtT0 zc6>nn-?T-dSV(6;0a+sf0YL}S=4Q?4WNu<(^1nZs|0C`~L)s3H6Qvvbw=dvaXSIb; z{6J7s%6+vCm50WmNIfY9%atZB$%X_*fxJ`~4ns0h7w&#ZM3GGpob7k9z>r`7$2)4a zPFD(A@=7>*Q5l6`2YC;UPZkc6M2C7!Hu(ZqpEgR$lI(GW4K7zSAhqbd-QBK7`DaE* z9Q6h1n36WcJb#w=-Pul?xAx_~1%S0$p7tiX$LEI;DD zUfXrY7@HZ3=10jfN>*_fR7r7K|O4i&STKO1=^da>_4 z>Hdhvd1H3A{CcJPBS)pZQVWu?0Y&#GPs6HN<-He7Pq$b7TztHS`VT&aasratjEll! z->T(t9AP16Rlv8JiB5;l~}$*OzCVOPxl4MInzl%<$yus7w-4xsZC>EwCz6(A(R=$ob)E zd7@9BmxIxheZ5l0nz2nmiyrEymr}cr=UwUjt8E{z_j@fqU5uL=pXbv>BHwPQE){d{ zr}M=-Gsd3JmzvyM%N@iRq=;+p1bu^z-r*sglwV-%=sVy({Ne9kP{qIo{T4vhS=9Vo zhr&*O$W~@t^M_XEgXPV9=@1$D7c~TpL#Ua(4EU_=qZZ+Wsh+>3r8<__4J65ojU{A3djoKs9Qj>Zq~!MpTjE?D<@u(pG80 zV3i)LHcmf=UGZmtYB?e6V2KA!MCV_H~wk%GPK=pZ9KjL3`-u|;=u_=+7&t}=uqJ^|!6 zSTYzsm@C_(((t#54(!Vl=OLBU3(FMsJI0B5xNzata&kC>Fa1LG8{WO$)r%#PS0y-INL;$-{=}k!i~90lag|X?+ocCBf-`rsPg*H zGsf?*@o9KT@p zmf~4;bd!r&cZGT!QA;n^gHsZYGQf-KIU>DVMY?~D%{Ra`wpFV&ZF_z1{Pb7IQ(IKN zyI)w!Ccp-uV3g3+)Ma)oWnQ`C(o0mSmNDNgjb+-o{D6ty4j6M5El%U5=J8kJ&FU)6 zG7ji;P0^7nV%{sV^~9C&u?{DeZRS%3kXwt$Y=v}}+4Ma?3YrO)CD z{qbl1=AOcLtLL^rAU%0goiqhNUlU%X&E-3L)oSKBYll)h*I&P0?%rhDrgDdyov>}G zCf!uKLEkiHP`qdnEY!5*Zj39zy<+ETzWLvqe zb2XQI!j&#%lrLxs34`ral`_(q@T4jytB9(VzR*efamX7he*G@j=KBuPIZ_ZcIT=^T z?kMMsc82)~MRLOq!VmKCQnlt?b(OTnp;_XKb$LsQfbKo*h6V_|}+Jft0^GAL(2ZdVKCJjj@?MBVI z!c)P<+x1fqM~(Luw>!lmm3_^}qll&MO`{6Ia zvumA`vGe0quVqiI*z$9_iXqR}Yf}vP2a|Hfyrm`=m!E&uk?lHrigb5wN)+x&7>i%j 
za^Kd=uYTHHxfH*tmM$+Jf9#x#rTlCfd-~4t{GqJ+WWli1-W~6GyHDjfd-fWYb!HA~KSrFT`{9i@8H$PeA^S7Vt&TLKwp zMFLz;hb8WZx^Js3FBYp`=+B%@EYwqSQj6~~jTTG@A7+Uw;rntSd+ByuP2TV7nSBpm zdBcRce78Y_u*tY$d;ic)N3RB<7+{lnErs+hpeSOKdSH=yU_xvlifh)#qPjBg-F-3e z^F`eF@Z8a~{ME);1-Er`cK`Ou_D**5!kF@Oo(bto6%+i*nDjhc%ar?O|3$zekoQ&7 zf4*udUiof^zf~0a4t}%ya9p7|K9xJvTQ=$XJUi=}ve3A+o{>(Fnb0Jaqceg@{=c>+ z3Ymg^p$sZatxmQbPNp4B{0=9b?;-BHqnwo&3~Zbu&+1d6Pq9^l!#!?957_c2)oUxR zRfsp|2{r!9c7Ds-U^PA9y1v`0?;6UETFS4@B}dIA&0Tk?$If58Ach~`R_(S%a=f4Y zmj7S-<{Ic}Tv)evk=Jho+I!RfRm@&mMk`y-<9F?dxMW-$;vj5L*DvhXFNoJK>mcR` zI}e{=dv9Q!A6l>99;Sk)<7xwfAkdT|nan3^U*C6oGCUkThmrGejDOdo{&0{|dtqD;$wg7jWmUezAUnm#I1_?-R&As%m&g zT{&j*wZ6&W7u46Q!77J^+;vN{*VC@dFQ05t4K-O8avk%gSCaF_r_%-6SFX{r-46UG zkB*P7!aY~jl@EfpUHsi$h=n~VlrpM~0?TWhPLg%ykFM>f?Iic`54zS44`WA}lF8d= zR|S)-`A=sr--awAm83FFkmj;oNHzW49r5enUn-$*>(KWccjpD&a%7F`uvs$_TStug zic?Wh#TX0>b}NYKZt0u3d+lrhr~GF(f_-pkXp)j&`+h0z(ZrzXO)19B7{vr&WbaVl zC2s4>IwW^mNAEf|F*s_4wMd3#PKI}|DSr3v$dQrawX(|`mXRh!s^8#gA8*o0J=$_5 z9BZE#YkEGfmyk$zJ(26PFd^(|p}mU#DYyl?>73>|5a&7o-$@qoKM&y((n-g}v4I@< zG084%0r{i3sOaxD+ucJ_WNY;&Ed+OH@=9V7|DXj@gwFm6nf)V!EoYjiUxu-(&}uFL zzVwp5fgIBN#64bh+|U^** z{knbgS$>^oJe_?u%n9ITbjtR1a5~;sptESFd(q0@CdOwCU?;p)?P)qGI56Bd9^*c5 zntqe$;q-iy(5v%hTU^jdDE)a_JLTft`qjBAcvPyJ|7~I5it%yx-0+n!W_Il|dgWqV z_~7*=`A)@oobxK!_AM8`PFH=~^0@9>8k=Dcw!3nvCOh{7lU?bANk-%xq(cKj@GLpU|iVrw@^RS1Y#(x{6($u(X#>3V;jlin4<(fEta(LMk({S z)EB1BY&d{q(3L0olVd8~rAOV>I(=QF)s3ivhW~dk+HzT(mjcdF>@N5hQZ&y6?D%?R zFMFRCyhe>7FH{=OhEdnp^{$4q%=$W8hUKd7fj~MgW zmOm9^zo?wW4SC?cdL6#KtvEvI^q@sp$lSSk55Z5a$fsFVKb0^pzo>4?O~xm}S7(w} zy)BTJUb(HRjI6kLuh=f1cH;y$H=WYySGL=z+KeeZ(LTT%djG5*EL>ZaMYY(9{hku) zS@Bi)D0r;^daa;k0E=(tzo*My%Zc^mg{4#!b8fkCf{8f(fG~c+b(8nlV92QAt4H2f z;W0QBGzBS}u^Frra;+llMltfovah5j0+QaGY4=CAK8eRat1~q(e>N?W9;+Wh*^nB= zk51cF>we>G2Wxi!Yym|1p6X5wUoKrSOd<$4OGtW-iEH_?$`=K(DNAjN_Iy++*xowO zEj2%1xhg9?+A1R{Eln2Hq-Vc)0c!Mo`4?O#AGix_jt$i}d7j&?E9H0+9|uAT8Zr=+ z;A@Y?jx`Y=zlJc>eS!O*4>4LYDnDrZCF7Y=xMySfB(tQx2T_@q38R*;H2r4)rKFaZ 
z;P>59IRvYpQUjqQZ;-f7;wu!*YZn%44=txTx@_GSa&dv4u4*UjAt$rTiNmHATh_LP z459h)mFhup=a!B|tvGGd*5xC2va9jvXRhE&Kzi6>uT0ExjCF<4Q2wx7w8ih2>Ti|B zIAIyHmaLd12Xw=&$+Vfe>sO2FP4-S~^TY#8h4ro_o=rU!#+#YNi*a#314AGT$jeBW zXW~}SL=5x(=R+%r$(Snr+`Ed{e%z1gamgVtaR(Antf6#liKW##hU&>UViQPO*s>xH z6LU$g1dLfdTS?wkI0SOcVu`J*|Ikek?q3-Upu$ zhBqTQuAh;t4Yh5;ZbFz^zKyDng>L;1~w38V|*A6-zrUUnpmqwU;ys<0q0w0BAOrm^ z7*`LL456Zw$>NmvBLO@Z+ld&Mjo>6EJu3Mz?BNU@yTUo zGvNZ=ii>uS^IS9b`MSQ_f4%9Z`Z)r!7R1EwZlfjhv3tNyHmh_Kh@FXU_Rkn6` zETWk+!%kY-=fyoyvJx+1{3v8zvDSIx;i!Zu0+0LHcYLP;W=2!U5?TI%S z)8&iZ>6o^Jx@VNHHx?61PTi+O9VdrG&iyHwAMEcg?+t{K;SWa2UuTgbfP28s7m~$= zb~!n5Rr37FuluEjzlZAi_py1}P9#qB2!^RFUvGQ8Dx3rpM*#bBi;D)ORdpN7mO3kn z1m}SPUDgcKd@|hE^%SD6L`!=n#PfVA^wYDDu?5<+33t@QS*Gr<_?zP@U$EE|y6cgL z1%KkH{2vi~rIsP>IDs6srGHFIH82rq3Is7DA9@IQ<23L1a_6CSxxncinS40aXT_qXp0_PtN7r!mmuBW~*aL(myiLsQ5CfO}{4I65?zToEhwj3sQkPPv z=*yE%sS}8hqlU$wJJpwEvnz=EBc?_e5OqR-CDJHS(Aq-?1uv4%(nxYuilf%d@vk$Jo?bYyWBry)wZeN3JQiTT}r+pIa~)ea*l`QO3>iTWlULI51#!UVvD zm+Jf!#MezCoMnCmPZ}ew4D`G;=!n^$S7&X_O+`-gIM-Y$-0`37ank$pG%Q4?%LRZw z?}VNK3Q(!i$H|rBq)MdIjNw>DF^m&v`pB`}2LKaX;VhOzN-V^rPw;!5Y$g1$g?%4C zvIAsT$|?mZK$90r5VDQY5@i@i$c^eGvLR@AMy0U)Mu0A+YEuhdlQdZ`{QVUxFBAS$ zgl(QyUH;5u5<-sOl=bKxIkd?~mJR+$`pie-s>HiHP&2D?ZBd}ym#8tbaQp7js76@(=<5HC0h3B&)EbO?k_j0 zj`DM>hrG<=ma1LPiHW+)S%6t+U3>Js`B8m8hH)rO(B}tG&uCzvlpzp~HlC8GsF^EP zoLwnQMT0=e?0*S2L~PO`|aaSt)z%k&$)K}rQ9(wV0X zq#rSvU2EJ!8aRhR78tXeRyGKu)H~VEH@jKZnK(IJ>(HNma_9XzB}GTeV2+V9UWz^A znX$gt%M{DqWRiFtl45td)XKiz`Vvz0opJiqxCOaL2_;LBLnULDk>@3>CFQ%zfQ6rs$Nd=}wu2&+ zt$4_H-+JEdUU$gze&cS>rcK#BuCQ8vcMVQKe_rlivc!@c6|EYda;fz37aD%GEVV06 zoyuf9k%q1u(xRW5Ea9-pWCuMBnPQLC%#fula))_~>wY%Q`Nrv+89E}TXgk*RjUThQ zeWbB+G9-8ydYA93(Rp!ItnyQCQ@OfcX@56^^R^g|oN{TqO}P4$?CX#6^I_9Wm)+zT zbFefsWxZ@0)v9pVYVh=PS(%DMVs)lDqx48@WfaB|>1#u{y+MqDNSXlbVFLwoa5z}U zVu=84m;~irw9}B_35%UjUDF2&6vlu5Jfm!1m1Y(RUeM@ zS2oK$xZwA+fFvd{>Rr-UQB=6t1Cm2g#ZBqaE=jZ;`0rv0GqttI)`H)^{8d^)rf{^9 zMCx5JLO){=J`g(2S@1ZfG-&;cL`pX*NTa~@a`;T>G`**ieuXno(T2(7XPxcU;P=8+ 
z7i5E5XXo0@z^fS-cJN%E?tYSssj-)y#}{3WcPj8cHZ#|A620FolLLb3eP&!)p}k1VXoTP1WRBNT1pK+df+WyY(8l-CxV1cR_XLHpH= zY{d+ZQcFOa5{@PXe}U3{>3slcZxWBbjqKRB|0}WqK)11l0}873cht(sV~4FZNd#G^ zF!eX_n*jUDIZ0p36s7@G1Wx$M71`{_M|?F_`{#jaeniT4T}jW{01o8Y2eE;*y5?mb z`a@{e`8lfj*%qtW%Ah&>Pj4o1(hNl2N$(|h)u-}IzV(V|4Za^6Jd9_xNiH>ywziK% z9ErV_keLW>Ua+Pt{Yj;i{V6*&-YdtH^K{d)rey$eUPv?DDIGLumDfmYMN)4p6wcD% z%scJDF-sPN0lj|(fF^J5kAn`iR2%};0NS92)b zL?~7_aHqP={em?B6&{Fhn;rk3`1G|WKnN;cx^x>$oP&upwK|kiHA0a#j&NH&F}<+7 zcu;zDp_lx+d$k$0!x!BCR1tLDoisCN1spgaY(A z0-C1MqKQrL@GRsJW<-K~GU_!TH==FZ2R$~g_uRVP`E+_3U!c?uLw_cj8avF06n2&M za7brdAwOq7dulB@!^-&S$4k5!GQ^Du5+{EJRlBptlKuq&o0Ssw+P zAjV6TRUh!$7p-dW1dk#K`BygeWWbbG$%&og^@wo zXvWq>JRK6dgQD4vMfp6Z{B16S)a>t82)qri5gI0iBAv4M_Umv5tVfb2gJp1F((5Vk z7Fgm$Oo&6rP>>cUEwCI86S+!JVae3dqpuYnD^A~Y#{e|s35kC)49dm^YQs(V;sOgkadf?nIye9&zRVUT5 z=8OV`jw4ZI8dp=z#x2XhvTT`)o^spsdCGD<4&w9|<+SMs#+c)7%a6|{Y_`^N?0I!v zln2I#nN{TwhNwjo(<`s>qq#DKBE{8&Y&#s7N){A=2~2H)OOR6Q%7*hLeT_oC6WSqAhSLKIHAJ0hko1l^x-BP8tjho3&C8-OQ z<=l_y=Xx+~Xl>sWjp}gTf_I(_z0mpoRwH4d)c8P38FW z{(pkh3T=9fVXDCpr&`Vyv%=fJvnPeeabYD=_K^4O<|xs>D(h)-$fDe4@`D}gs$nfX zH2&~+x4q3XE!1~hq$EjIs!<0!1Qyj^OdWr#h@Nf+%v<3tc zQ^?5&^NPFyM0laJgoGLGOgWNZtH-5D!(2@rD00)kI`o?*F-*h7-VkftuN^_@<6gaI zQ8n&1t-?#fV@0Q=$=}iI+x(?rk)2gVEb*)i(KuJ%sD12Wi1j2TRTE)Am-)tS>5*vD z(f(P3rmP{yOUmpOysJuGTq7byHX$E=Pr?h zztthOQ(G=p4UPaPs;;F0Drctm4UAXGH0Du4w0s|(oC3zf_aT<^Iy`6YVE{;RV7fnl z1I|N{6bDwoc?g^M`I`zoD?{+vA<1}{guA3RDjb>vC)Jp8z)(8Igj_dEoY&uk_t(3Y zI-u*}dX6yp^#(>4`wXc@coTUgh5Q1EHt>As^PXzD^k65DW)9qJ_xbaB#iNK};*(Wf zn+~JaAuu6M{>q@B!C5x}D9Su%ii~;PwC_o8*-{%j=dgkbJX3}mJR$syM;d$E$}*QAF%s))}BQ#d5Ox78t1TFA(32 z&=$rRk(vx~6g~yV3P1dlhTryi=K4RF2?s8T0!Lvh-1T!eQ}3-miqh-2)<#RVnjNv! 
zT+?J5Zrj-Cpe@w8gG>*JC&z>`lF8UA)CYX>TIKI+MbQLez59Zm$CnaqGg`ifEywRJ(&z4vEXh zgp`uWiY(7D^TYb06yy&?LkKDAh>pn1p-)3LN6Z4v8bjP_Y(cgQP{oq(b;M* zkp_gY{(*>L3Ku)XHd6$GAOnKn0z(6Hgedys$^+JXb9OBMzG>A2UMb`{#`L9cVW90| zqnHQwOpX)FlIyAtfozHiTlkPTXe?E*3_nPL8z$cYLO7Y%0X%njAev7+4bI30IbK>+ zjskvD5VG5O-55!@Ebs63Plyx>Z4Xyago$7_=(?g~04p&GlbK+IZwqVQO@gA?FWg4Q zkeJfnUU@;4z3tI7DMkZ$M+JrWq7u(&PDz2ksi9{TWAX|We-#r-8k0M9`5hSObG+XO zqq!Bp)RV%eH_o8~ZT~3;V&aUVkG&JdxSt2O(np|1qQU2bYjpCU3@FXV$vEB$2vg3T z%QE4F)|z^W{^9nSeA{mE%b9>2)2YA6U1tGDC~4hoGei$Dh26ky2kg31N$`@BfgpI3kNxM=%`; z1LXa7iK}4$7MRjBQLEd?`3wLQa1guwbZ*@?UCh;y-!oGLPrP0R5KnN_ZYr!#)H>&_ z=WVH*4*yb~TIaQI6!#4Eu|4{tYX&{!MEHGnZ-3F2u`xDn82hE0JrRALPv#{+AInwFY2IjS{zrPdkkcC01leNxjQ^Cz;}&Ff(#5UX;tcDTNwuw|N#CSV{S} z4@5LZs~BaRvII&AxX_q9XPn6lrP|y0a4OOoj*uZf@ zm+6~SSgEi50Q$J!DuUVvFu6IDdm~6nSV-v1DbZ{GcqL2Tfeaks0y=&9F$Hw!91!d{ zz|E(Zz1FJlKWb^#O~{(=gprMXSjJx;Cu2yTo{sLNEwt922rJ;uaXz#w9f3;B`bGgT z1D^kw-H$m=f1$;qC5s^yh=CIp(@qm*Hy1bFU0Tv(yAp*)b|CuQ~;=L zTEvHwE;vvswVFdL=je3&?b1U<9(YV|CV?7kVQzsAMt)paf0T(vBZ8hh1Drde(w=g< zAsP=n=}*EmCLl$;Q4k(d{qp%?LSBf!oRaBNr*g+?$0uqZCe(5r7sa^?28>LmorUNU zSL&A`2ju@1IkreC{W4#BCZOtMKq~nx(5Im018$b+#XWJTl{3;_Uz)mg%R!Rg*H}Ei?{lo7~w1VO24mo5_0z7S%%HL@i_AmcuFjD>*@B$Y=#0Xu=E7 zu!=ra^eQ)J22C88W+x)JgcmHc-dTW9d|yZCqTbsytdKb#U--8}Tv24)3c z2B_1(FJ(Ot;15Cw3((98M7@HTg#pJxl4%n<37%2tj8D`z+J^2N0qt{mT+s3rxvj0WGdRj6#1|%W0ZtTbrl89sBU8xRAryw^?bE(cdCAtR|bs zzy(hoZ+_YimElzZOzO4Vy?vFhgQ)?oN4MuWs~f-jF>=ksQhoKpkYnj&dhnY!%GrIY zel~xY^9%9P2^qlbXq-Muq`^!qC7v36jUh=7Wl-hdMG<4D?i~~=%=sUC43q}hAA@yr z^!;Tz`b~isU^Lv8*peCp3~_Tu`6iAP91@*1#Vg+!J-)1OdH%xP&Fg?`hwYGMowTuQ zCw~~<54gwbuAe5G5NCaFGd}_f8AM86I#9@9{mhU46EZW~kx7Wcf&$`h4MJg6EObuz zpa?e%_eYy5FOxapkv$--F(Slg#g6L zUkr&UGvoePDG}IQLj#0mfz34%h*F}+Aeh-5ZzQV#Ro$vNPn572FAbS6>lmQOi&5VN z46casuPW_;^pab$v~sbBn|yHusXQO?_Ug(zM^tm!0FRq6GCsSPK zGjXD8X`Yn@2XI4IuBqovK!~jIp;l$uTy`g0rAKBj2%H#<>LMFjI$ldUrj4jS{6;xG zrDPuD?`f(=?RV&7K$|$E4yBRTAqVs+J{sh9NY?PW#^)R2$dqM?caMaPH~NqG4GlOE 
z+^_T{l9tk^Zg{Xrf;c4o&2p!BDSVS3_AzMVOsAxhtBTm^dXG?a>ur*^cbRl6(zW|X z&byD-IgjVjmou@JHUih+U0GdBr3er5RA}hK^xU((>su*~#j?VoEpqhwvl5;93^+J` z#>TZlQ3!%8EFhyJAS7h&lz<6H3VO3BH->4cqAye`a5OBa$L{9Yp+Fn7zq+c+6dr}Z zASZ5!Bi;oBBLgfzXQr3PG@cR8{h~A|sRwaX9e({AZdvs)0kVl5Wg1BSN z#E|Pnb*gDsnnu!W6=4ToQawq{1tl|H7{U=)JSdDPl(gRn2m~oON*DqPG0S{2G4H&r zJ}G6?a8^)vDPLfyk`fM-eUeNcsqf0V&yFzrtLAX!SU3;v5BYBB*`v zm}+Hb6qZX5NV?>|US^P-5*T3UzyN!Qys01Y+dd_wmgCwZ{j$R~C|0{vmWeJg-qgOx z`3E)p4>iY{Y=#NIWc%?kGz$>WvRHlQyOEi8L{pJZagpojJ7mz4ulrg(JsEIwR6D$e zU?me(r2(n7JZU&dZ1G^{-e>X^BjL(>y84QdC6l8{TcIMwp~~Z-#U;?^ZOwr2nh8D#p>ynj2t=!X0s2<%X*F+Zq_-=W}pB z@v7uF?5>x!=^X5P)7-KOo#{t&Yz;MmF>*=cA}CCIMqu@+TZ2wGGgH0FzK}b3Wl?8z z_AOlELoI$ewF>ljH?4B3yVA=r(jdO=V zQ6tTY4wgC`eyDFIb*!ZZ4^gn>UlRev5`KcfFy#c~1<@GD3%JHF4?~l9vt|I#@0$RF zIy{lMpEC}ui0#TPp-n4QM9%8^+m*X4Ii$Gq?z8XZBz~qkqyZN*SNiJ18Yj->;0kX-Ot|vfr{9;qjH$J207p=dx?{ zu+~Q3=9OactLHaS_gRh>Buk3!TE7sYGg5MO#Oq`i!7vW8h6EKH#`davX}n{trq}lB zpvvq`g9c`B(s!vfflDM~yT)j9wc>MCpO*5aMH`D4b0W$nXqvMSOHa1pV!kj38$!6% zQgze*(q8R9PH7H1($YKg{FQ^Lf`6RK07p*na)H9_q8Wkd6p>_mm_kCvyGQ8-pqTLw z)PW#D@_#k?w{+sp{LbDrO$z7@MG@PcwDkAwJa)TKlufrXi}LBk_6Zxl!j^el5BOx? 
z&}84+qGqI_h@Y}*eD>tWM0<(Mh^E%L{IRK2fkh=xPUjp;ItZ_M794Z96Jna7G|=7k z5Ed8xnqH8inxSKNK{=(b>;@xYhVdu&1B5rN*e5yi7#O4&Lync*V5C)lmG?UN2ihF2 zF22PeOVlfzn#YDZR&uw{`q0*7Zv@3Vc$#yvZxfP5EsW_;;Pp5p4^gs37ahKgC9Cv> zc8w2@tTFbOTD$|R4*t{pbkM0g)04^=vRfBrg?9@MEqL&TR)Vv&3CLAm$oE^^>UL9~WH;2vGIE zdgC!h{)@enYX>;)@#8jQ$I$l<-8uG{V_Y_@T^ zkK6A?Ro;UCIrz=@V$oZ|l$j+#W)Ff*Vj|6&6>mDC9^8Bjm7a@`7CcE_lG4 zPnaln35WZq`Q+!eaGcZMO`&`m8B(48$i!*@)Br}@To?^Kjdx(PEUWGFVdNstb;GJG zmEiX9k-E(XLd+6SbniqeSVw)m?kTK_;gia)*s-#d7G{H>*gW)7rKP3S*JDIK)(x zdJ@Tz5MmNM(jaRLmbyWX@)4_I_v z)LctFGFbFk#|1do)bQG&M@=o;<~B1um_l-~8&K7H~ye3o`!hH4!bwsUsC66kp{ zS$#~%=f4V6q1T&N^rf(3*CPszaA5s?BY@U+`I# z2p~Oa{g&aRcewdnQ8iU=+|`cYfS_6X0V{?VfMElp)JP&c3pH09d^}8^mrrhxg(*5P zK^8m$hI6MNW#B!59)R(0MI93~F+AO@0^o|(0gK2km__7!w7?ZR;JQVuT1Hn!(bsJm zS&qBVtoSrfzpTUdtwt&%zKc9X6-{ZrsO=eT0 zhFxuI4v4zdAFv#F0V~!ph7BYElOFDbp*WGSlOkf&$THaE#^h0ZoeCQHhTH9Qia?9M zK6HwbS^@gd8n|!E1vTUy@pfil<%|FX_eIhIyaIs;p@m(D2t~dlFP>@u;Fsy5J}`W` zvk?yM=x{NAZ|OO8j$U?UT)K+ec|#l&Bcbnl z;Z-C4&cgtW0nL&{Ph7hI$TMoxx(cM1qi(5BRSpSB9wi&gK({n4-SmdE?;^We?@*)H zkxE*DDI2Lr_^mvLmC5GFL00qw=SF#_rqqp!+fK_8YuGn=RbZJz+Fl$GH$dw6@dEx> z!|Va6n|4SJb=Nia_`OGmHrOuRCuTflY@mDTu({XvP#KIeVD?vc&2ba2SFiW}(5HYh zBNp8!cQ>8)r-~h%4}9-&lKGh8oD)$y?r?yI^p1pRlAm(PhTq*#OLlVDCx4Rfw3$9n zMYJjzrrbP{d5n!-p|U$xsgTvL{=oR0930}+v3(RHmTOX!YqFWX+ai1{NtXFK{vO+; z?7fbFd!Afnc{Ljg+FaH~egT{r3R2=4fir`cKlz119m_pWpOVR~1; ztF7w-tYw7KZmYmr#wV!j0zA$X%YiEZw2@Cd%uwGI2GlYo28|O(vNA^A#c6GVADH|_ zwL>^duFKKR#TaSw#TB{ozGl(JccD+BX*;>CsU=VhrzJjIJ+Fi7MgF~m@E(~Q<@!%s z?ieKSdnV4F@Y&vxi@d6trX+>Gb77s;e`uq6pVMuASvz_sv1*ssX&E#2o+Z>X3iut{ z=iY#NHr(}rA(LuVk>Rag>DXnS8E}L?326l!Hzuhx!IpsIMy7lXFK2GPp}P}yr0@~& zmII+QDcNO0>xdUA;F9($guQvkz&0sLn4)5_RI0Lb0+Vs73Z-%3&p%eBvZ1cS?wYYu=q7|SS37v zNgD{#Ce(n15O>O3YO^3Zny~v~lFNslTjD#h6xa*IrO^}^QOm!~nL{VWt^MAU{Li1@ zMfajSfS@JA;!O7O5e^!2o|dzej+o#@#2G}JOpWv_K!CN+@1d{Xk+8^-J1|W>TD2Hq zbay=OjY2k!8AR~>5o{WR@}mVqIKXh$U<}Mz$I|8b@_Dee6G-8_&@9187U&F@BOTSh z(|MrzBm7gj%_1}NclF)0Y;FAil+Go9fMr|mJAls^RV*^O`*}W!|Fr1a`QoU^;fMCc 
z-3eO7-~^~mhs>14$NYS2uG~noQS*xPdu4@<+z!u4A@4Yn#?2YIG=$}411_etxo*L!iGLFwsTeG$@zJTsf9Eod-IsodfIy=rA2TeUHQ`chk;oL13PFV+sMm zW?Oe-Y>HsYzl$qsY~hE|3{$tjYD6de-S_!VXzk^_S9G#ylsWALJPxYT$8t66ymhlm z#Ja5N)y4GCmO;L)Ch(rxmtt6tZC-00myA3!88xFc*%@(1*frqwQD%A)bKvz+BM{iN z{9E4qohUQ}uvXM3DTaQ(5d|!N+Ba$!AlY$w|DuIih7=gU=>G-qm$*5b$;zQx znB2iTIk%;#fiL`<-j3_m{Y$o^ON3swc5hm&KYEwmyE0eK`(e?KgVCO|!*y(TPL@~C zt=Uqu2}U(se$(jM`e%tbHsM>_+vE0TJfuP zylv1?U& zy%{B{bV>r_s*11q#2O|v^zRgnk~!QynsKTX=)6S1@AAyBG4dNjm`~OONE@Ze#5U@_^)^$_;z{&ijnQf}5>_PqafUa(3Y5sCDMMzc`g5jq|Z5xElmA(_^DeCVEBUp`#7 zsw!l*8^dwv0f>;{$z{O%kz#3ygE=1L?GCa5Q_7mWMJIdb_vP5vbTyca@GYLRPMx}`Ly^I*J8rb1D3rFZ2qQO zbD+(?0hxjFf&@s+7WC_sZ9%7-VbMA@}J8UCOJ1` z{*snx8h9T9AuZuF+>+91@pj#usXFpwvR}6zT;h$xftbri-nSM1pllcM%E?Q>ZvWc2 zxsm#stD9aE#;xrQ{E}Zf{a4!8x))>Tf>mQ{-qfgQAr=l@;h`a79K1kd>!`RovH0h< zT=;}hYD%%)lUaEz7Btvg>1~r2-z8^0X33#{*uyE~>uv@|0rcQ|qLL@bo2;@GkR&D& z!~B2_kgY(BjyCrHhpMlRs%mS$rW@%-I3OU+p}V`gySp3dPC@F>-5t{14U&>dcc)1B z9q)aw{=R=4IL3lC_Y?D(&suw}ZB^b_eLK1>Zclm!AnQ&xX-&K^d$VUgZ}@2UldhdJ zfFde7 zCc!M)Rnw;isrU|27A3giud4&4^K5*bm2kkWhEVZYfJ|s8d=r@L*HOvwbaHHc(R6md zK{|y$Y=eST+fO6*jW1!t;j3w8H~CdwcKmeKHdljn#rOAa-SH7ushr zJj~xwvEXUN2^)b?RSg5`2t#^pVj(JN_u0O7!JZL{SiO%z-u}r3aFz(s`$_vz+ln0n zUF$EQM9D#E?ELfg%%E7pob;1k|1sH(_SfG>jKY~+r4|ng6FiLOW6^##x>m@%4hRgV zH|w7M@`O%b0owB6S;Psaf#+=;222u$0BvJ?t7uW)39BoxFp6$V6JiSPa$j+wg-jxg zAabE2{GYx4AgaEqt07|zuxo^njh0}|9qSqfV29v{td}rz9~`<5D|zpoYij9U=4w+C z1Y?@Gllr4Ufb=uC`+SE2-ZMnQl9-0d`wghh3SeP+lXu0MN1}kQM`&`%&x+TGx2Z#n zzrwUTpBKJc*Iw*yPl@wrd#055p@cNd1h^Pb9C!OD1svV`+Ir#JJJc#}bKjA%>bJW< z3$FXbt2+&L?r+yJNA?WMUVgP>OqOOKjR(&IxVqUly+{D=jCf zOn2JMPQh}YH8r6gEcYz~%}&8v1WGPc;&S@^>N!|_>Q!gKPhwxVkX&%Q6SXxj1_1B4=@4aa~N~9&AIN%~L7A@0f?KQZi9UjwsfxiwHY8{#e?uyPsVD~NVbeb}+ z`WhqI0>;=t*W-fJOm(uU{4I$ra2w9m`zyGD5z%kygDV&(g!fnQ0f?bum0dEX$Qg1F z%sBDfPGulA$;7tS-uMGjB~f7K-qzfR+&(qG zX9nw$w}J-D!VUMkxvIqp??a5-n7~kiIIk>N=D?+gAO-_ySvoBlBbp`|OMlj=Z2NB> z);-!{GX+D+J=(p~+hasMkox<-I7DM4o&%6)3l@oPKyCPE+H?6m^pMu^LH4gu1)nVw 
z&5f|4`_V)|Ui)Rj1W$=DDoU7R04MWLG)$wXuTcG;>plk;!=$QIy6rP1MXv7KgYNNA ztnK~VJS1J0Y9&84(RKEpdH2ZhSTk1XG8h&z3kYUI+j+kAeOg8=eaSPbMdCR;mySW^TdNQt%Xr=tP z5N*Pn(w)L}y0gY2_Uz5>WFzRxV(!R@xyqq@ySj*(@PNN;p$QoOK*c{pAOjkyIl)R{ z&UM0I-R|grPj8wN8Pj_MbwXYsP`6kkl!2FusU=fAm#!~Q?vvS~zghz%Fs=UPR z5HZQ~2ul{^{|wE)fgZoqs?nD2pre{*xbS&=s<-ieyYe-kccPG2wuvZWgOjexz4zE_ zRI&ug^~B?#CzJk;tjCr^EvU+xV`&XL+gcv5ye8{fjVSgZK5;4oy_K^lYd=R#3<(#L z5d3bVip(~=f6XtZnB+U;CtcEI8+pJtWLZS|VvVE83@Wm2aM0PyFEf7rZYi%7R;q=C z3EfoU4FS}tVb9n3E;ltx;?hnakFai6e~qnJ)e|+cxiX3M8g;2lv z_UF%Wj3!lkH_&)ifL2R(r+{97h>4~6zV?a%$YI*SFP~(ggwp*S?ZmH*JtD9A?m_uX zhklek6avn_kzlvvP_6@tX4fFYRud56n{4M1mM|L2QsPx5CFCk@VydZJ7Drbwscw8| zE^NntQH5sLM3*2Q{%??2XeN2>f`g=)&JKR{}Np1d+^(6e^6Wa*&(#(`>K%`=%OTZW3j-v6~tx0Ny)9a48FT(rCR|NugsH|4> zP3dpopDj3Q*0HmXI01F*vaT<1VyR#YJEB{0N8WysgM+*h<)oO5VJ)ziNKEs|$5xhm zS#C#aM6+2;8y_qf-$egguX>1`Qey4)cOKu<+i@NfrmiNA0QI38l&SKOZrss305(UUPn$|-L7 z6Gsa0FsIi8MX+0Fc0*@}^-T`0`w|C{^=5LaG;vf8QDs*cgQd@UR~Mvo8&vHN>oQuG z+^b@fGW~3W8MEGbHs>E!^h2RXr=P>Ha7ekbfBa$`-tYaZjzjmy<;Bl{scsezIuR)1 z5&aS@(~|Paf)C#o!>CGvODn4@_C>9}-<0#;mi-btRba`KafqIF!%UDpFK$zSN*t3M z+owRtB+f*wZKal?C)KACdMK&sb(S4K)i?CGSkxOQ-P8#SLbm}ln!;dX_nqj9;2y)=ek5f0$TP-gL@?7)NkZ5$ZKJjb_E>jI+j%SkpZq8_7<8_QQ$cWFAQtS;4Q*Utn8%Zg4Et6QbdgE1#&C?GXm! 
z%u+$c!q0rLC9Ku3O}VIknC4|0hQBc?pS-x`DnY!j)~h8N1gefqjaDlJ!jd>cIdU}c z$?-TrIbt-d!#8sYGihfTQS;9nxeUR8-`Zf_K#mHLLZ4w*K=;mhRUAxS`y_%Ukt%Er z`#<_YEFqitw)e@LeyA18DC|8KBqo$Ql<$lo@nB!DUQ8Eo9&`Uo-m|hNksC5-$^fk- zHSVpe9-5-10=pZFJ-Sc&u4x4kwq zFs>*tt~7*pK}HjDt}wfYxGR_5>FhJ$U4q$o1~RoiCfIJA4l8F*8gVS8vgzCMlw^fG%Rd6*Tr zjE81Hpt}`%rc8!?<)mv8yp>xp`$R`grxxcMwpFo&{VERZugJqC1cog!Vsk?!w(|3$$2PQPbevsg) z@xW6vZBm~ni_3elw>NH0ovriH(zM@Q?}I{x&Y&et-><-9?rYB0K>dt2K2RJ} z>#*ERvvU<|RYejNm+^ul%9OS77KW|n=G*x z>t6}q3hPI*j5$h=`?4xpB318<6c$6c)zP-piciE1^5Mzq38KtkXQa01a?SiPEXAp@ zHH9>x_SODIDM5*I#kW0fb#Roj{>~m~aQ47eMFA{@#`Q@nt4E+KsDFw1Laxngvc=2t zwv2gJyWCpZXuuzHCc7J^yz%9fF!fA)gem9D1l$<~FX)OT z_yC2E`(Vl=(2E?lWRCZffAq&lOF`d6hPDsJy{nmIepmlFhiU=7nFmoWA^1Ojw1z47 z^bW?BWj?2%wu|CL1f#+Pqk5k{+|Dy)nz#ca(E+k^t*sp@bXQ&Rv^xBn%o8F1coD)4 zX(T%N!<3;}mv!G+z}J8C#bDjup+kLAQf!M(q8ds-aMukNb0f~2$M)!B`xr0Rxco34zzaodWgskA(9)>d5PU?A9lnyvj2n)0c z*BeXE3C41wIx{Gy2o9@fP>9cY?>r~m8%L5}Hh)f~j(Zfg;tk6lzbKsD@LI(~&@ZOh zgSY-8q$8T^Bacp@*X*Fd|4S^6_#|nJkr|Te$3(H93QLoAkreDxldx{8x0cFwF0}H2wOb zzB<9>6Ed;^M}R*^z~kqaEzc3}+1D4&1J6eHs0~0J#XC4*%fg(2BIuC37^NA3x*>qi zmQ`C(3`cr>qDz zjWE3=|15f%@Mc*l_;2fb$H$5z8#VEw#pSJDd`YlSwP%H&^|yK0vu_y`OG^qkw$N*= zt+0sDF25hIlC?%Y3}8ck%59BLeLUpQOPY@9G{k$jS#&qqm+CHO-(|VcR^rKoEe0aX z;MM10TL{xk2CIa^ni~vi?Mj5gr30L&`TD!^0CNZA(P4PF-Df-jC(ye3a2CSCG(p7+ zwApQwY`Dn=Ij}=2u^p2xxY)?f>e_VvtmObcyFQus46kjh;4>$U{iiW1-}9YcS4g6) zmg{(5Rx*1g`t4q~7CaY?8RFcVCX9JE)i~(pGD3&>j=Qw)n!l?jSWdzVAK9TN_XDW) zVS-igVTyqWG8pKe^R!1@4A7~(h480LwfTZg zTKH&BSP5)HOL}8-BV~5Mqpnz0h7~|STy(w78i>?vr#H6A}-Q7LIaAeG#55sFVY>is6 zlQsUQqB<=I^<4(qkhoTUo3gQI!)tS$s^myM~fP;nbsHg3zW$84mz zWOtfXIi+wqKJMJPzO4Dfq%Ty; zG?fyKT;7~G3~d;q8WL6+Hkncvc`9F$z*VcUq?OsU!8B_D%dxfmgH7_8=}R?Oh~lRS z!Tzt=W1dG)^YMlPlj=G11fm)}%rP@7r=|G#isMbGyz0~u{(k7Z#m)Y)f90=54a~zm zKoj5Dp4&)KM$Ux)`*C^RDc7XeO1qX10wip|8g#>K4bG6l~3+rSxmjh1F|B8&!wXj!iCAPicsTp}>r#zka%*PE^KkQ(5NJ zE&?tg{i%kGY^b)ypb?#V>~|wU`uSmw9FOPD$l1Z|6c4E1IHodQ4ZD~5tvbQyMqj#n2aQ(vO5Ynb0q23ET@?=-*GIIU#s&kjWjN2M)QBh 
zvAt)lIBuV;%GB7PACVrkAtxcVNbbvW{ zILXX4;ASG3e5tk&bjvoV6l6v6U;>O`AYkZ!{xa~kQxuKHQQHGf;5!Tri2MdEm*b6sCN=&5z-|G<7wdD`meVO@IT_5jrFxqn&DdWkM{e$j4*I(A{ zOztKh1WDFpxcdJ53M8L9!KP+g@hEz2h&WG7`iV@#?F4jE9 zdmZny`DN%F^(C*cHLtzSo!+*OO>OZhMqFpv=|JQJE>m#ZlXkqFvixvl*X)_*W+fT3 z{7s;4>Z4J!Cs@7`NNb9PU3`*a$@Ow(lvY3%Z#C(bjERNMe_3ZnYV7)h*+O!D*}%uU z84qk>NvW+&!KpES3*CE<9?}k)soFl&Zz4)e)}2{?N=xpZ3s)8G8Qc-}AK(;QDnD(M z)cJXQ4bOjM@QZH8d3vtVCjR1xyw*15ij9BjnNGUU-pT&1@t*$aHrL}OT@hh^CG-+_ z^u-q!quv>!ABNbjL%M5br~@gLIRWA0(JU^0esaIr(z>bu(#3YdIyF}+!zRNC08}^ zwI6<7jZ8c93ywdx_6s*c>Uc7160OF26aqdZX~jXsFq>f8anOKuKM<)o68julH?{yo zFTtElKQr1mdFq#d#i$ReqraCvtPiA?@jJrxCjmYoQNShj|1});yp*wrw+cSkaM(A< zhDjkAu6=eGc#}qqX?=P?(bmo2`N^sEv|ayGjPXf{dH-EZTAT^* z-AWX#oIxW-{6Cz?XHJMW$v6WG*46yx{#z%MVUCxn=?y(>xJ3-B&YWZOuQQq>Q@Llj z!Hd-!s_g+a4syq>5pEygG#hg^Tl?IoY|Kp-EX>_Lz}$?SY>x|M#!!;7ep<-`h6o!s zBVbzqsV9w;(#Z0hQe~wH;t`T+$h{NH2VG5NLO0uP#n4B4yG`lAL;otvPu6*0Us1;v zTZODKz|j0`UN3hv>1v+xF(@n^;WyhCsGldiy&KaiI%Mp3z)R{s%Itm_iOKvL@Vwxi z>3!FNI_sD7)Sz*vD33PY`NOzTvqQcm=SgeH0sqF@kR$Wn9C$W?JKK#?;zuCeXs zx(b^%RU{Mq|23*Un#IKnE&;E7+;mmRO=Acr)dTi71AZ&3IXc~S8 zd{%<*W9lBaq(2*NEU3l10$wB=O`jFg-Va-JDbe5nC43^N9=nbUdU}3puH9Mj;H?r} zr&9at3p%)Th)+hiuh?mU`sx^UVNO`^m&}1x6F@CZ31hjJtX;+_DJ>~+m{I{m^;2Ym zD)#b8C76t ztA@90U~YPvRo{w#SEKjvvq;35COmsc+?=n1$=P9F)aoH;f`hM0F0tV^)c93Z0c6Ta zjV5*=M|%8P!%8bdh_h}pLW?=jVZvxVm8_KktswSl8T{rc_862QI&OJzogB>MgbTk! 
z{f#5au>F5p?`Tr8WUKk~x|Jc-WKuGrAT6GLT@crvcvLdMMRUV-VgJiioLfdCa0<;r zr9VxM)#uO$)*~|=`i5%%$JD@**31~vVEfV8t=X8Q`ghbtfAOYr(1zN+Xp+JsSA zDnqah0m>o^euX)LS|&{f-H|H4zw>a7m52c|Rb?%K_h`ylBtwXrCwK#;h#YL=Dc*wHrUJ-Rx z12lU#m)~%A;kBb(m)>l*EUYWZzaN-=8=Pxb8Sq`c3xB@WtLowSn|39f+e1I`-8IF_A=HWs@az6_Y^jG z0CO4@>>o1MzO-he>EV-)F2-j@t~&J0fF*QTr~lFnH3>xr%FtgORN%R5nX|*)uoKL4 zEcc7i7#)dgWx6S}X?jC1Id_4)a_&-RAV|rYYX=&zA=Em=nBQz1n=_sZvc42IvnE|O zA?z|^j>|Vor?^ALQT>iiWMHAu)hg!64VAdZ$e?ABGrH>Ovjf!rtB6XNPc=Rh#Pz+ z>*=0SE0MV}4K>yUAAc_ z5Df5`zk!W2AE@l_Z3J#OEpVh}FPf0(iRXHHF;qHK0ejz0y2a#lQBv>90*ek8KTt;#)wDzlP9YK_%J)jYxnEp%EOE`(*Rp!QQ-f zwjs??P8PM+LYQgIZugU3fE~xP6+DXKJM3+{Tl>Z8di6Ph#vt<_MXU7+9+)c*$TwR` z0z_~2fW+f?efh-UqTDDEE--KIpgxH&V1a($fe-~5RW zR^2qXi0g@ge646^-QLS-W?i9iljgvspT!}%(1b-V>Ny6*q**!-kdx(F5lipjx{X?3 z-D+3Ln}MVVdyPR#Z=myiG0?}20m%bG)RKWpDYN7jIp^=N2`I@;1u%kLFh{wt>1Wn^ zZ%&&bp!5Iw0C_%8$=@6B+Xu)}v&#RQ)hC)EPgqB{mC@7U*F0L!TT-**Ewwu%3tXL} z#xEC%<8>My5kj+?Zxyn4$JCUwNs3KdVjkDu=T7;#q&@A%v?{)F%_ZI!;O_Tp2u2cQ zLQ0e*2SDxwdxe28a?8n6V~?5PjPQUDh=0_%2XoxhF6cl2>;jLVvqT;X@PVUA#*$)^ zdL(+GHR~VOSKy;{)K3hZRJU*U0lAtcrsOT>dAv9$A>2^~a3z5KkSt%0(J|wMBqk_s zZWI?6{M}uI(Q+hvw8!@Iz^F$_Xgv;DkjJxt+{U^C@O z>HOz37z6A&uG==!6;4F(h`)v~V2&H!1(h;`4Pg+3{q_#2h<+c(syYH1-FFRze%rlc z&8cyq?Bl9~10)}Wu*ln)XeEWlt}CF~4gLMZ2&rx3$W`fgf5&g{t5>F?vYvQfnqMVv zZZ+6z_YA=&BhV627%e1Z1gRVa^sr{UpPnuTpRUZFc9$>$dgwT(50aofLNaEeu2-@S z!J;(}*SP>JT7~?|p^`HGhw;@!F9q z)qqoacT=t=kSX()>aET^Ic*b~T_aVR%v+h%m9#n~*qe8l(ezYVQE5N2_Cx0YX7v}U zUtxbL08{?J6}7!CRW5(sD+gDONOoiKkt#&G7_Iri1uT2Sn0t-n69?5?zb1{T#wWHczrozKKO9dO~y9VVBZR>gSP0BK>;QN)-3F@%}I2w86c7i_g?&OHZ%gS=auYj}i zvg6{?Af(Hp*AmMxid{5EhF{L`5Ye%RL};xW&If(dSkGn1AVvBIU@rO6x$N1q#B@=e zS8XEaHAI7(k1fcr)~k&A#^ciuB(fg+nbJl?b0n<^DL?r+VsC#|Utk-NM_&K@Im5?_ zIkuVbO+huIC$0HV$3{)+)`cof_nLE%%My*H_lI($1Jt8q4ZfG|#w6A9618izDnH&A zQi;ioP%3rSo69a2g(jIM0mHJ@O&2=1J+-yF#%EGU70zr*D<&6Z0U8|#bz=9QyHrdo zO*f8<%8)QKq_RgtkGiMDPsdLhIQ1&JAUi+o=>daC`%=S%lL^3XKK5PH&9|RX4NDAm}igmhwm0$?f)y)qk zYPhr4c5O{gc{fTI2*I0yVIal!ZZ%+0tAGWgTpQty{TnHSdedIuUR0_ 
zsMKK-(#jzL(_oklQ=Mbv4$?+Py6S^fQfisJQt4~Gg1rd~OS8kh(v-~W$%-|}pmok} zwGSLTNxwfku8H2)_+4m&;FQ^QT{pgmVK!V1r*r#AS4Yv{4;|yz^l4XF#lkG6knu>V zdzFEdje~b0@sjnnJ!ojo=L|L(J0-9VIy&izm zhHGA=rk5xIgj4t8Bd(5era=gnPvKl^oD|F5l_?YAFb#l!{c-usQ7xTTM&!cI$gUJ! znEo26H_pvWf1d(CIDC%^U+)(Ig|QV2K~8IZ3AmW?`@kZnS*cE9SJKd zgazNh1+$WCtZ%JamW3{LZNHpkW9jc?bS&|f?be`fc4b&+KT)HLr2Z-lREo)1z~ zLU*)8U<|D4ki)xQ*VT|5(-9B_`nGIn?K(MDveem3pLXo=z8p<6iWLWgz8{s(=1$9e zKR*;avX2|LO;umaU8W=5>Gm(mJ%uuh-QOn9*Xp z5yfqdnwd+8phw&p-SH-w+Wzu}fC~@rZ@`+N>}-PrwpEnO6zSzI+^#!$>vpJxKYb#( z7p2JW!CnznnHYe_GWe^Bm_d$k@XY6@nmqRbUR!97>+U&TVSzuzhwjgAlB%Y&SL;Oc z%f&IOrlMJdM3@U&nr6Z(p@=uI$)(tIZ8nxGu{Z`CbVysZ7Tnj(BjxpF)*mx*Tdl3x z?^4f!Hg;T*guHG?3dV)s5~jwAWk0_MG0t^&xJfHitXgCiSBBh#ODuJ+fG_N0JlJYo zaX+TOc6r=8p2V2Ld&guEJM#F6c)d2|%=W2hHBN7ptDG%MjF$bQy)4oDl$=b1`}EHk}7rm z6ko%Nc|KUUuhXP~aP4f-JRelsCP;TXem(5XwTc2E-pTn>a~{Rzy}~?4bdJ{rszF{;Z<^WzBdNYXkqU<)L(l~x`qk{VR8M5FrJ7YEBqi$~zmmy-y~rdeOmK|xLC8e_5q^FlEWVc9SqU9)l=-o^I~ zy}pL;Yl)NofVJ<3aU7n&A_nIW5WBY!Urh{!>j1M`#+75Zab^Z*v+|26o-yBb z-K*ZBO-s6j!!H1~5Ei20X06UCc{0Fc83i|74~rT*77TYlg-kd|9tr*3+&TF@{b+Qo zxp7*(o|pqIrofHn{iHs|beEXC>-y(jdD+VH2)Kb(&@AA5PlyfR8z&qR#CT=}EJo*F z`~md_g-pM@Lmg?UQ18oH2-0;BuuXH_#@*|?_TDJ@h*UJ`7{+FdFPk~$+bOX1^mn<; zS^8;`Foe@%lekbjg}QgTs4avsap)J-5$3qCtTEeg~y;Oa;qTnw`kB%ERt`-h)E0@IAKP9DZ$b;#cJnBJ{21d4oZNAWPvvT(o1a`&!e zu#LA?9iL$V*@8bOm%2pv|qP{5B-GntEa-U7}?B3f+xxX!QWZR-`?uAvH|?# zk{CoTc3^*b5QZ=+3Z~%I0H3*ZvN`>w3W(AHpXIz=m>5Y=KP>1imXi(Ok4^aH@Fh@V z;gq4_O`wK85(Obb>#s5!%S?GxFh?PZJ;7mZqV{l#3t~g{b{kgTVCg~Z)J|9Gzbl|! 
zYy)soZ>wFBf*>K^A1Uv2VpGLZ9p(Q^OMywZsX^tbz=!FRM)b(msDF0bqJoWGr@;{c@;Y-7w^WqbYzb~c(Z9H z=;DUwWW=_D_D{+UL1vxeZJG5%0-kV;l?J^NS(q5itTy}YjSoM#bO6YiCcV)SDA;<( z{Qm-TGQwX01G^`Rga!lS`V9=e%npR-99Zy1B_DE@oHx zqz`13aO1QmLC1*_`jQF+5BUot&TjP%a=$8xME{99-k5suo#)aX21f7cN z1IixZ@f2A790mP?)Lh|bscYz#>3Rc>V!ifWopw)}8+e?MDS|)y7EQZ{xUSbg#!N}N zY3`F59gyWBeUWkyg5mq3lcG_>tLQL7niV0%&pfOaEs=yi+Xt=;T9^ z$gMASlI7?@5oTlflqJ;mu_xwKull*lh0IQKPc%sj30DvvvTuOoGS6QP)8fa;S3?l^ ze6zBnc(VIbQiTz1k3$!wvk(;{Wbq@=*VM4bUw9iUYfOqC%|DnsV?6TX{RBE zHYy?^bTtXVNhFdV0yn`a6TyH_v(nVR=H>aOMLFMeB0wT!jsHzzG(fmAL7}kPa1ey> z4?;xrP)+o+)4hr1H)z3v>KZL3mlx~e<+$lgfyS%JZX&LFrZ!lzkw6}MHqPU|6HFFdqCLDU5$63>R zZNf;IHUz;72ciV8&~K4j^!l0f`X>g7CpS{iHK^lT2>CUHz$*m)G3OC6-?lN#=novk zgydT1O=0gY1QNBKm`!1J2j?A`Y>ms1A5H78*031YWEvlT*lI4eC)XzeCz{>}<*PE> zUGB-ilJIVnSGc0!&&ll}6SL?Nrr5!@0k}yw39OV%dmsp}ta2#+328(^a5Z3y9fKk~ zpo;M-*b-scR2hpLK-R+b{`5Rk7HOf4q()0;HOQri`KRoXSfT7l57&++6@fjC8cpks z!B(O~Sw38P6aT%tt5EfOB3i?oTVy*ylC<2KUiooc>|nSHGFjMaJQpTh!!g2Xv<2>J zr(A;7Ug@egx^Bu|GcaX=7oJ>Go^J=C3xmaydRYA4F3o^RL58Ak%u?bK{=JimsuN;> zgeuoR(nagJk0y&*VJj99sWji31>jiMi{?6@Y}8pC&25tplj$WwiRZ^KHQxZ$V1P%h_dl|dUzW@mg38ZTvf!-ND&v|n~Nc;)r5 zH?N+AQ86EC=0Cy(ne2mbn@2$+|4U5rx4t!oE)5vwdSRtH%nhF&3f$}q?v&Eb_{kj8 z&L#;?#1B6RA=eMUPh*S!De3T} z18D_UbS&aDhVO^GZW<-E0R#LiTP8YZ9u<$p6iRAq9Y1^Tf@nNB>>24=N7X?zKA`*= z`9{+=f!?qSiBUmfO6sibXv4|~_#Z_mTncrUW4l4LnZC-`h!~N*>4gi>n^!|t->Cno zameUgj%>r;h0J|K>{&oKUkqHYoDr2Am9Pbzh}%*kr>6P3MhoC!`|>zX4Gl9HNu2?61qx86ys z@|HEVnNUQS~ z{x3p(Uw{vUJI%tTlZU!KXhr99vtrf4`CUZy_p|+XDbUE z+KajnvuIf{3bpgN+SNYt!9=dR$}ts|eD#G@Cf#b66*H1BYL>4IKfT0jv?QzIzZ^Z< zn_kL1%@>EbUry%54DhZCgcp$QG8$S3IB$G;2--1@K*{os{v%z`Si+eVcQnm%RJ#2k zSW3+DJF}ObKiYl#3V0G~4r`1WBK@VPn@BU^)qp%eJ5QfbulIXELW)qlmf{sEWje45=!mXVEwHuyt1 zB#qkCdbncNgDh<~CUiNM0L5#O-O(<}>4pCTXgY$K9c&Dn-+;2Qaz@<+%3t2Dc6UsV zweL1WJb(7d{>7yM{|44zRSs+PdZ;Z?EfB=>&y+{Lk5mJ#iDPswlr)9|Af~-2o$mS7@A+rE z6QJV)X;|k%!_Q9N;8&{1hC+Px1HzBfbY~yw*0C#|XNl~goLjjRk#|nxUG^&qWw<~1 
zl!{JJ;Z#@P&(rK#k3`&j%H4v#Q#w2fV9CIa`dt_0@q`_xI3(|1FHb5K6?z8GOQ(e*6gulc6^Ab7QmJE0ObSwDhF z<*ojOgU6>}CFdk!DuPZJLNCw43DcB%(GYlp&Z1^UFPBK+?kA;V{5^q!D<9)e-TW3z zDq#i2@ zy%Pvjfij73sWrooUiyJX^iCSoG_SwVt3%sT)fNEkdOg8{ddrpl$p=WxBauWfJNsM4 z9rljJA}UzOA+VSxN`zflV8pnL24_2`T(Oux(qoL#()UwLpM42RBKTXTghzlZrq|JC z660Udghq-QmRhjZz){*!4>hE-zBJ<3h;?XI8}2gS-fET)9TZOIG)?aH&@(-*l+z!k zb7;dY^4ju@-SF&OLC$XD`xswBTTu9WxnqK~l$MH1otdmGx?ajvx%E>l9ufif;3p&P z3~zcT?+hxwSZv8_H~>i{p&4c$01P#;Dvue9zn2!dxE`7N z#^Mo${bL*1;>1r`0KB7JGKr0`t^@%Hobot>`V{q4*K2_*c%Zhi*48FDaP z4d$PaYk2vP^UHgEML5FBhSts|4u0ifYoxZ}jE*wJY4>)qI98|GrBD52 zM}pL#3|e^)vJWb2Q7Z1PU*Co$V>$BU0hojPArM}%4(1^He?wsl^cI*q7! zwgMeiiTu2Cbi6W85cXn?MOUW)wrmg9dONQq> zUEHN(jfq_}%D)jezSmWLJW!5V>IThLc1PF`Wj3`#ENPQ>_!Pi4g7J3pcQb# zH542da}pst5?rBn`k~S9W&nS)N)Fr%K=zH_2KT!ba)H0gSFP1M5IOd12NNaHD78v# zd+2`m8F702Z}lKXnKQ1Myv5N@Pp;iE67v38m=CGl7ic4=%u;`!Z4dKO6rswHlgac; z#n$H?$KvZs8BNyvZh`)Lk@O#ir8CH*Fq+Z!uPC~4=M1CP9r+;%?^|c>?g^tM@*}e& zm$rQ;Ez^Yfr^BGb-Pqp#TUJA1cb1`$hs}b*T$3mzMnfpZTSpSLKQ$WRme7xBG9!mc zg`UjJ@wFH_m2kbq`a^Lf^eBa_rZAPPo=i-3cRWC z-GaoP+5X66^%klei?E*RZTwuujP2k`rzilWQW8aI6@I zKf^NWpCqlZ%Cbz~=9@^~)ZQ09F81DUn1pW*y$Fj%{tCUCOp47a^$a}SS7Q9cSFTdwhwdu~hs>R3lj9{Fmo*mp* zN}I2y_00yJ;3O*48?N|7!dFTs{HdaU7ry!+Emcam zl2|CylEoS4tmXcMYW1qUhds1R=i`e??; zSki(PQ}yHQt@J-)+hc0yb_}~zu>{6%PPS9ctH3DzV3-9EX_9)q7%lF6Y$1FMojKOM z@BH)sECaF&#tNi&llvuJ-wjca*79hsah^SZ8NkQZ$sPmb@w_qlmD?!7py>Rby_#M z?x$;ZuOL-#bSB12Yiq*acoeQMrl7t)-Ql?&9G+HwErTsXXu5IurNqtI!sDk}K7(lZ zjj@b8OTHw+VX`){mwYpD9Ziy0Mh{CE{Fd11{4W%Ku%qI&yVZK6Z+AE zXX2R(6c)cguY&e0KM(H3N=S5PaC}uu35&f8%GbNTi%Oz^4&OO9o}X0cP95$hNl1zkDB)q;F1<~)MYuRXE1-qgREwvCe`FyK>z{Hk|8 z|DS4Z>xXa8>?ghouIAS|?+MYgPE-%0clp+tYIi$UJc6E$N0-&NWXxC;m%re8ed1@X z-&@h~zo!Tl(cqn?D}oEJy`LQvabpA1xJT2@ponQhwMVd))ejMrW$5dv9OqPu#^Ak1 zp!QrDE=fwp;1jlf4mDqr(qd4JP`#VFFVphq^nc2uIC7S^l^n-sKw3n&#Ng&IsRCq5 zRt77Y%$PH1Agt#t1NayI#F3@d))X8w+Tw@-B7>A6=u5EOb8&_6iET(U&D-y@tPsk5 z)mnXt8--VpM{tbL0-(q43OYoBF9zU*I*bmPweCerQGKd5O9`t<%dwl%|M_;Z!p^oz)-bMPn~7@ 
zE>PSk1QA>Tuv-6Y{TP{`V=4QcE*hEmS|4YU#XW2rRj&YxcX)l^GNwYFbDtbNLh~wY zaRB=yPus{c9C-&2jYvo^I@Kfg}->9X3P&r7e z;0P_?{pAkPl7g%DuGe%E4iY=rNJ`)*r4WHEaPXhidPrDG{AMbmJaiaQQEn3dPyA_NYB;t?83ZAt1+s32KN%#Q7IK>Fh{A`qkJ@=kTUj zWi~8T2p&v_!j5K0N{8Q;F;+d+Q;7Qh-X8XtDx?@#GSj_*8T*nD9T*LGKo1(#PHp8@ zrNIFd1{3MllEs>y{QkB7HZ7*m$O$UqyH+#a`|2CqV0ne9`gFe|$~1+1;wkl+_Er@t z_{1qn@ykumamWDc?L-NA@)@zn)<9!nJfZrBGR69h3YdENE^QcSr8zQglT#ZJcH$@q z>b);%!{iV$+;;LDFaYX^aQDGLKY($bRz2ILehDU-5J@O-;uIlJ<&E>7ZC0{gzuQT^{mQ<3gd6^Q`1dw;(8~!Er*24kJFm zY9gd$BuxBX3BTEh76-~qWYgFz0z51-^S}KZv^Q`V*oz}pTv{CObuQwYp6vxv`tOOn z6?r;h;l*}zTV0Yek3vT4pT=pRTZz7C$p>da^Ae*^ZCwiopqk8lJ}z*2#lH5dttFbM z?p9Yjh`Y=GfK}emLsXsU*JpUX{%G6yD%rKu_TwO6P5Raj($TP0R9>6K{DpgXz#oCd;{pS&D=)7|?Hqd9?2t4s} zN8|eV<5-vUI-VB!+a}ZW_W0e0aHwr96^q&tSD`GCaSB~Qk~bYcNgcn}z1X^jz$Zd`ha};9*;gVv?|9i=58)Aa|~F$2ss-F4wcGDR$5GDS-oqN-Ix# zQWG*>wdB|p-an&07M?k#P^?w>yxrJL-pUf(UgMhwZU5I^f8+)7MjmrxTfBGT9~%w< z-}b!bDzq~J{Lt3+_DD`&@x1rK>m5dox<4ULS!he`hwf^e#V5_78({oa=i~ol>Kg+p zU89Awt;x3S$+nwnPqsZZ*>;m{Ogm4uYbM*ao2+l2@7{Ylzu))Ave$Z^POcBA$L!R> z7GrxU{l3Dw=aoi=~VEVg9%%{2Db1cahKP&c11C5z}-aj+)lX6Q2vTV#MX5p=dBsfjp3G2lqk`K99ob)t&nIPuq6!RQ=;I1~?&oViv=MvGCt+0Y3+iWG61 zHR|U`aI^`-d?BOZ|MgFAWnoWXRei#YU!j03OAqSc{r5pi4fje0`aYdSu$|fLIRbUH z!7RfM#bGsF&N%Rq@AIvXgOg`&>@(Si)NqSX9xc&}34&*+{VBc<^30$U~m z+vRAWW3wBB>XWLk?g2oPE~;VZT+ws|!I$v4elSb3}q(M1M%s-KU0U|l8! 
zJRTxpL_J4r3{#zwj4hwLeUE)r|FU9gga7>P6{o*%=eu#e4;CGlFdLP_iR6(#AslxWpTtBWw*S}8 zU4+ED>%#>tZi*YgVIFRp?y#{0!(%ypH+OH_Q)jLy7nocEzoU$ z8qWQ#BUwd)BGP6VZ0SJx*FeX^v^4I;TP_RH!QY|Vap98;O8=O$H?lzFV9@KCo2Pv| zMPYsJk<|u7`s>_h&GMX!2DgL_!<8a|`U>LwtO?&MGwAKmJ9Fxl&Di|`x-OasV8Q{; z4^|dC#S;hTyR@b zRD9^DxmD4F>@MLr&qwF4Dk8Z9J4&Do-H*Y-0=?0cEN2g<#3?FYDH)NW;TBuENhjTqzw1_IpYRb);Y?u|zf?MC0 zV&{cl5cx>b%S*M>clj|0dK~u}u5PplJGGyM=fu6A$ep}>&@Lq_C%y_qrB3{~$);Z& zAtAoo7A5+GP359^f{_!!XmqNTJmL<$i`{ zudgGli@DGkMIC{nKz$aM8}e&G0ht|k+>b&Y>6x3z_xO1;S{Y^ZHkBB^83sJ)BRc0# ztyl1wU6wh^)q8gn@*;{Jr)DSYyFB$V^L)Hq@$D}Nv*1oT4E<|F^^N_-I0vo-Zu%Qp z48zJxOOE}xVTmS6 zvrpWlv26U7O=-yyu6MBl0H%XKx-X-zD9NbPOvoYEbiGs+Y|wk^Me?pYQ8YUmH#kk2 zMU{DSME*N^?hixy4T zyGgD%bLg=;zA)XpsVFpqHVvy&_)MP`EL)N|bu~`%d(I=iTe^$c-qi51){lrgVx$JN z1S2sXY+2(}0dS~$Edn-$cFI#Zs?lmMS80FyJU13bjdiR18{lo3PWH&MKeu}C$lLxL zYXsJ&2uHq5xLGkZU*@>pcbV3ZbyaOQGd;|Yjy03{yr6b2y-wI^tsQQYAak&Vxhz@Op`at(;FEU#hI-PD=qT6#$@_u zHuDwG?Fa_5@ya3{h!4=Lxcmh1)JPXa<>W%;r2>n92Ia7o)nY#yAnrjQu#}a1D5_CO zZA2r8fYH2D$36R3HeIThoEhLk1HS+OH1BWsa;2gHCG%5*^`RPCbg18HFd3P=d(36g zJe)M3bc_zhTbdn_KZ<1LAw<8)XJv&Wbu^T`H^b*)jad9W#edOUMtb8yRMRG8cIMTY z;7r|h40~3tPFgxA+G>bIr(EWpxI$ptO=O1ntoCk^tfHjvF)v(6okxrjq0M1I(YaS& zqeOLT1`UfaB)zX{w-MQrbY;A>oyZX(Th^3s4)~$jELFY%zm-hIm>`hURr8-yZN(N~?=E}KdO~A)~V_|W&M}@|Qil70D#1(Usttg?kjQPGL zeitc06k=qmq?JOdQHh)3k`kygN zQI**MQZdxOg=i9HXQia!mdYY%kE~Eosu|7lXq+Nw_fZw+b_E&hks5fsw|{x>aOJD* zA9MZsvWK5qFv)yUy#%H-P~K^I`yYo8tr~JJhR<6Z@qbfM$j9t!q^dt$dCb&>Oj4i2;jcSuuHX|@e(sg6;C*J|PNhSS@0j2jwYMA}&j!#Pf zhEzpUC3SJ0tyM4g&U1fJIdnMJ3b%}Z&^&AR|7Xqe)-lbu#HSJ7U-?8pWoLLF3}t7Q z(V6H+;#9AntPEdL#+bA-92ZbSE{5PSHaDLrKTNdc!W2zQ&|le%<`orsW}-Z0bXwJz zuy9oxq|Mlzs8IjdJfm5Cu2&$s~=tv2PpP3g=} zXrl93?_wU0NU{Rn1?9cYB@33@DkmK+$1lwDHd^+m+eX!S(pODwMGlaDtQqPP zV=G>61+$NvBh6^XhxARKj2~pi(Z&x5s#f?et_d5dkKCh82&}irGhC7+C3av1m3`to zb66$Hs2z@n{_A&&o`>0~HqKgP&>QCs?z9Ax;3TUd6mo7x-$t*mAe507qx-Rqn|XoJ z^Tt`8gK_|k+mIt`ddaq89FzGSkh8Kk|1$f-yb8E@~l!~hkdEAh*{LyEClhd zwz~kX_@Ce$;)RT9fhz0F+X!v%Ili 
z;vbmhT^7uY2*X-R>-ZKqO1|@kko*e;F`O&y%Q|V`ogrFU?^Y>3DntOCgs(GmG<7PL zuxgIb9JYpq>+!)8DYu&!S^=%pJOZM-Xu?Yy8V^buKX5(v%J6V<=F2Kasezd<@4(^-$E2d7b36^1&3?Q!z7qycMM3;JPVhu ziN{m!scZK@L6zxNuzMV7!-;ibeK0(_7e>>I{}m~U&fuD^IT0P1ll4)E5xOzekXj zHz@y^*q*nlcN_NWy0@nUd!_eBcp%j$RI0x7rbwPI-h&p>Djo-0BxcD}(-A>r|14I1 z{6Bm|zA|V{%K)&!p$J$T~mI)+oh@#!qD@;J49qw5P)^E~- z5GjGW-O$nGYEz0;zSI2PwI$?aqJ>b;Kb2w@X2*HrGwMm3#%oaODY4ZV67EkqW4jd7 z37?9F8ME}R{yw9GLrtbH|2!Mb_OIn^xx*T%wGRc?o4f$j$14O*uhSyQ;dT}|BYDez z-bYSND=%7PFX$coiK0_>;9g3?cWeJ{yt_#&7%`wOa z8t=8TAC*klze8k4Emiu!C8!$3ZJ9u0(S+4ok?u^C>&@sPL+vcc+8cBwAA%&tP|HjO z4=X~^v8q;^-ZHdj3c^Ptn?l(&bE2>NiTPM2UUm7u2xJBJgo|8vV1m?;2 z5r%4}R&7uZ^u3ar7l_9@?i|k>r5&sLAf^-dgo3_AL$l+XL_`m!F$A$`4;rIIF0mmU z=zn0+SA%j7!X(C&HB^yKS`35&aBPZ zU7E?R5}Kb7iZ}dfvzsl$`D`oM#sOn*xsPsvSgGX>ZqzNonMI*JtwnaLHjma6z!CKs zXHb=%G&5oh-4|S`Me1Lt4@*ci+IU})Y%{uIwn>WrzFag5xk`Est%N&7wDh3yJzYqj zd0LSuN(~JZBrUqtj6x{U5+@|^5+adGLi^D?2qIYS~Th2X=WVBQ& zaU+{L>CeT^LbXALchDMz*K6up28qAO)XTvw7lhaBg3p$M52wvDC==Vv>|X|{Xm?os zuL(t#XDA`f?Kbcr42y0c0^U88g-97Y5{$s*)=#?+)6>0RWam{qx?Ix!6-KDwDh_M| z>zaG+LE1l#P#X1N`NtdNu=E{SlZrr@^E1T7GKTSSUG>bZA53%l?i{stc|h}7RAn#s zg0*Ma!1s{Ng$IS#bxZdL&(ebjt_UJ~!j(%zi?G~GMkF|NuUZmQq*3=;|2FusNZSGb zuV#zr?k~MdTmRbd?48sNqp;`dQIyj5ul+0)PD!@oEt|XUqj2ZLgG|momK?ROcV}xM zyZOm|8*yPj`A4}n#-2P2ta8rBe{M>;IhwGqQV^wAebu*P50Yk=nO-)GP`@-~`Yg&u z6&=J)&{$$mzx%XswoSv^X?BcT ztd3*so`ttr2rJ3KuMc$#szGU5^V75!*gInnMvn;-UBq%0;DhL{{B=2`gRqNPw&ej@ zA=Hja6^In4(wLTO3Do;L(spY^CiFahFIfc!GYy}csJ7e_d-%GM@u#Hxb_%8N%pjJ= z%U+}!)sFvJJt%DSVWq8loW=P&X;=VI5PEpd$luMdlAsLS@TmWio`Q3ON3)@Ol(ZaX z)z5nUxRga3hH8$=ggQA=XX;v6JC5Ee$me*xF1h#ZnN$O;`IB(Zny4N_1)9K*I(_M| zj_7g4Km@#!iZFqz=Rb{>O$urJytAKRV{i6}0Dd6qhrkq~q zDAy|qIhQw90&I@OGsl(PjScrf{Z$rFI6Fai|zpYGxo#_cL~t@&5K zt(K)CK{b~2e|Nd9sPxH=oaScSF<)7uY~V|fi6>1-!~OfzPf{g*=|mJLEE~4D!w*HW zK=u%fVua&$ToT-)36BUMW<7_^5*31zflY|&??k+JB7*q0S@#+4kbdVx5NZpCJ;Z!xx)U(XO3* zz&?P+IzEI10SyZRx)5#30~bLN9a<#@`zc-(i>r`cxTc_4?)Q}U!>Q-c9u6*iCR|uH 
zbhS2LKYfhuG;b)=W$UOWMsLAW=NX!%W_EZo$HJ)xF@NVX*^4qoxof_9?4mUSO-K3^}RqeB&IKfIX6d$ZJUkGt7^m2LMRIT(0`di-inNI(V}WO{kGOB52{(>=(2 zufCZn?~Gox=?qacd(~3DR=)1rt`3?E1G4J}Cr`b*uAknijAK~;G4Nw|} z{RcyPH(U^g><=IeouWV(HkC}?l@HR(w8lpVTBCx)#n-3Mv)4jmZEX)`jb+iC{hSTB z9ckk0)ixtKezUm8aJ#DsQOB2*{FLOUS!E`^^tI9Fi?H6!Mj0xL+YjJBot1p^@uQ}z z{hjL*HO-j03`aE8QAd^A!ncBw%V(2xVeSZTYnr64F?^5SDrQ-$#Eg0#>^`%S?{*9d z(?N|U=U*zigfosWb~OC_Fy=Of%HM=~4i*-lV7hN}-y1|vl zp$xR{QMIQ}uBvmha{Wrczsw;#fA#(P{&HaChb0Wx(LVzw37z=PI{elb=$cZ`h=2$~ zh)sdgD9!>@68Z4P9Yk({?-j>TAa8s~g^wDvPL~K(cNNl$t+65ua_W^Q1Al6T(rg8e zk5TU`c)D0p+!?7~xLZQN@Vc75;vPa)AE0mlF#nUythEL8b2$}t@0XsIwngB=mshE; zKF4Ce0!ffGJ-@A9(8ml-{+U=9ucKQpb3V?M6FIilFG2LzHe8G7a*wG%aKt{RsOq3N zEegAI`Wzg0Lgp=o3Xb76Ox8~t5wBKOPq`NuAhl*Ga;6e;LiSPr z64jJO-Ri0!4!m~9s|X+L%d?KefUsE|KZl)uU)Ui=$@NeF1+FVWR##~Jd)X=c^4B3B zUrjg`4Czo`uT$5UG$cYlsWFW4Ho>7>**d75#Zckk zyUq9a*M>LEwT$Xxdqf8WY+T?&>)X_2tOsG=oQcSxp(qXvWtbC{sEA(fOk zi;2i4sKr~%h^g8ya&CR>xk!ent^98hz!gPDRQfY|d&PGUN6_oa27^d#djAPHz9}1f zJ$U>+mg34+`sHuA!pcpVwx;zfW)F7REr_M5i$%cGBYQ7E+_NU-4&go@uIVu~V8cva zF{GCNLX)^~tz0@BKVPje$JWJh;c{RUxq+K2*#CRGek!U6yZZR@)V_DA&B91o!Bw8z z&{!EqWh`3RIn{P!Q9^b!Lr9&NBYE4j;}K!g&=ak2YJ~Kg1_a4&I{}s3-0ed1P1P#N zX5YSrnzo9p*1$k|O~MKi*##x@39EU=ZmKp-dRTT{0o|OtOmSx%VmyAdmP^*R?=a;( zlw4s>wgDO@bt1?A%zTHQ5BkUS2I`!$m-+VRy(G|?8Hdb*X}kPOo7te**bE8}O)gka z+)~sTnqdN>%;AWCI|aTN9X-NcMQ#w3wPE8G8=wz+S?{T5J>+QL8;=;G(`F^8ojp^-m#o?QQpBSsPw^g8F z!!~I*Hf#^&fT%wM3IxCj4J{HJLS zGOIF&(&$|jyVVewUcaRMr-Run zdIm`3)p^Y5G5sjMHWflBRY?D9PQwt0)O;>0ioS!Wr2$HAaOoAu7EEH=%0wPutrwk! 
zP_Tm}SImzpsJxrJg?-f*Dv}OI&a>5BGjGyH7xh`~Van@| z8s{}VK&=}>1`DxM(C!c=t6@taB#EXTg5~8CN|T61b#(UjPuhWuB-|(pG>?z}Au6Xe z7{zIF?E7;{U_}&?X6S=4hS$q>& zZfAx;t@}O(edcW4gTHF<6j-#juCdToNn;&MZ}rvg&lr||8XSXCvFLU>(OM3u$>mOqg1|~|J}4=^jFK&!cX$z$;O<|TFC*XF8r~qGhha6+ z$wGPt#{Dj3Tk%@2eulCqB_uwTb7b%F26qX@tJBn^fG45*RUyG~E?qVVfE$Ye`Sir= zAp$7oN_6bpif_~EqS1KDVE#LMHsUPL&AGBzdo zp&Zhq4V4d%V_CeU4C|OC(*{R|pI;i&F)uxx9!+c&YWGMYZ!3Dc5EVHO$F!Gn7WDF3 z{hQ6fw})^mcWyKPn@A06FHA*+6+enHiazr(10K_GYDagW*Y(*de!=s~oxYuO4_3*~ z6HQPww0^At>Dn#2-=Vw zQ94(ZG#IC%A{FWdVlb&p>fq^+3|3<{wS$)*GZP zCOvrz2|uxk`Ni1esqp1k9;{%L{bTt$Ib_iY(JVb@UglS z22bRxT)<}JIo&V2NYc0dvBs9`1kt2*UhbY4qSdk`E0|iqdPP#(?YB2T?puT9(u5}>9fz4wle8qjuiSLd#e4|$mXwt}{e#Fn71Nj@7`rtQyE0J%*$4w5>3da0S z{e)Enyr2#S8_f|6sDoj=-5TJMWQIs|MM*0$9I3fkpXaDPNF~Ph31dDqgrQf{R9XSR z^KU*p!)F{yv?d~Rbs9##k0uR?p5*EV&Q|^l%NWHYn&Ci7iY3)4$=SpalfHp=QDZ>e z^}Ai?P7584$6+pi@7D|TztYzi8zg45hvA?_0C%W;qFuA`RMV2$euTVP+I+`o6dn>j zB-L!bloN}C=T1SmJKBdC7wvc`=?JezpRVaL4UL!-HwG=Uqg+g( zoGQ=6eQwFZg_*~J1$7@G;YX9X)sPD+exl`UPQm)m%tbkPk}Zy$Ki=ENIFb=*R3BqZ z5J&Nnp!dcVQ;=>HAhbKhz_wD;6!o`aw+&a=iCV z{eDNYcneEPdnX%zL3P^qlVN@T>VQ2l-EUDjoLfs8AD;q;UfU2}$9hjbp%>yV)0h7K zfgovB-wP^T#*3lMKL{3q5ER9yBOxV?u@pv{9)?{^71*++)cw)s=2cM4-DN#g@~9sB4Pqjie8le3EB4P6e9VH5_*Il}PE?}2va)E~a)D^t7{S4bq{9WAJ0Yuh&diXd zDwNSf5r+2Y(x7ALz+8#|Od#cd0y1_YDp47>bJ)V)VAA5Mq0VmbW@S*1Sfi71Q*_pn zR3lU!5q*!cEplLVetPtZY5X)0Nd8Q^LBe3LE7lAObQ7`25%%F^F9fy&zk#Djg|b!8 z{n$3*pIigGcxvN}Zf=>qGpkGq+Ix~Bw9u=2i%+D4x-3biU9Bv6pV;!tA$0Xn7baU} zEAvs&yHah?as?QG5aN6gYX?r1ry&`$PYs{#z+dq@!8Ms~Uq<%sFEi8kZqUmQ!gezR zd46PO+SLjj3Y1cDKO4KD(UTAo{v~-hX{nbNSgHMi(K}TTi}uMaI7xztjQJSONmW`V zoZs9C3s#5rONPkYETsaK$dC|b?Ik(S^$X*#dKhuQY`}+W$`dGvjmHp1f;j}aCJ4^G zV+;{YJ6ZpdWU8QE5oN9ZB!Mv0Mfg7kT2Gmy7=F9`Ey$0JkJY!Z}1|rk2&BT zqOrq*3kS%^m{H(qBE-c2gc#e~@$qP3!Gdlkn;VY-(eOb(Na{H6jkTb1Wa^?1WKCK4 zNVd1pK1#)#Gw5N#)l?{W+m^HsDnRCd2??iR{~=QUFvm;q@4|jb1GoCViAT7!6(3%Q!6;Ey%}Y)dGy#~QTrtJ}XkCo*K zOU-vIyXF!jg+}!JStofw#;6_i(?`cbLfYTKYOB(}c#7udF=$V5V+I>@)I>Vc)uEeX9$ezQx_{8NtwS9XGsybq 
zkjQ}MaPVB>iNy@)``|a`0TOBCjyj|2agQw|{i0i~9Hv zPAsFchZE=bM+9$iyz5~rA#1+TR;}UD)D?*BxAw#(zrd~)fw86`+0zCuUhtT=2JE#glLf= z5bMO`SBTr&SMm^l)YFPqX2oLE#=$xCMt)aqu}UB}ywp*e5&ch<^!0l)cPJUwBZMYL zxxf2&O&h*i+6WkQ5}Ey)Z=x~i)a&Jyx2lLg*8Sm#$J@7fEh(fCt`Pkf!!ngC_Agk3 zSI`p@`G=9S!M1}^!Yd9!OZ9BRgK18B*I1lu1gdn-r0mSISX*KE=c4P*UENnZXON;s z_ld+6wndpG%?hcY53+Mi_9tl8>8tmmMw4jt!UMIRiaZgp z*aghD6CpmdD{UzO3#46ixFGE^S5vUV;)n>PG)I}jY}Z@ne;48I^xR#6RowqgfRG9p zwV_J)_V8DDiliAMQ=AgT&h87!*=I&QAD0W?SQe~ut{sc0Qq~+*%%HUBBSXE@!fcQ# zTmwUS^?ZR5kb|FkGRGiQd;`nF&3!@ebI)_eLb^}x)IBQW^mtuI)FlCH*Ijxao!t5j zNC`!0`cyHQoYg3Hx`2T4PTK@M{3~N)1Cf4BbT@9r`s-&wgKrFYhgopcO91iZB+>fo zCC>=UBdw}$r*aZgWkeY)1jmAtZQHfi!Hx}rTkT^mf3qo-S!3-EqsB1D6>+xh#mCJ= zzM1qeDt>8=^yWr1p1>rB_?1cIlx0gd zXj-%kQ!x<{cL-;ejT-SdE0gg)1KBSH{8jM{mE{Y*<9MVBrDqnLVV907P46DWhYMFJ zrT7%CFVD={KczBD2G}YS=cH7%DAO|B6iUA?jUA3dJrVgHBc}C{MxWys`^BhiXjOQD?j%Uc0I%n*rSE$|JyRFfLwrjhweAe*tVe8vi zah&n0r2%DsLE}VUo~{(%oDv4mBw{WJKYh0Te0s)^H8OpWQUHBS)>ELkK}FdUTj@d% z&NL>Z%>-XE0UnXx^0BK&Dg4}WtiAGN42re@5guXZWie2GY3~5u)EFVo+R|tLUI>Iv1o4j`q6P-CX9PTlgjD>@AvX*pMETuT&C6`j+ zhW9Q&*dojWAoL$kxGiuUaoD(vDNcwS^3Vf36%keyWy^aWJH;Lq6+gG5`y?GdLz5d$9>>1oo?M$iw zmw6(bdW3@qNEEG} z)d)jDjCXR+)8$gp#0En=iq%i8xPjWmW2q!QLT1uhF$>0SIgPSJadN|+fx5*uhc-+a z=jdG9Ne!p%(%HH7D-L(3FHCno;OB3pH-_I!8<6PN2p3OstId8d4(#3VscqfN4aoZ3 z96^SAxP7OyTnp!;B;9{HF3n$X&5?s%nfv7lR4NH%2uI9U+XRmVEVQqdIkw1pY6jUV zBNJN_W`s?(-03Fy0&Q-WL03quu{^M|$QaZT9)))O`g)is!?aKt7566;BN_f$TqnGw zZ`K}JDoO|2@E6Et#KJAON;H>HkaH4+^8fL784hHW*THxUEIwicA16~mIV+2`;s2`?noT)*16>zuj#; z;4pKB1|2~29pK7b1wNo(^h4|E{amVvjF-HRlQf3P^HF93+}D99X5L()nVTY`=ufz# zom8+52f0|L5$_0+We6jh(YTrePE7+GAh(pb2H}h}(1zm!rT`h~Ob|@m|G-4b4uVM{ zd><g5KnMN^hpUo6r}9i2NgI^!h==yYXC*EMNb%@rm3VHN z;W>*(*-(8Dj7&+I0Yoq@V-Uf@IY0z+qQ>#dTQ-m&EUnFARt}vJ!ev?p z%;V+%?acBcPH2z!hnR3_26>+NpB_KFNivwo^8~3AxN$GRp)6T`2v9GCuQ_&e)wHGJ z#z)`7dr*yMn=zamua=TwJTm=qTLO;dHbML=K>FW2TpiVgpFa=;2^0vDfh-UtX&klu z;B#-FtlX|GOGPAu8rd$c7RcO)HE0Ooe2w=$W;pugyEkVBu^;H!u`-2%A%Y=pm7b%k 
zgOXIAR-N-O{Xx6~o!^11?s%xX+_duM)&bmwo)ZuT1+tGqlU7xw248wOUR zv4F$5w*ZH+u7M+#rCPwJ3h*Wrt}j9)?oeg)l?E2$?-$l^%wf|6U2wX=^qUVy2v**g z6=x8|Ck%3gBKW7HC^A^snP5dme?0|A(e3;+hdN$7%7}MUojf>CI?cX7G_R&KF8lTj z9S?N?&fNj|)2r{PJwL7<&v&MR&v0pMhmzn{*pwDyoqF9B(0*a^jJ8u=>vZbE<21J* zeedNoGv;CtBYu_)h&MLQs)_kXz;yV7&mJ1#R{jwhoL=l%cxT@QuEx3MQ!tM1C?eg^ zlJ?RQY*k=J7_Z(_*C^BMFC0ZC^1Oagov6N?)b3`lz}C$Tp?A}2K?z}(iJ7SHyAGW` zKtKD){LJ8)4Iv&Z=VG=1bAAej-GPbZlu|c@Wv7FLYHfbmK|eyOb}O?ydZaoQl2N-- z_V7XkGw##AmoFq0iiIK@WAUsG8Yisi(~!xU?{m3V3jGMW{#vcLD<8}|Z5?+W6k zsufx_iO|)|AcPV*!n4T+3Xj&=l!F9t#|5b_1C|9oQD68DjKY!hT5XJHM-(1i6Liuc zoZv;&(ixxj*6Qxa%#;vS^N8q}mx-SF{c$nG$RW&}xC`fxH%QkP<(u)tJ0RN^Yrnxw z5L&$k*uFBDzJV`AK zPsg2F5?SYgcz>qDsd@e z_vMCowfS@Uf5bWgU87x!O#&H+qR1oHc#XP6L94dLfaWatE!g}CXqEWW$zYe_570%` z!x)IVaJ0XJK%bOoR*N}vrCFr03#`lK8EXB9^Qg4C+DoFceiC#w2Rr$|2PgY>7 zw0TlX31~Fl|Ec`lZzQm2mc{Z9$;mMZ|J&M}u-9Qyl)o6K>O z$>bZYMsKAbG2ivHq3+Al>+a{1Ux9P$T4qYTyhDvpl++aU+#O=-S%BE!lZz9YaJVIt zV);hxYw6mhGVxyNPL|nu%}*rub-p8KNknsl)V*=iNgXCxry!KPhIp3*21nM}MDMu& z%E2(wewoeS6V0y&#JX-A39vh8T|roV+v- zsqLu5tUxyF)du!Cc!?2?%D3UY*yDk_P$u`p-hMe@_fbeh+lPcO!&c$TI_49S)tB?n)fJ_Z`A*IAh36bQTA&KNlXE$ zq84GAzPn*R-_eJ4^snuc1zE==p<&evg?^MMEJQCBC5pN}imd>IzC)T8=kuK1i}M|} z`j!Wg*25x-wafPz*=5uhpaP7@_Dd_ehOPsL=D0Z9FKB=4!KizOSjYjccP0lRM+JbCCnj;S-hjl=q*% z0`LJcSso;q{a)g(W+H$jFAWxxtefZoqf=_p(SRoNFwockG-=2M`kx;f!|#I#kppES zIh4eACH7zarE4K6rhwpsSr;BC;Ca2&J_yz32T4S?QVKtjX05>(^X5jOtMP1G)e>W= z6gChr-1Z; zXS02&2g%~^hkilUqZA7JGD*FYN(XgElUL3dawkj+Z>pXeO3lGc8cotg_++Ygen($( zV@46S8eY1z@JEJMUejQ3f1!YZxJPAyHQN3i>hAai6)pW~W=>=g&stoLZ!WDB$#KpT ztCR%EyWN`=3Va9wYI_PI0OWVk9TP?Ttv|c2*Z@hEZL+L4R{34iDNr5L3J}CeYr<_X zK*@B0K4{M-5t|Y9F&bKRT;~`D{6<{6*-G_6)ZaG9N%24VbWNHoC;W(w6$T6+K15V9 z1wIZPYCpF}chVQt1nVZS7I4Z~zCSd(8w;|3ml0@=F~|C9X)DKJCqS8iZ1%b>@hJ6` zhR%XC;$#;6K5O<8TqFPHN?pppG`J$FNm0fF+i=-sxU z^S+sS%@{g8x5I^BE_CnYIH1?U=8Kc(M#Kc{*t@Y#exN8VxIyn(X3UIIZ&lJ}5Ir1q zDPn(OU{t>e=yhh-rFL51!(*gLGR4q1c`x!Zy79&l6yni2w~@f{(%)tm-UqI_wDHN; 
zGa8bAX^9~4kOeIE%|fM`{-?IL6H7_q$s{`n;@f3fBL1X@f+uP3EO?wTtZ7B|m&yuA zm24%TUQC$^pt?A_;^%!qT5)#?csj-?(x= zP`c9a{j;#6p7KacX@bl#sO{OG$hie1LD+~p<5I^2d<*;tbc6(2lXe?jY5vhKW%>zW z}`Y#<{@T+!Z9I2$)Wk*CC ziCbBOH-dyY`1U?I=wJYV324qSoH(7C(oTI)!T4GcLoWLzm99A0s`v+Rrd!U)AE`|I zT!IZ{HPr&{t|gi&dMu2{d_x@=WX|qr%d4H$5R>&^8~aiBzmbxS3(Ze~rj_J^Z`Wxm zbHemC77W_Cx*_J<_Iy>Bj zv^GNIHma*vyp*rL%)#DLwn;G{eG?+tZ|dT^HE{#<`JmBm>K+kbOvEU9=0>MDQ8q_Y zq*LzX>7vFRI6wCC!Icz;NsVdAMs?OLSqMt!p{GVs1_LB6#jx~~YYQAPaU?3!p^R8e z?NdtV;xIbpPAQL|Qlmb^FlaCqKB;F-mclp1$IVCAPT z;3!nYpsLntWfEbVLfWd$trW(3lx zbZSZpAk5w(t6LZwvMZpKOOsPv@EHTqfwu0&#I@U^@YW)GVP(_*K%Aj#V(&=(k zs#asd%N!vKC##SE+l%-TZkB#AR#q3Tg8>BKlujwYv5ie5wHWtMv3^rS$%m7 zj^Qa%q|&aBdg;XXAQu5q$u}-AFtTcR7`C22_Y~jK6aCL=)j3N!N-~Or3wO=E5z5Y#T`3 z*kJB_W2We1khEVK^H303d-^7gXH=!o@@$|%bZdWge|NxQdU_8(t@D*nz@@)@8u8cv zW9loT;%b_1li(iQ-95Mk2=30{P6iL|8r*^em*6%G?he7--Q6u%aB?SkzBjpR@ne1* z*6HfnwQE;(pKiiev3sY(Cm{AF&YZ$mmOZ@+*Q`77bbZl8G}fWTLv8b?1vegh_{4(8 z)^2><1&q)v2}DxIA5hWg#)zA;!DzosXtTG@aQy(`2#kyV_T^e>H8$%f%;~Yb+ zp0^$QoO;Zt_kWRk*)4B#$CV_ZIujgG`85c*d&v;dkuI5cLt5zp z_Hxz_jd`_GsWI-%x@2SJOq|&@*6aBI+7?xiBlHkty<(#PZu~gef&%?+#-oX$vM``I z;<&!0V9Lyva~Yfad(Jo4pdVpX-$Ts z`(zh(?`k>V9mHEinR&>Q@1?Y}=dR85BH|AQzE+HcDAMDm$wsybHL(#9k$@G&Z^$+~_bPf;$j&ck^;+y2aB z*-=30r8Mp==iTXqmK14evWcFp-2IN&G*(aHyo-0aTDD+VY)XEq-PMkR+yu~qEU<*C z`579t=0&!(TN31x`N3b~|O5Z93~Dlro4O zQ0_YQC7RUk0pj3=%PHJQi;>6CMRWL2neFM^M4=?lci@4^L+Jd&6WU)C@hHUMXEuYD zJ^O%-i{E(12GFqL>8VNY@`sAm6hTwKw0y^~htrn9Ju4->udz=@jOW8Tr%D9|| zZ8;NpHAjnZjuv+OVhc0nc%Vg>xa}IOTX&oEn zi;T#UNOUPxH`&krC?>Nm{%?X_e|d6IEz2x=)-_LIklpZ5FzN?4PFCL$6E%+jooll zo(=4Ap&1e)+Qb@zMt=Hv2N1dbB9$Ea5z}D!?AQ8y7sJE1g&jSLGbCw_1az-g{#j~6 zZoQ!5$kUDK$xe||gwcwnqW!MpO_YT?4O4mod5N4bMlM|!l@kx&z>gpjthDV3$nk}= zoEz1OqDrpCL76qk8NI+D@`&Ng4DJC`)p6u&27nrO8J9%GJ%4FRfT^Sv8b+|WG9A4S(flZzs)@pkF-9@7Ht zCs0>=xGUsMnJ&lpti0bJYLMH=tdyu(A51Qa<7X-)2r{M*5V&4YXYR(MYYSP%hAW4~ z!T2J2jyMn9ePjo!kzhIC^h)$n@)&Mu3(;}*=fI%uDq4I`&S1(qQPmbQ$LEh^EiU~! 
z-8r}qiBSh^&9#cwr{hW&HJa3I(?ai4F0|~Yvj`hlnJ7nx#;W+HjKe;zC9GcsN5LJ+ zd+JHIf|`QnRLN^R0EgPg%b`bd{$QF9AJxv1baxHb0w44v+0d-d3Dsaav6trHE1=IK+DPzb8V-#4`F*_%8uk;CJiwk~?tiP<<-b)GZr|409k8L9+ zOqdanxJj?ISfg55YK&X5ovMoel^#39SY6Yl?+HWW`fFBot+WY_{5IKOu7#?2aQf_p zJpEq~8Qmxrs=F4;7yky)Q4o2+Y*sRzOCO+d@u?MyUP0B-a|z2;Ox4v?5`elS`p$qg zV3s>PNx+rcSU&s5N$RsdQKq9^-TdK#v}WDWb>Gn5#4A=Ek%C*D_HT0qYYx@(`4)?H zUe2>^8ZKe71kAg`!N&@8#F@$%)Pn?%d9)=ct(WCDkQ<^lM>Jih5Bx?m+Q`qDNcizG zZW1=Nm2f=8y|U~NoRFIEz77ar7-L7s5LCTOp5^Dzti&5*?1yk6~*{8ljB z@~))iacshCiRueC+yVyZIFO2mu}wT73B0eAOkEc_+YE+RP>%W0ljh;9p&Vik0~{Yh ztPauF3!pvvD4wf`UUbMA2?fg_sl`#mRMLgO7?=O0DEJk6Ub@^5apJ#Y+lW)lRdg*D z&-gtyYV};yr)C6E53|BC{P`_2tgXfd?hBnKtX<=E4VVBHt^P0A`P#@Mu0~X`!bd0} z2Dy=X?n6iczJ6hWE|TqG3a$;opLY+Ax|_G&PVAP{x5qfSFJrHZnSspML5}p#)usvP zINcfztFRZ%7(1G4UQYCV!pmn#x86lz8nn2bq{j*cYVI=+8qqL9vBRGC*6(hZms|1} zAHhacwQy6u(~2u38s7V>a^@GPN#JzPiYXejWm&GmIfb`5!zs~;wz6#tNt*E6aKFj~ zthVF$&%;*jMDJW}UKF|c{b;+d+^WrY&y}UJaxPUoo$l3>9!Jk^telpuxHs2J`Rgiv zG_}3MEx>Hz*Kiv9P&t@e4WHr+FSkd#Qb98feVt}2+wbJ^|FN_{6aQj?qst$bR%_xn zSLRRU5>w{)Va`bUsJT{zQsKMH*huB}C^@vzzeKnPw{~$JJ4`XRsyEE2bf21aqx;=4 zd&~6>Dj>9wv1H8OGNZftII13{2YGx^t)n~&+<`bwr~aM^>A+Y z21oL|fG=Y;hgsE1*yBSrInhEbWzmUNHNHNW^_Eb)XYUEUfGnaEmo~g;+e|62OxWQ@ zD(}Lz`B5;q6(HM(sjeiBSWuETJ-GkJ&>$)4&7Bl;s9){y48YgXia?oZ<9v*5h&NkO#c1pMtsjU@^!O{XoN?mob{A&=-YLnAZcZ zeAK+n8x#3$Q1^=sX34gs!_~$YecSp8UR#=&7fmN8FJMfQ$16VW zJW~Up%G*jZETPD*8FNdbAe*>{_mNMQJN=5b^&!M7U&Ne<{zysKl@qtddr^FjeMrtq zFV5sOx4){XHXCcg;(=46Y#3bANq)np@0Ig#;jty4A&^r0a9VCBYyP#HT=gZEvL7fxOsjqk9ro%jkO6VEm5tCXVU3w~( z#f0SGu-x3Y;Wg~(Tqhsjaf-nHU*!@ALk!!Z95CV$GG_7)Ts4Z1Ecw%u51;t`zD~YU z)4(#qJ6|y612?XhOli=iblf z;GjX%5gvJ{hj{$7?e6;1#gyt682k(%ZH~M<*hQQC6XFbF%|kd|7zMjWPuTn9OrLW z5N`ga9-79H694W(Bh6lIkFU%nHg7#%%5U3Gg!l*K_AR)8ScCY&C_+H$>?5F5qHV?P z!Iu^KAb-^JK9ohbumK9u4W<`u2Tv!>Ipbj-k@Gm-W<@va#B{g|R=)f3xsWjIkWr^)bW>SPXZa+=VB5Zg$Q@T#At6?trd_WM3n zYpj%Tj!(2tQDxmiAdUa?hSy=5 zhLi*MMaCf~q{=y;a3=UaXnNzi+?|OYa{h+qIjE4&{0A{tQoO@}6T4Np1ao$4PWmkf 
z8g>;OX9y?N(8XG*Nz^W95Yb)Ck)BEu?75CrZzz&tk}M+o%H4h+J&tn1L7-yk!vz7h z`^vh=$;2L7SB)=JkDe&6x|m_i+mi~s)Y$ULy;fxRt@LJ`$|i4^TFo`frb**6{o%4} z+)Zw}(I~-m*@LQit;@2X2gzZ%Ut6ajlCkQZA~61^%mv>)#m?lfEiTTqIQGvZXiVWH z@30*Pj!J_RBLPFzOww9i!*OuapuH9PwAzr2k+8!2jsJAAQD0;Cm!NzD0pzSkMek=N zP=I3u34(S180@D*x-tO+Zhi$@a@p)xxaMutWhJ6j$GHy7zzR4iH`_&l2bvuu9vD@h z5N?KWg%?|-aCf`Q1`j2()5Ma%F;u-{isj?wME5dq*z?7rg2#fyN^BrsFS_Y8<&TRI zCe9?v3FHVIM+GB_z<_x!n|vImp{^8()-5KafX~6XSjC2SA_tVl-kgDNLic!UzvrwV zpwQS)rG5`ucn-%*sr)&DAg@JB^RBScPij5LTjY2{nla0m+FX?==+?Jxk`F}M(S>A~ zVueJ5ji|VXeYYsIk?bUfw$r0dlK%a3jJa7(l^VW+kp=m@It>P%H%W;P4^GiUP%#Td zpM+L*Hn>RTfYt%u@m5_D6VLvC)sPW`l7L$3go>~OgIXJRCQl;5agTc6&hoi*w=zEP z;yArQGc#@GeC{#hn6HBtB{li#`LbwGP7{A+7Q@>Ea>nvntwGVEonhGGhmallurf_V zylz=-ZBf4lVIdyP{*hNVnwsPE!tczIbsX4gBZIoCyj;Z$j_BL*7(4s>Icg@f+Ecc? z{lVLC6WdNn!6`iwK_#v^h zi6pxHDBez1Dj3fSe++GCG_~cHzxgz(DT8f?8^O9FE~0fuJmoZJCHze5EbjFgI!86q zCxK{fd8j0L|Kc)czQS1`w@;intqieb2*zf+?NHIlogf2It{ESV{h}(egFMvNYAa^e zV|zPQ+v220%4LmtC+#k1OrSg*sY56U%vSe#q|4y6WTC(Z;Lc;` zY0ypUG3@JU=+CzEU~E4BnZb7UpDVAOyx=oz2vyQ-_1O5D?6WVV=eO;H4XKlfh&I#Wd0k+<~| z0p)1=Af)=|`{ta|titq{Nx^1vyDn{V*dfF_f|cQ%3@o}Ub*xT;>&wOS?@TwgdBDDY z_pORkPB%r%>uTG9*BL2OFBai!{F$l2l8Tnr3v30169tSH+=P+`g{y3K{)t~ zTa701Amm{>Ncyx7efH6NiWL1{j#X=>e7PysIZ{fW3aT?#wCv(%D`2BO5SX$*7Wp=S znpZ*W=}(mWv_TBgw0COYD+L>1ew@v{QsMlt`y?=jDg{+mGPwY&VpcQlYg234<~wAY z``va9#UrCA%%t`UF7fXv3h(L3UtWGskOoQc7Gpc<^GMGy&QkkC-i zd0ai;CeZz>^~oZl`{rnS!jz~GWykK{=aQ9Tiu;F?txxj24rfyCe=bBqbz^w#MtGCp zc06k3^f-}v7}{66?W2|KHih!}evLUSU*HX4ghR{i0dOt0Tac?)%35jiH?g=z&6VOVOskJaCsP4^$Q6uL_xA7MJS z&?-8}M%=a1D{9de^3q&+NfFE$i`!(XZ2>agqL!RT>4ntnrWFUJWi-v00zwsmVFtH0 z()sHBM=a*=h7*H5;aJ@h`8-&A+S#I}JACd1T*1%X8mc2!H)Lf45>PvEhpl|l^(&{` zEt33Hj8%4w!Vv{l1Z(vy9A%mR8*(OFRara-OvR~@9!8pG3!CPzKX;sG68nN2CPd4HT8I@hvet@d{wt^ z6fdTD2^rStlaZ!~7rVtnm#epyO$l|IY=OZFS0!Vqig#d?RY=Y!|z9j}yi@j6O1z^oA@R_Sxu0JXEW zxVig@!ZzIRz(W7ML;^C_I)7myUzp}0zqWSOGR&b-Td2qaP5Vs7jPDeNtE^w^(96s7 
zGkfTh2+GRE`#G%1apg9rWJr@0AA+2xtiX8ikQBWc>_NLgBX>+z4p<}$QCdi*kL&^DuDL~acA4*c0U8pJ;AU*l6t0AYHEwPokc zJ-eA>ja_jB&&7xDb&SKK&F4hR55EjU{!!=<^HPS<@XZYR z+3yEb{w67Yx1IPGiQV{wx(5F91wrjB>ga0+2P)t~D%X$9_woqozxs_S_lecHF-F@} zhGAxJ(#J2?-X3N_o483!L0dIEA+>qdNnAxqz{dE6SO^{-0TBJDB~1O z5$36Sy&Q>OUNylxBAjP_YP|dBP%~XAZ-_&^rL`X|((;ZuEoW611h2+ww=>-vhhnQs zum^{}c3fVHN+qLanXN{SPI0`J80({EF`Ucr?c|8vgEfd$@kq!k{$wfR+ls_V*=eM=LD)x9E_+`a)65JiXA2wzcm{ zJ>GYMX>H0{0cFOfPtp(VyeOD(p*5_8_9)OdYnM@cw3VKio@`%bO6mv=vo&&?XE`FC zf`HSz39YDA&5&+p9ESxAwkYw@I|=(A-#@fsIrl_&O7uo2)H!(^>IoYUEt zy1w1J?C)6b>;!+tCBko;Ws`rNSkqf3p|un8bCh~Dsp}$UaEuU*D9K3uhkWDmN{##Z z`$bWO4#Z-{`J!lBUwz%73Zg1uD%Zl15iXFgd8Hl~Z@K$Z?TsFN`2PkC>ph_&3yTYo zRh=8#3*qSU#|Y4nz^w3RgX!@=gWV~uWo&7;zN8(N1S zGyz!=SGje5h_{ta%p6zl9|2P9E9o&s+elLEEZ9??AVeN`Sp&wczYyiUc0e!HIZL3W zL)+2?RLcsQ6hUEZL=1mc)(cot?Ga(}<2QyzqJ%e%_zdGaAjigxC~Pl4_PV_BA85J` z=~x0I8CW2o!5o8tCMZyjk-i0MQ@Q)WP=dE{D2@PfXfb|S^&h^FddKN5c|S&5DRU{# zUA$S`mJUywIk4iUUr^*6=e$3{sU2mpapWKsQ!m{-wv1e99AK z7KW4j(u`3m^Cbrkgz}C26IFRpqL+1r%iXD7Iw*|;b`1qJ9C$TW;Oh;M#*~o zt*MI9Gby4c2_QEJaUezAsAsC+U-@Me1(fhWiMDCOX}=M~TNGzUh#Uf$w8DEImiJsx zG0*}DKHBoq)fkhFB9G&9kmnPt%ZV187Eh-8?xI79 z(eSTlhRlx!#e{UOkN0~1_^VuaCKC)e&;m5d%*U=xNq#5lnO;RcZNzUrWw|}ZcVW-^@HI7_LVpK@gvCBPGM6fH*VIOYD~7?ZHSzu7 zo76~_(g%WtMXOm0i>+(Q}zuX>ja$pn~d1M4Z0>=&n3CQ6{2J|iF zY*fbEzsv`a*r-@s3P?KXLx`ANB>sqZVNA_#*hT_wvYASmR2-m+lzbvqWSmT2M1qnQ zU3GCW-QF1j`i7O(Uy-x{jwax41Q8@vyK-x0SoV(s8c!0d<;rl1jc+u@ zFO7xV-?{2u=M?WwTj+#b1Qh_(MMcKrfaDe0DZv1h%fs3)v4dgOR{ydXyDMj1rvz6W z#}Gjr^K-^8 zny4OfOwW<95~>_As#E;YM%$Va=NymEsGstlg4KZ;gQ5#VeCK zo3oAHXn9M$RaunVnFNwD+dmLlppQx(t&O#o#gtV=M>rIPLtuoV>Xee`ilCs^QgISy z0oP{soq5;3(v177@Lm#71!Sjw@p0(5yQA@2MCh!$5OWdL>hIpm z)^bxX4jL?+o>So`>o0gTXvX(cJ`GrXbZt-vcm|(}H3S3*S#8)kdSrim2Y)Ame+d^# z31!aC;CEm5V!u=>#21h!FhkeSThGe-;XwVi7r+$~LTf)w@(|fbPI`#2gd~Mz_Fvlg zS!xV-sy!g$1zBF_+h#&~LfE627}{ur^OqbgDkxJ> zSQ%0ZN;4F^#?ePY8jX^wt zt#&FEI?{8o(N|WAr0{npgSA66zFpJ#t`!WTdU6qeQTj9LEJ3JZwF?2 zU~*dIOeGPEw6AjVeP%a}huh=XLgLF^yWk1WEl~i{5ujwPB+6T0n6>@#WhS`pf#f@O 
zYo2j&SILlWBxz=&W$>b2KoM+z(tBxqPa&!+((}IidI&J za6HsQPQr51kr}LW_5dr%$pbU)>dtYe(}FDlHFRO* zwd@MnUquehTS20m(cq9qHN zb8-`EnIa@r*NwUK?t1u`4!kPQs_Zs5fz~E}nd7q!f7-&2+%&DBC9Ue5{8G-v4SwyZ zJIZQ@D5;2QI z=xePy&;eU&7pppTwKfPz<)1A{{Gu~Iaz)i4w&>(u=W#M`Zq4iy_$g`s@Lj8Tft(Vp z`qbdJJVeSU&GqZ_*AsNva`wIKyb#mzOv!>kX>xPEz!O3P$xuVXZW{lw%qkUZ`{Xw3 z!F&3-_2iaOomE@%FM;u@h>^y`d_esPv^VapgRQ5uDT-f9KpI^tQ0FQ%y3>K{Mt1ClYLH{*E>Qj zhY0hTe|hS)pi6DhrbJy)LS5ChxQwKwXV(oV!GR9P2UY@IW33GE=&66?&=j(O%K6P& z-jf2_@ZowYTm@20GY+zNc^nLJ7wd?4S<_+CYdVm5sYKB?;}|r{z$NFXYJQF%vp{Fy zPlHs*ai|WQr;LZ2}~QAIZ)w1Xv%)=TU>JuUst2|NVXJ~$BFj;{YSJ)6qWnOoEOke_l+5=+Nc z-d0e)Gu?NyA`IS^#CXfnijqa$isG>ODGbR@Ow?UB0<;IC9)&7)=%?<`=RU%Lqwzw8 z+(U&WacK5R&;4Il2YCX0Ed&>PO?9r1{Z&D70sbr8ZPmWPV>IwdP@70f!RN zp|_?Gso`}lD~wmg`c)=|F`&3=JKndJ1dn(W(vYHk<^Zo^pl?1FMEppXP$WN0`{bsa z`f3Pgg;c|f&Shl8$wT!T2AAQMyuaOyB0y$KNjoJUA<~_=$|mi;RM7?B?+}Z;(^wDm z<$rnL!3N7EXlPO*cqpOntBrVS!6L{mr(ZJR!cM?oepnUF$BjCfX!M21FRXf5GW3So z*82ARzRdDFxgZt@*}i2lRdB&T#7}?65XSta`_ZLI$7fm3WB!c^-w|v_EccRQQ%6Pe zV=~!i{*XvR?@y0WqRCEt7`#s{TA%7a58L_a%Fge@sJ93D>3i7m!*p%NCqKuuKWTM0 zD@?#lDEV7)O1tJqza+a6S8DEMHw#_6+kE}eJ#%YX z*o-MDw9gcH79b+K(QT=Gor{j&*su z(dT@9yiTopT?Bb6m276MK2zh=8U7M&2C0Oh9R?%Xq$1w2#5a$FT`_spOHe8Z+!{U?of<5* zY*Jv00*ODY;N|v(M-WI+e0F0<+h$T(8+t#P_2gL*|1eYnA77qp){~%6 zE*-e2Kf)V2;y9a94~`g}|G*yOM>dNUj$$6(1LfS8P??dT(#xi-g!k|(B4_aPB6)us zc?vGh6O$4y6A5*+Q!|TmD<6Zcv*?Fqqut{&;Gt;7Y7N(rsCBN+?%P{271Egzztk)u zs?m$irz+p}Xjo5^l279$zgL6mZp)qwFn8vJl!O^Q`^7KX9X)6wq-K54mKd)KhyDe321ujy1n1$L%mEc{E=? 
z=>B;a^~rvX$D`(+T)nA(ZLRTnX`AJ6N`$Rt*J}NEAESCy1I?g}fURNv+5(GJoi1^g zw4#hYUzq5rzZ1K7+_HqA`u)>bzr#J@)=QzYwo_v}hUJ68qB+Bs`0)mng67jI zO~)t=$8CTh9j-NPyB%3y-thH@y@v;pveVkLeP!m`7}i}}&=^#OP0+f16UV(5|0Z`7 z&ilOIT^Xj{O@JGvo&ynj#I^~4IHs_S_LjNwDJwEw%yU>GKm{70X9heeA4cDdF#YS1 z?8fLV-e%BN3dAE30uYaE*(b6A@wfVDi=%j7Zj%&z*EPOln{|-z=Cxw(8hTz(HJxO; zZ-5^8KXrkm!`Gz0b&pmvI)T zTKb#^J+|~y z^tJ=_Id=kyO`StX3K&tFP7$wGQ>m1u!t5(asF5jR3s29rFXQ}M+bXL|F%s*mGb(6% zQAnuFDH8h%^0q3e?5j(U?PtMfQj`)2(wOdQp+0L#x@@l!DxX$CEk(!}ETF<^u4U*w zR2i6vzj(crqc~V2#!=SKTww&P9qnZJ*e@^&&*>F}6yj8Xon!9@JiXz|HUn%fMKXVM zNXk|JsR)u5Gsy>OxFl{*?H&xX8M|B-A>|;~y|NfQ1AMQt2pxvQz*H$yDg(tw2G7P+ zw0YoPb`-kmCDwQKR?+7Mo?4Db=?IK^KX-eLNNH<~z{&M;1Q;ij^}g;}aLl5_Mt{iK+eJW;6tENr&7-C3o|S?J^};zJMSgUGIWjjAh+B<_;EfdgT|2z zE1-I!tJJ{7;9D7}QAgwkZ8rW*_4-+_Zvzv+sJ-Cu?5yCMcUOs9x);}vZk_7WqfP1R z7?vr8oCBv8@^dZ*sW7RM`pHR%bK*V}=Sd|YO(N6Jx&7z?v&18MJ*Kuke=kwWRq!Gu zs$C2va+C)-Kx0QEg6y#X+9MIX45; zJ%2>;S$7y`BPo-V`qSCk@(Ll)_c3z>+$pwSY-F-~fHPVbTf`6$l27m+?Tbnl7@bt` zbC_asNHEmJA^=?Zpa`v`zJTHY=|Y?E^dWm7-#_?iOKFoBs%tAk;FqW}2hY%bvzq|i zef>i7v-0{*Eu7gch)^02`ln|}x1|-jCC;}`pKP31#=n)eP$fZA$n560bd*LeM6}+t zZ+?)ZneT?w(Xs0dIwEt(-bFgx%h-ND=Jq~H4HMC!kjT**Ea(zYwiA@UqRm=Gm?9{9 z^`ALY6w&qh)b|Id-{|R@Z{J-nZOuy_=W5ig66DIaoA0z7)Ol$Az`k!y@i6$Y@7V)23es5pJ z|JUMohEk;vi%Wl7d-i{_?R=e)OeKJLobK!pD;QN~AID80D=+ObwHb@j>Ev_uy?UlG~Sl|B{EF&3)tzco6+gdP-B6&S-Bb;L_CS#i6qt z{YSydJD7Q#>JB!Cih6Jz6}Bb0y5EQqU$I1OFtlf)?guQeYl((#!^o%03 zd~DMeic^C}lhU(Hv z5WqJ<0Polxe4PMfMpdI=sG>+R3o15+T6!jS4yX;z{7mc_oDuy@b{ejmqrpi3j$#hz z6r^{=o^A@t-Lf)Q^!4+C^VyM|6;?xoafNqF?>=4K%O0$&Ogz&_Uk2XO{b=7pgIwH@ zycZvH0qqx+wD+G9@zYmL>(Ia8vhL_6xY}5pl=E#)c%8i8AM{?B>vRWCx>IZC@vELz zL@Y4F)zQ|od-why=h_i__L3 zf8_l@u@dp~7pe})(B;e>riEkY2?bKeiBa`91?*6!QZi0r4SKnvfEudn$ivz#Hr5pc z7KHMdzjX^#^C4Ybd?Z8NZ)PCuB9P%}R8MCw>*nE3@rrYVmpk`ODiJHNsG_sdOYC$3?|qsCK+$zmQ9p#rI|~sWSH$K|0o3z~dd%s~ z`1DiJoNj19+gV#*LLXbH3w_0;QN{C8|0F%TeUU1Da(esOq+U#WdpOO5(Av=&e*ZyN`vH{o zksQ|nz1hY93!$PW4rr-d4J!3X3UTS|A}jIGzZdNZPj9r>=l+{u-fBuEXXvRX|5kJk 
z=yTFrUBQb9mesazfZ3x^LRO#J9>@ku3Xnl-xo-@mo}E-^RLYk~y&SldNFJo0-#(Cdn- zjE(BupjhVQcq7D5@mj-~ec1m_pR$rv);B%%EP2TE-F%~c)mIFMOQ%*i z&X^#o?P2$ZsjP4Ur?0L}(*3yFLO+JVIrqlK%I^?0jjEW1M$Wed)<4IqcqXS>SOJJa zO>1RzfEG9WqSwkeVO#B!wwpX!E}Rt}v!z{hc(a{$i(n%@)v zmQMFWBe*KZA{43C^XhbYex9$ViEwqSc)8~gYCV$lsq>NKAXY=li#~J?!1B8E=nazs zl2H}xi+HnJUc*jE>ld|a4xPULS}NC0g+lBHBw~9-_RGd7M6E_o`ukjPC9tvLPDgT;(V|~z6ZA12vikP?^HY3&{WJwG2 zj_-)?z&9SV5}paI`-)Y!hlQZgT*FEPrd}s$G#&zY&6fF*u_`rJUm|W|$sKH1@@xAf``MCd z*m9%#u5^a(Rc9|}wyHY09HF9^I!NNwtqd5i#tMh2B?#)oME^-N2|fsd&0c;^tA#kN(J8?j7hso` zx%1|5!ekI_ka*jkHnw6!+`R-txUM)1;}O_QhV7zAI|V28!%sx}@PE4Yt(#PCrk;AP zqBfz-N)RBS(IJW-SS_~VIAVJwl(+U+Rfeq`syGwhqarc_=_+b*yFtENac;@vxh%v= z&(cgn-&C70i}+MT+dk&&<)qff@-w88QrhVV+YKfVLSC0up*+-b~=eNHp$(>37_@*Znp*5 z1gJPUYjMc`M~6+#QWqTePvxvrYqDL(iydXbL8(I9???(p_6A-kro{e+GrX-7$6y}q) z%6C=w`xCGEUCB_tuCql)UyK1#WJsVMzgm;)2urs!k&gp69xVFv_hSyC^ZRuyGp%Ct z98Fq!0@(N)BlR9m zZT=x)69zV{!h0>?o6;qP-LX#&tPd0W9%4dYFb!s$Yi&q>?}Vi+j^Teuz%6L_@QE~n z)O+=rXFJ&2MA57kciX5B(tY8LgNbz1fhk3%JV3^QPnz?k7NkZ`D&BC>ZWb({FCYEq zCbJWZt0LUlJ+(PWc1q(LERL;9Z^u%6raMhJD=EVVED$dh zzaXId4jOgTp5$v}?A1zvud?gU2uN0^65hk=Y9?LJphjXm{+e=c2n80Xv-ZpSRE~W; z%Ql%Z_(XvDfsmcCE4ooJ%afsK!J$_1&jgq*Uf=_k^sVLT#@97ilMFwvVrz)OZ~~;T z)*O^LvM`~3XZ{j=xAuQ%Nc&D_1DcjLRyo9#e1wNf*$g_5f- z_yyl?b>8t2zLw+V?*=tKge$~|T6+DM=dK>Zkp)Dz8gvdLX3R}5ramk5jaIjjF`EMR zf+BR&NQ9!PVl}^*eii@ZfDNV3(ymUoBFrb+5%s+`)t2ElU_MXw%Fx@~Gk#AS;Q6J< z-Q8IS`cD{N{zwhpAKx;*{|49icvg(n-w&v)zQBuvj0! 
zaWz)3 z-?i<>2BD6f*?cG%NwM7?6E5@JhbUOu=*h!3e^%P%h{mOH?cI*6ZKZ@&hRen?wgz9T zQSg0N-yX)}Gy|$=J0vM?BLpf2O@vhrne=pjkB9pAZ6pc*;Opr~8aU-S$tft~8!EvK zkJky>-|#_RKOxKg@`bcak{aGEfNT4Yp~RZ}0DY0Jh`O0o<@~CC=-h+dmDs#4e3RN- z(m(5p_*-!iFLKQ|jrD%AmXCR=T(rQ6j0A~z%iijDVfeK#HO+oJZW~L!f5p*8bacI+ zr^+W`;3q0KW&Q`X760Q$`kGHuyowY-!NTWBWunDP(&ZLvY~+Z!U=fmF`9!U7UBLfi z>Ko(hZl1T(*tTuEu}*9!4VpA|(%6k{+fEv%v2EM78tXateLw&9_wIZ@XJ5?j?9N;> zJ9F)~U!Tz}bDOA|VdP6oc-LOHn^a=}uR0HMF?`?N%1l#62AZU3J!+X@aY)Pe**+evXY6i!S(44@s(9jP!FXs)h`=Hqs>}Z@Re;HZVT{N zlMJqE>R#2K&)^cPjq;~&;H+_{aiJB}R;O`NMjPI3mWvQl_p)3Zmam=_jyk`M4{6md z8XRKDWTwnnZ(BW(P|RNFx4^(@w5Vu!g;k5wt^b!bu4c@2T%_a4vJO8&R5{0 zueO_dT%(HyDd1We{qcMA>+c(P@~>-pq2UwI#~uf_g>_FY#QB{#LWLAgQ+y=i9Ow}8rZ9t_6M<+Nqr)|hr9o!Xe0hdk1spwG8(-A{Vt zrzgxX`2RyH6REV%x9w#%FmPWo!0k)yYP^UX0-DDdar`wuhtnQwUo%T-Dyj3O44^?L zw&Flzt^S1qV1)!VUhYaY{KnS!U`px=tco97gkVa}7+_Arhi$Ap3Cp&xOxxEdy!w~9 zYYRmK?d3_aNvDJLclr5X^VhCabwqWnbh%`LM;`eWARy|a@^0BtA*nI=b!RU zgt~Rt)lRdt1~02M>bVw-l!gs%dq2gzGFwLFJcD4`-W@2MLE23G8JL7n$FTiY#nB z>h?l9!qvWHm24)peL%Lx*;X67nP%gj3E*+*>!#h`Hu2QtIz6nvMpMx!cBZMk3i8N( z`nQkj=|exZ=k0*2_ug4(%D9)9}kritu+=LP6^E%K=I1zU+y(#f&hF$oXr+ip4W=TP5 zh-3*~a3t?FO?5V<9}#}`$S=fSvxo~_|q#IR0%*RVgQA?I% z=C&1_k!T1T8TjT~cvo+v*sx~tzJ?xPD)G0AAHu1Y3@EPzP+nzZgTx|YK7e1X+#pw} zIG7jV3}d*XOH29lt~<8;;qq;17?CqZWq$JFD8bp{UKx10C#nN(MLX8w(+)*Kdm?1sdtTyp-ssU{O3YZi40ciT(qo;7?n|6zs81NQO93!{=`T?(&I z)=ksEeXRH0`wl+8P3@OqXhN*8TIJGh1t+&CE4_EGcK_5*u279cv6_y$C$6Js>32{i z+W8h*_+5ufA?qj0At8IZB9(f$rEYWI99+|(xF({)ZqCINO%h(_z>oj(#V*5$z|N@_ zPRrg6<08UwG%r3r7qUVJF4;F7$S>SN)+91y+jY!$Z`{ycOWpP=cv-DK{y2!ah2eEc zrnFXJVDN6OssS3ea`lQZ)0oGZun>~pS>;-K^VO1SojU2W`V7QQtmViz7jUmzrx1C! 
zkRn)oRdByMQ!t0P+-X>;uVupIZKWbf34Qu7Kv?EqaRERbY{k!^eM zxrL@5*ZqinD)7C*O#K7jB$~ejS7`ru^ZM|9M|Vur$U<{4RCok3TqL%}ibqauLVSlx zWoXHc4JoViuhe6+!*f8XOMy}k^QnqM4D-1*LYlvfYj7PR4+^6RJR)oo?H&xO5uVK; zYL+znQG96=cfSkcBFY@RVT7#zO)6@4+lR7)yX|8LM=n zC=BjB(|hg|6}i_|MGe@0)OLCWcQ?<5vdj*)_gORYKU4xzS73cr=_Fq+U3-L%Q61OZ^v^TJgA{1Mx965FZZ*(cUY>A!Nx2uM7+wR1ks!dj}VeNkF{A z)DKhT`-Hf4-_k=B3EH!F<3=s_7Vpn-`5rH$uz*I%5#?%?NPE7g*OK$oP?3@n|g zRM$yr=14p9VG{l9%ar)s!EA@{e!NKM$J0&ybN!sul@+UVEjX^x6VLoSwY&Xdo{AZ& zU&|h4kjNRT6)P!%5Jw*N4P`#I&fp2la!E?x6%`WpUt%k-=Mf$$>}5baGqvUJQFyKN zjK-!=bcf_>wX{d8`90NwMFIlAxMjfk=kWe|ky1N-qBwZic$#mtLx?QW6js+)9_BkU zui`X)P>2=CjCP6*C7p z#g=qSi0HU>)i_w-YmRReQf1+dv2D(v)-)K{q02{eowbc*W&EGaWE$}~zoDv|KljHANUl=VW6#xm;F+;Z(RGqYMBh#v zwZZ;--MXJCv#0htIcvD|vXw_n+G|*kN!H6o|5xpPJUE!k05G$=V#N zcy0KRuE7;<0k70Rhdu#@#o+9X^G~qk!gS76M(6|Ctv4gQO7DfoaNLqUt1S{+IP2l< zHf=W+&2NP5E6J-qB@>q(-ksKbm17`+7JgS~SrtOM7!wNlDj5IiJex7K%x1@Vo?R@jVeVpy&YJomrx!OE#u`#q>sPpq~bg#6KEm6>8 zXOjD%QDX*y{8a2#Ffi3^aoKPC6r8NF5<6R&e{qRqd0K5PTdd?3=iH89-#^f3IBi|J zFql}A&T8)^cn2bHC2o{|_x2x{P8+b}W`AuC)TsbCfu;uMr;U`0DsWFBGR_L0MQ*wM zRa`tRTF8_DajN$A=H^k5ljJ{U(JHHy!kBa`k61?ROu-1K5K+}&VM&if_>bATeX)FF6!9cz-i+!ilw*%+qBlh z1g61}os8*+6sj}HIqAcuj(Y1O|WtaFe2HB9(uCY#8`n3vuhX}Ko8 z1{x;7m^zst^=AtdhQYq*y3j*F|Ng|E^a`^9ufyS4o`dPg$`OprQXwThqsst&lfIim z)~oHS_sfIR^sm=&q{n7k$=>3kHM6&WNdyMuo6)l!ejPO-@e34R`9tH{*ObXCWA^76 z0%%y(RSlG6N6MhXm-zSXrkVa&K-uP~Bd*qxBVeVr`v{72DNS&=H_PZcjYLL9io-9x zBvwz0kx2Ei|5`5-Mz3gs;nZGYz75ld2_<;<1#D#irjTgm{3AkzQ~@CCIYk!*S@2k8 ze;NZe62d7Za%o>*98{v}IUPnazqwG|S20iDZ7p4R<}-QU2agg_MDyO0r-VXXBH8iG zr+x3Nk(m%j(hTn0<58nFC}Eoj)bB$0j7$$(g^15#eEpA?vl(d&B2rk!bmudMiup!C z!+IxTbS0jk(ioyeY0Bbn4qvA^VNm>Q8rNA?3;+LU15;|fO-J;U*Ce&^_>Ik59}@tH zk-z)DsU*?x}vnbXnGa+C!g1G{tM%cGTqQvldd4FaLjiSF2z@fhh7 z59GCcPuv(&9=&Q{#(EvWJj%}hRsMEcA@S6`#qo&DtQ;-NulAer(vlVcmj!CM-Jksi zqo-%QcHN1mqt1suGD$qKF~Gap!;7mic)gPQ{-&CRa_LgNFlxV{2hXeSq7lgG{@ptN zhO^&iSYiFfi!f33u$G*d_lXFG zYN?8N9E!+dtDaZ);BZOgxPShm*{zV0UXf0Rg|x;hMo?9hNawe(n(hKM*wJ=>ZPKa4 
zt5@uZv+_cGHhxWh^<`LupNWXL!c6ThIf=v{DaGMazYF@8+=dNXt-T?}5)!S9 z3%M0yme~+Ux&ox+=z1)m#VJ{@IO*f}SDMHB!x1yKRlw%YRO(Jv8JX2xuj>h!AIG&) zVQ~;JuDkO!pL`mWMN*S9GC2%N&FyJn52Ht>bu)C0eCkLWfimhVx+&*qQ8Ium8R5y+ zR-g88>v=aF=|({cgUI{iQF&(arAa#~$>;5SJ(%f)cWQ^tWfqK3?I)4O4*7m;v z7k^Gq9j3!H7zrO(yOvfGMtE_m=O~p_w=2zOP;gWA-JK#RRo9?D#9_ag&!>7R0!@Ki z?l*AD9e+~GoHqGExG`MFE7*-{y57ZAh}w9Pc7aUnY9P?*ZC?K9^}Yx3lX6gAu#wCy z%V+wn&!w8>Yx$%j-TQG)zPYXu?t7PuH`(X>XW$M z6U_j2x#xddZ$K!~mSN8jUgQbVuc-uH2GdwTQVlNqy80&dB*BuL$L5~_+<%xkvCV^7 z7)w2YOKSqZ!Z?9lau&(yF_W9)XnCGSv;*nlsgVk*&`SzIOIf{(f$V$LL8NZ^q_LW# z&hS1uZlER%$KHNfy?J}{v(ZD8E6BHkO!1Du3xlfYP4kXG;2%~Hc@I^uMUg6Vg_27l zN38HNLt^HyN*K}-2BdG0itAdbF&-=VC%k`lTFSka>59IxmjuwrodbwV3&2gpdf`qtp{_-{+?w$iyiTr(wK?pvK92_!BUCPbbgzI&?Q0TMeTF^ipo ztLjVe|LO7>ZR67H<2BskgWB>N)hmwkG|Z-8BiHtDxCAAi)7oX(?{hMmZcJ%f=aUR; zwLG0KO`>m=t(>i|WrR$*819j(w?@tyc zC4j&w%SXwH&=_Gd)>DSi<0RROpSwkHzC_sRW_bO36ti8s)jMk4_YEB2AAx;#?Ig%?;cZ`PUWka$kMuu*OA@-BR8KHTGK5c-*|A<3n+Y+tX zL4jT8Q}7?$idLELdpoJz^=433sT+Rq^UcJ=p-M@axkLzLKYGJv;bs5%>*Cj&#gX*( zlSQqb^eL^0sCq=(@!pM8VsXM&)kqt#&9xs93+Pet{*DS>Crwv_PG3|Y)9Rpq zu7nJHvAu7h4;XBBhant``>Bpp)+k!s{wD2-MHjt!5io^u_l~Ytw<&D5*|(fzX_i`p zdgHQXyj*_vapnG|x{Vqw1=gEgz(0N&u7FVQhVkZa-QY?M%ajaLmh_e{9yHo8OnSn{ zE2*z2IP`5A&f{eAp8E+zZ}^9ma7O(G(dcPgI;K zj9-7-f67;Y#um0?XK)>3C2AxH<1q$k4^~9X7G$VvX(bN%L1Hog0XU!fUBDyWwLk}o z75NOVQqdI>=Xe3veKq9$XoE=9@4%O6*MCEn480I@M%&8RlAd-f#<|)0)^^x%N^+7p z_2~Z=r=9(H2zTi$B`4_3qM3>!XO)^P`g;6k(4cRlAyT)8DZhLXg7_}sqxm}5@|E1dt|e!Q8aa0q#5e5b;tXZ z9(-0E>_nq)ce*dwf0{XEE8@lHsg+1%Vcxi0(a{^ad6>=FG@5O~`%u}2&~x@tPeq6L z(%2ODTD`}sM5JEUiYkjteOU4kldG|eQLkPbYqYLWfU20M#BsP@Lgx~#@(|{}zdZOm zvHXIflh0kG9aMg_o%`KFZ-{7L2D{5-oYo$xS6QJTUaXi9QE+Ix6gTz()Zrj$yuA%= zOK|AtNE5Tsn(C;yp7=M|>9XM7-)O&qMI#J8FJD~cL@7R3arFz=GRX-S|5*2?S;T2X z>1GP+7nH_KUaZw3xL7nH(|t!iJ8$BkYjWUx3w9}Mb6T(1f<6lP5_YcF#GVx8zf_ai zj8wt=JD*ujaA?)8jdhWza_r9Dxax!6xGI|NyO&PtDcZ1e(dJhGk-ypk8+dxW-i7iqDZ}3|q9oB4P6Ty))C>>v_qp=M?p;?` zet0%+N$T5Z*N|&<8;;f|Y72Ecq*T9uFe$BV$Kg2*v;9H?E|Sv6@Lq2(7ZZK*E7mHs 
zJO{|FljEfWalT7ymaQoKf+kS;SpSuD6cv-A$5aafms0QAN;^rhW^_F17cB0dIWN`b z``u3}3kwD^!1zxZ$@Dx+HIheBEXTE|*_%AROPJQ<1^8-ul6g&ks8*Q?%2V8L6?Ay+d#y@V`BQd$ zpl6o*;uh$@acsUG=2-Rl_y(`xggEj!C8`Xaf=p{{F4{DXu<;Ydq<2k5TA&Pd7h9>i zsG|wTBA%vyc<#S#AQCTzBVH}Z-6T^Q)NOr2(WD`!m@hB<^ciZd#ps;FW&O_oca{dR zg>AB+;01Vy#)rybuJrEtlfGM6O+8!{xak$c(APwyIquo$HmlQLbYGjSI8PfpbNP8} zZKGQ#?A~VuIA_wD@hn92kouxwq8THTx?g_5Z}=p^Zwwk=2{8IUz~Fcy-;zS_#8FHk zD0=f7Yw4;vG!Li{V$9Z}+SG(ck8b^mFSp*NV!K~VOMhkGcoV}5+`b8E3O;!gM^S7d z^Ruso5bi_dc<-B<4)l$$vn(rV$zdY`0$Qvhv8Lczx z@#_pgRAATO!Th=-V)=>2UFW&zh9)^rw73lY9ros-E!y%a$IUp3{Ziojz5EsaMv#7g z)u&Q@(>vdoMOV2FLGAd<-89b+tu#-f#l4qbl$%uSPfDqePB;tjVV*UTR{^`KkvvVb5#z&|T7agnGF(-gHf-{lmzK9uP@ z)QGQ}OPbG_9ZKj`!mvI;D<8rGHM`)knJuyr$u2nL%X$E$(sUp zfWxC)(42NZ`4w^l-yO?UC2D;X3oP^fhzCmB@2Gyl@zedsXTMva@`T7^(kaCKYieE+ z^5cz8Xnl9vJ2iVZCU0b@6tv+N%1%T7`J1}MoFc7o%T~8aY5DqfMBJL-i1?zqdgf&^ zJMmqG&YO*)`ThZRM^;<&%)Sm)K^Qk!wd;dc8rMQ)O)MV#LWk|&3y@Z5YZj%Jwm%A- zSI6V}F5FY(U{~?PT@sWC{N3&d5`u=(?LAju-QnL%`exN%O$#eEd#kv}vKnWC@mB{h zqG!p+G>1he^60O%(&S(|sxo z$_d{V#fv5~17A;Gx3#yj?;uezN%6)r!&3Hh7FJ6>ff-8AlwLi)|OzSSP=Z#a6HOQE_-I_wZDgLX$3 zMRK>Z{siAWbS2tDxiYLd$?itodrYg*u!Dd7J=x2vG5vWnF)B|cEdX=##t?TFUKGwf zYIR}X1kT|5W%&kHAi*lp+P#BdSyHt#l4Zqz(CPacsZVLDQdhnUsETas+GT za+788#qQYU%E5MD^@RxUQa$rK3}X0qu1&f3K3i~vr|1d&lkA$w*U1rmAiMck^dZw7 zNibzSY+peb9cShu9CICk{~Wb=zG%^pA|1n50$(!O);<@0VQ zL*?JjK2x37e7~xAWw%`Fp1^dd{!ZlXIne^!OE1lql%!b4DF>I72xEF(UlC3ombc_0 zQ31*)i162YG{(;I^`@3>qh>%bP&@j)||WA_wPMgrE+;7mc6RQ0gN2)3;IG z;-r{{|Ex^=KB_t_ z&K@nSC0PRwZ}1>#sXNWS$AuW)!8W7=!>CF&rf7LhRG^Qrk)zF_nGWe;oNx!r!m?}1 zj%MA?ZRSFbrA5gJu}*O*bf;P;wNlqBr+H|=W4g7a*Slf)mEs&LJ)1cMwJ$F*Zn{J4 z(arP3keSDcrAr0N-?Wes()Gm9x0n%9?8Gom-i;+y9_MFR3LrHEXEF{3u9vy2oQGkw ziy;N(Y7X!x-q<>nKQXjZKiN@vOl5wQ^(M^3`)BoTZru*O+j51laEfeKl;dEVQ1%h= z?zwQXCKik|z;i`f;@;7@Dv1d{60eH3;xRy%Y8)kSlvob0)Y`dKVIqXSz_V`g zf}qK5PdalP)}Gw}vQ2e?da5B5ecc zop4$}+l0`<%h$p2^Z5&ySQE{qk2;?PCMg`t!>2OFr 
zI6D5M-;lL;ykNeOLpqcW=DO%0;5_TE)gD&7n-&5w<*}4M-SalE&L=j=s#B9*v@yZf|mlHrD3zBoOs@eIPy)V6A1o~jZHFO@Q?+x+Hw-@o;87WYE#uFZ2bje$@?2A+r)L_g@32=v2C`G&&RB*;MN8ES=eiR#$%+X zAD2U7T1JsN%GhD&2j8llS@s+OVYkUqD^+PjssZhup#TV*zz419liIVHy@Q39njdqd zNlYc(p%4+^OHfmxf&{@10+SQHpf?A&3a#59*vyTYxIQHV{;Z&|O%G9(8mlJx{GR5+ zb-pE%6E5{{q2JB~5m7A0oy+asvUe0|_4=6=)yi%-6JO@;_v{n*;I0`G?Q?0?PPhc~ zEX#$Wp8zR2vsZ*Ei(L);=(AVLRL@udnn$&EL~TBADx0~>QAV2~p`h20PRHTaZ5Lio z|IFV57{H8Y5J=;^^<}lIPt>!|3LwAhCCri9fv+3_Q7rwC*pg4Jv zld3;@g(9#RKS?G&7gm04kF^Y4JAbHr|5V*DvWoL7-dpAT)kJuES?2}$a3vVa{#-P} zl4wWgC1z^{OD?HT3!|D|-V#$oYUGCfkREP_TYAJ@Z|=P!6gWCR4}wv9CofThon;=s z%FETdioftmL?zPV^81)-YmB9W&3qm2hf;i`4uaM7k=0$m{P_H)Z4e3@i0`Q^u?l|`O;Fp zZD{5aHBBA{1e<>E5zRm&)a!#mvX^%a0e<*T4$g|g<<|O3k_G-n+9(pkau;pmgfdea;>Oje$ehkM4r1@tys4PhG7C>qDU{2 z$xh{L)q^I`n_N(!NpK%jD}of}9t|mVJzhp2AZtxC!`|>cy0Pa4E|o^Ra@_OobKsQj zB%THa$JUSWSEeGDlI6v_#(Qc=x+Ov|7tpc|+Z21Av5vs3bj`^C)#LR^w5{g?LxG&P zy?ps?l%sYQAkD&E2ujoM1}4G%>^%=Z2iV@a&xa%vpOKh$GJ?4e`TBrg!=HbCi#3HQ zM+@z?M-GlK1@xp<%K~P_?Bfr;*#|x!mYDqrPx@uHk0Cd;w4D*Wc#xq2%Ov)#Ok;tC zy(8wk_s&{;!ft*azPnTu4Zp+CTM0l;*3l2ZAC=wqcAl(JS9vd**0s^{{SEI1> z_exqVfd!~B1MU*5iQV@&0-Lx@iTX7ED%FV>cGyK369?ji(>Q(?-3h&pFO2$`LX+wr zqm71>L`1107p}Wi3k@Tw2iMgSBucg(5AOFD)nF3%MlM}JzXABxzsEVoo6f5?aov(q zU(JKbcMsn;&Cqm=b*RPT-@CfL#y$SrO$t)@xc5=*vLRE@%`~OPx=aA&71jLfN)As2qEeeNv%;>wxM-?x0W4Y0aLHmwWhPUkOJI#a^ObV{vZ9s|Ra z&>FcZC`*y|Wc1g`0=&mVnb!T?_n+PHIXzshIe80_sjNE423zKk$m>$4uC$sYZZt}~ z6fT3BV$PWMe&yCO%w6E^Pp?S(c!kE^-6!lQ>`6<^r_^f*uPhf$-^OIR6gR2X05%-C zyzcmqK%F+R_@3&YA2&rC@4irEaG)A(?@t9pzS-y!-t+h}Gw{(x7eFG$cC_VL(wySl zPvwtf5c)cW$;_0`PuIVBeIctru;8^Tf3l+W2vJ$?4KFz(kvB%Nr}dCjT)wT}GhjqG zAeM*4ob*q@kRqtjAum%i*1~#kaR!c(_~R`6bP*Hz+c*<5m0i(WLu#nLV&(qmVYJ|4 zKFh=2S@(YXdQv;y7#ytp9PUYLNapo$tf&Z4it7#!hSTc|E>gl4^l6?zFDwblt z$DWM#uAIrPe8<>nj60}b`UT8-n)|-RQqe;)K$eBoF^A(}ekWws<3ype2vxM#F;>%i z%!Q#s`>UQGl)jfeM@LL$0AkC%>>w-vE-(f8po}P;2__IOK`u!#%wv4 zY3pWdlU_(rz1e|qo*d4XnAP=S6Sls2r@b|7ESx{sV2+t?wk*C0a(HZ++=pIvgtd2I 
z`@Lq4O5T4Pd(wUAsnaUol^VqUj$%1adv5?gp-m9ZC*Pa5BOJd#AL=J&7$K=in4AHy zC!lg8?Lnqd#o4J)Q?2g;$mrDHgbiS$eXf{4TB%Tz-e!r&9hkuuHP2xV!re?J;l?b? zO{fTRU~iENlo~XDW<7dDy6Y|7Tq>5r0R3_#%alIZJ!rm5AZCWkK&QVA><9mu%2a`pFuy7g!M|5v#@*1&F~k_cwwCa7UtH zFxX9_VpX=~!RUNupEz1!mzUmF`b9dB1)>oExzi|q0cnV$v}>cbZ?isMteQX+s-{VHYr^Y!K=o%Ld)QJTCa=EAhthk^`o3L<OAOykVNeZH>-@rm?|sND|KZ<&3hbK{ZUJBj#uq$2*u{tc6`h%ZvID8okQ zp|RY9JCd?19*Lbp2FdsRf^nDa%5TA%UyS|1Qg+Mc2&rsiJP#)Ek*1sJtxC3V*UA_Q zUiw3*;k`v|cyf1`Bfh_4{8xlkQTS;&Yq{3P>J@iaYJr7t!@(z~L~Y}GwXYMYJqzB{ zJlP;vnR342cAz?rD4!U6VC+!jeZ!$abr_hINUNkV=kg5gbqXs|G*B#a%*v@psrTQ@ zbpz106sJM480@D<=+bgxMSa7ooIn$Wl$L4paY;Y_f-VFw=0nUYP)5wzpUo;#VLNT?9v^xh|uc6go<#bo%tg= z6|#5i{+Cx>Iq!X?UR|i#&{th~0Txe&YTo;#6`oBoE|01GsNe|r1~A!6-_E^sBGb?& z@b>yFxt$O@R0&6vP_iB=d=&Ye5NK2hLQGPNf?ZI?u1my?c|^n25JHI$}D4+!&q7T`-1o6l?omHN2e3pi_wp7#PchwXZdY2 zr6W%>5oCsua|t&+Yvo*kA)WHE0+L_i%SS!S_2~#Y32Ianx*s~G&9w2A3;R@1J$=Jo za=dZ}KKx)YAVq+Afi$EMwX()zyZQBsTmeD5d#Igj=vQ=_r+%N((|e}Mn?;7es{5)X zo2wEg$Ew@IO1_bt!BaRW43De~6_92D)kaBy07WN&-+BFkwkaKixg{?5riVev;*^^= zlq%-+N~OF0sabFlT+3@>ArBET8)Ds$Nh>n!Ou6F_J89q|6_WMP5TM8(hd@gQhnz@` z-KO*#B-Q?kl2KQ`^`$VL4-h6Xj8d(Pu#<+O)!xdZVAOU4pjkOn6HGVI5G3^EFUdym ze@ZVE_ey|~wT5yIq#7Ved2QW7TG#TGMKOi6n}4e=mMd;iY6_)USrI`LgluYw{C&DC z?G!RI$(cYt-DF1<@4B9vhPBb!=`7Ns;ZbR~1Ihi;pT-tr%ok_$9(vSzEtEq@a3`b{H4<3Ji5ld zdb)bL49Nkv)&;KOY;h8Ged8F9XUF)<8*w1}g%G-%-! 
zHL7y+A)$IS5i$&*;95cj?K%Bv9De2G={i>N`)b)J&R*VK4BPfo=QPAu*M~EKBdC#G zw&(R+qQrR!ibeEMXCu$K_;&29SW%$9|9g^fC=rl4G_dXye-r0uP`7Bdoe|@fnrnQR(Z=y`cblaE=E3W}wdA7dyr|uS^$sb!rQJ29{q_7oU;U?et3eCcDZ!N=Rr4FS z>wxKZv4QxgF1C&kGD8fHuGuiYtU!v7tO>hID3G+9-Cz z2>U4LzqaJck(>0o;WH`FmTXBiu<_vV4Fg=6+JMeTsG=@j-R3e8Ry0p{oLKsXy$4^A z6?FtkjlXm^y$xhU3cbl2y1Avix(4=FMT^G4k9xxrd=D6!Xb-&U#_q80Q7C!oUr?)L zU9QY(t#sIX>Z3NDw*83R*=#h#*URWJ*u}nmSV}^M8K9`U=rJidz6nkVK^TV-$y(hz ztkebj12Rca0CaVL3I+$L05=5qU(EH$jUMy3f{qNtTvxfM9}1A!qbbCDMPHG{B3kE# zN0bP^+a_t5-Rw@%@a}4w#PA@r7cro_nmQ_7ii0L2lEH^kau$WG8p zIzsYLcF`lTi_QAL0r~W|p1_g-88PkJUo`vt3Ue^&5{gKjVY{-AGR_0s0IZPb#*`6(iN(q>q}#pam!a_#uZ^HCgsqkw-m&$Qh~`K@Ay@D0m{ETDIQj9%I~UJBLK+Ne+2z!}h`O;nx?JGFe<&6+m=KbDA7#MlL1w zW`5AflQq{)9SkOme02yDsb(K{H|YTIOSl?(mUzq!v)W_>oW9BxqA(EL(vJtl4Lywe zw`p=ecQ@!?k)OH2!yi|`;eaCl&P}u64y=AF`A*X5hii*3>%I3mT=!boN|bu;S~M`Q zq*TCPqopn~@vFdRu=;9jHI36<>khZr3?^vaGK$M=LJxURGe~~qQq>LC^PbsK10*{I zw7V__|DznD9}~93DB0uuA@&!-o+uB*1Ip!GP}Qv36BFT<=gz za{l1uRSaK=WDVzpv$;OX5xVH0W=KhNSl(ABnABN@!3P36XE?ct2fsKWyAnMqzY=|2 z@b;Kj@P@7M@6Qy;mBWUT5kK5YMHv_BX_H(aD!d$6eQH_2^9J^V!>uEEO!}BNf|qu8QZgJyDKPwQ)jV zo*bs2tdf4LiZQM`iO|jKz;8kbSl?&J&Q#l}uW?dle)6EO$$P)wZPQ$Kg;q~fc{8O# z{H)ZOYdV@v41kHuo8L#ORi!pD>waYB_sO(`$9xx&sG%m-nJlU%mxnor_v4Mk z{X|NZ&J_g&)-%i899E)KlEqL_qFW^7X<8#?w4bR|? 
zqDc}(UUY||M?P#7&{V_+yfGSaQg;j=bKlp3V6T_Y0Raz(k8&*p>i?K>Xc4ikH<`KnI6K9f&@svKKs?lQks* z5Hi281wrng?C!5B?H{!yQ z&t-W!!}}`gTQjo=>90Zn>s0C8`E!gdo^>vqicIy*AY#XSVi~p^a><66fYn8eAc`6T zDbMeV(%9Q6JLc1K z84ym(Vonfm+A(5?d@U)x1)HaX6zI~AM=Rcnz?@)5yo=gQN6wn=MevV9)IY*YPtQ`i^%+seDp`x1H_nypxTNMjxMx})REZrv;Ff`q%_{$Irvjv6WWdz#l$ex zLO8*RX$3A-xQp+4^KS_B#0}Iba!eq~YpR>Jw}#x-qNYSSa#>ontLHY*u3zDN_*<== zG@#Dy%YKP-=L%z)&-=W48Ky14tpo+;mLxOoY`IeQW%# ztIMOEfUxc^Xh|^P6Q(ni45|j%&TKF*nP+Y z;RL82mbt)W`cvBt8Iioh|F~FB#9@+V&fy=*k|ad^vD^qxjO3qVTK(3;L+#mDoWQjC zz;FZulw_QoM7h=O#Dm;hwl*F}a4w%olX%-R21T2-Tpl>XZL2v5MjjMe7=sxg3$~C^ zpDnDV@h~QI1yiG!FKNMdD#R<%x@mV(S*Y|JIEhHRpOA+Eo+03eqU78}q$H2X2ux|r zOsJTqvFy`%c}8tx5HhaH8~{yYxjhACDLVo1zi2hb;SqVb;RzXN4N9na`pty^W+XpO z*!95e@dUz&4Mxj>+^bX$4Tbk>oO?Cm;Ve%vpSKXTU?P)zy#18cy^n-*6-QJD?U;&+ zss|b~D~VK#YCKt~^QTkg(OQ!PsqNSx=31P;Poa!Oe_7|3z5EgBfS7pDrPzvOHmJY3k+mGSF0>QYf-Oi*3R$5dz`@KB!7J=#*n;0gjW-wT-&!+cD41ijD339@ z07A>Rey&V0~L!r_KcLf{H$(~R_)Pq~w9`{Vks3y4JM5;lfC z=IoR*`io*5c_#%F8~*eEC?_YJgZt*34PyuPiCNq-I8tfH}ic@P!pQi3EW31Bf~< zOsFdv>oCt7aovl<&YSM4*7GW~43oZbxRTi8oVDkk|ERLEan`_KTntZj?!NwQn%VAT z5p=4=b1f(DzG-tZ@tec{a3zc%p!0(nJ zF8mP_W}->buH*kP^_5X|Z9Chz7Wd*5cPQ@e?(XjH?ox`k$j05>-Q9gt+?`^@`S!W@ z{Z8+{HOH8nL9&vW%;d?l#6_+d3WL>Q)U)b&?DqXRB0gJb>oBAJZiEYCYjX*N{|$Ad zoBMAo5S%X3F;OqmQJAK%_mtKTQ3lc4F>6gV_%r7z@mE$Vx#rF`bBLl|6h*cCS0`e1 zB+Q@;BlnEEMCX>Y%=Av|8--RZOUWt=g);*AD#WhxtgN1#?WdP9@uwH~?EgH%C-xX( zDQ6U?8wHPVM_~|Ai4&Q>my>{Y{ZGu~0ldEL1D{?%Ho{Y#)T3xkniq;2 zcvmj*EnGLr_dZDitgyHpI($EZ3egnls1D5!&5MGPV)`i=HWz zd}4x`I-$83K70Fr#25xZee46_-$7ywm)hM=>C{2HFVzYrELQ2Npun417C$EMxfzya z(^;+a+ozb3sweysf&nO*v%o6s7DSpIp94 z!FfS(I?{660Yz?^j10PTlU|a|2dkflask|!vAs#E=^=>3+360kEbHLthHv?dlsObL zD>F1H=Htlwq+$OpxW|z)x=X>HG)cpzh(PR??v#iS6h($`*}T5=^o=Yq=pLv&-A*`C zK{1bYEhmt@|KJpMx?F{kS<-oQ8i@5+B?suWY|@TfATs3pbcq%PEO|&rqVcZV=WVdIRiM~%hu+J(TM#w$ z+Ry-y(exDqMS>#fs)Y3Lc z^}%keUDF9E zcYOP$5U=lnVIhuHaz#S-`%ldnL!%33Q-mkdZ>L?kli00JnG$j~GMVtp8+TgP&{J(Z+#^xAoslyZq_t+#$c{81Eca^q$wH$^k&s*b_dH!WsbRJCP9o@p=vgO?q0g9ys`-H>bm7L 
z#G+?-y2GF?OKEvF6@>KW;q_MU`K1_Hmd3OihBr5o3=ugC*8+GH5vo7kb9^wz5L{_t zZ3w++4>P3-fHToxFjLBTQ!ECw3gJXcRYo9y z2a#-<)kV1u%hp0x@X%!_?Q8#dc1Ado{~H1NXd*$s%;W?`0H+w-cVWAs?=OB%E&E#Y zy9Eyrp;RV-WRrUKV2l;GlVO9(JgI_axz}%#C?%B|s;YfL3ty2oTkt)*j~dnBAWld* z75KSY*otm?)$xrGO2@C(yXy6q=C7Xi3UsBA{cPcOQD=fOB`j~@RRD?!27^>m&H}Y9twaCYPzP5)M7`EdoRbMMW|*s`KPP$ct@d30Dr-Ut8Pf@(Z~G`aytfjeGFA zAVJjp27{(`-@qtA^cz0Ok??t&pO*mTb7_hm5_Eu5-bxW-g6OBdbf`<+;{7N_ox>u(c5JR5I*4vab0g+5 z*ded;#ZbcAfgE`-DQ5^FA2e{1A$Twv1u!Xi2%)hv>QKgIX*G5FY1+OUp1p6ktTOc^ z-w`jFKo?`E|4GNw_E5p*Z85+=>G&b)K)lIxxb?^4W3p6U3c7x;vg6qYccbrS+YmlG z3RuvnJY8rCYqDw$;24{Ne(Ol9dCdAOeHt#>ne!`)nzL?&#W~L*Y;=1uFLtP++u>fV zP_&Y+m-;^H+qa%*{uC9Jsx@K6FalI4GL4wc`e}s|#osCKcljyrn2P^-Op!X7Ig(a8 z3Wv(dhk2y=qLD&o#B+42mJGu%gx|BHj^O7W60+F44piBDM~7C z68WdV&SdPl4MMM%72Sq;Wt2?IsNzq9N2SFf5G}c4zfShyjssj@98yS)lXCv}-D159 z@+GSLIjdW4Z{g<4yZDI`K2ZCqM#|L+!0PfU$-z~*V!;;y(qOZq5wngecFBE6gBB>QhU@4N80R6Af&}p1!HodG^<9TkZDwY+V6H6E%k6^f_?XN zn1E&Pm<8OwO%AXmQB$cJc~el61D4!|oeCU1FARb_qt^*DA!>(Gczo5FxZCe?I4e2p zb!sM%%NxrGAL)_#Fo+}4z6e819nnnCiO}#TaqFfuBuWgVV7i@weFT5=?4p{X#Du)A zzyCsIpG=bAi0_l_)|o_goHth%!zV3sBZO=-0{LE&6F(p**jyNa1W01cCj*+wV#q?R=wKTx(d_p0mTe6A{ z0igyiSOL9Q7}e@p@4XF8AG1mN#XQ4LjUh*b(p{zE{MTrU zIvV@JRdvTt0At)@J{&aJLp}?Z8nPch-N(b=lDw0|Zpp8ci&*($iT<8fHr(2GYfTNu zG~px4u{u-IrS8(9kTye+*wb{T!z9VFbMIr9QQA1$yg{U+ zB>W|{rG+wjDS_=C0qgd)Z`Eq%yxS94!npEwb8*3owZK&b8W#62>`pPA_3+T}jj(L8 z#4&HO^!o3kn1-*`NO07A5VSgUQS(Hab14%h?5&OgWisF>fX5WH`>!a$98?wj9UdCI zAW<6s5e3L7ZAGQIU8sELEY~D$sPmM0PxBV8Wl-_J#m$T6fitVE3(l>Smv}1}!CTB|UGleaIVAw%Ve~*>Y&!6>} z50F$&p&^l%t&#Y#5Y@oi+1D(Z2lJnLCxY+a%VGVJ51xG<0$X6S`UAHza2fZ1y7?~I zXcJKtyX+a=h+Ia|{A#tn>ixVJg0Fsg{IdnIr7woEPSM@1oWA-3&-6lZ>rXLl6rwsk zJdw9x>|sNOpmZ0Vb)mx}^6{xc%!ZdVqu^PJ_9vwCizk2?Jc!nfBE zx;L}(IIRzPq4w#i)&a=Ex#OhF@D`qV9!N!(BE2aN~qk8J4}0+mv}n%4kS{g zh6B?s9-d@Fx~;RG;|ZDn)PA!$m5i}av$Ra+Vg(E)>Wl4;g76j*pjF5qT7wgsI9qaHhyj>=55^PbcxGuv>lfAz6?)pW%$;Mr_F? 
z_&;613~tbGfv=!0pfg(m9AwFBl%q8JNDUqvzNydDb;0K)?gB~Fl>|+g#%HXY#oX(j z!D`GK)83Ev$T;@tElCwHKAWa;uW`(DW>kQ#Dbh;wzI3$#p4_f8)Wx*f%&<%deWy> zPmh7Mo=N0(nyju&-Q>s}lH)UpQN@O4cz@rZ)j6|ez3o>^ zP!D@9ZNK}@J>u;i(F!_D-&0?rRoAnRr&R*xCZTA8@ zW)y`^>B6s5uo>l!$Ij+iDo-CAGfSn~t%c?hrLnP#g}D?XUCo){Rz>?*#idT83GpSq zsT{X?442rVWb(GG?o4o_I0u4?Pg1r`<#(qA=V`WLqw{*;0p{t9KqMv_kZ@W3kS;=7U) zdr!9iocc{xF_8uK2>PYPwV%s=0{;P}^qO4QoW*e=j1}?PA7fYkh^}nU@zsrWwThJn z&tk>-;VQf{zKw~TfgEtMK;*416>U?c{$j(gn3EYEv^$yAggRiOT{rxBdNXeUAFFS7 zhjG6WHy-Xo!?#!Fi2?_95WP(mz%4Qix)UkijOIR$vVU%TXxtBRd>oe;J%k&*>A{(( zcIhe&3VT6 zZ@&oMI~>1mPqMj4@J*@B#j601MC_)r`#4|xZiux=>UTH?u}dqaJsn~~UmWBZ%GX;R zVB8gs+f<2)y3^)tH(((*Q#RSI<%+edE;$*A<=rDAYI_~3xF}pU{|E*EpB3wGX)M;( zFdKds?lqi~#iXmB^G-O$tZCi(O&3##a&2?dxiC5sE0gUHeM$b96vI~ItMERou}#{+ z{QB2fEYn3You;%_-OTmU7P8 z6^1baPM<9VyHRlG_?Nu8;qn;FSrD`H(I{QAFg~ zD$ik*`J?2^`UYuF5JZQ>AMIqC_92)}p&dV#4}7ZFYTj>Jd+g|@A1xA^Zh|sdO5gI9 zUTQw~cgxoar+LDEODLuZ(}eT-0rvBRARLpFYN&KVF(yHmlTxT+ZuRW#ALt(Wz&aYm zt>I2gO=x>4VWuV&Y8}T0!6W4v3kY}4hCmzB9+Zs@08AI9iqE-B{{7Q0mTb{ui$y6D zA7Xr+a{$os2as{`XHw48B)%edNb@V1MYj5RFbCa@(7M)sH1Z7@l6Qg>J)H@53A-g< z1uZs~F=nwfUPQDYPukuj-`|%vd&qoyWBc_MbkgO;og<41zDYa42HOo@=eX~d z|5nQN)^((4{3TN`okqne^~L(==&FWUj^QZlgl!>Oe!z|C<#S}e<;s()l49~hrNd3) zTd$jiYUZmQvcY%P>zi0EFYf8S31?&j1*hwI%0uA{sLIN-j3JTD1aE+4Ww|)sk+qUW z;)elXkKlj)vDSU3>l<6wYwGYE;Dt{2VRQ5e)%`HU>|=1uyocQ*12=%$+iAC9HUc*f z*2h$^2BX)OpBO>%}170ZiH0~sm$)`guQ|1xS zst;E#sa2}K)l6AuO8XZS;6Pl9)j$Gk=7zFNHV~%*Q}w^F@Oe6-0m!Ca_OPo zHV3-^FBb_%rwUxT;Gt6O$19uiAih4DEmC;B#Ku^FGjOMRv+L!~;{Nis1V8lBakEY5 zPLqz)^H_LYdRFveCol;mes^VUv7Dep;{Zpw!Udp{y0=&k$kh;6#^h9LWGd~C8gfo( z=#<02K9o+wcIIO;9ZVQ3Q~#eZHIb)ruu`m{j1Y+0Lv0TgfHpw$%5$NO8SqpWt8~4| z=G=U!edRiB(Q$%VL7rzE_p|fp1@;8a|HY1s*NmiTx#3FR1&bVYF*s>*94YJ@bljhk7D9 z+bqFJtY>T-W9%C@PmXnF%(;>X9!Q8bE7>bKXKjST4LCM3uYe!Dl-8!ec(AP5_mA1> z;f#YnApnv^6c`k+1Iw>K7r@*P!$DBK1F9i{Rv~jgB>b{}k{O-&5jC`a>yy<YhVL3mAZJ#z<}$}!(7MOW$gwn3arqsP?R@1 zkIIL*LlNyV^Dlamhe(q9C%cwcyJp?*4I4MHs}9`L9uv;Zx(c-$^(5mHe1HZcA`N70o@bXBD+VN}Lg1z7jnSjRw{ETT;Z#H0 
zX@KTgKOlB_AkOGKJ*)Pn;lzbo;pYTX{=@;7KH~^zCHzx1i4v(_qL%U#IyUER#&0rd zip`kH>e$9g8Nnwq(3ZbW1-6_w0dlH|f1JvQ#vZCy#lBQ2h~GH3*&k~XnUY0W_WS%g zuhurKpn@^fYN}Vit;d!|1FZ7K?M1t<((>*bxJzlbBkZgHVe0Pz<~jfl5kbIC#^eU% zDCvYDqv@j2YFcglwzm~Z*0bo#BXytsIX&&teE9SmTSk$|{uAb}e$a(WIl93ylG>zW zfgY-^s<5lv#Ni7qbj?{)8A@@vfACMpM$yY!0ghg~<@>RSF9TeG$o|B&J1)7>D_IJv z=1S@!sc$Jq{b%Wi{ce9agt4)!P8E*Tk>U%f@CgBgTn4npRx}rz7yAbaW&wa4H@uDu zxy{%`?$Tj*-*t1*5k;&$m=B)Xeo$KI z(}*I3$#za)*V~1~!@J|C%heBbp)l2FNn(t>FS|2LH@7W4Rj)^oV*=+iE1eF+!4Ynr zRPFvb-|l&P&HxC8$u$#!a0EFRH1X&D`1D{^q;Rz`uI-*eRwFViO-mV946GF*v78)V z`@7+r-3kGqq<=qIcxPlFl(B!WdH$*OLRcRsLra!=@ec$BYO87-Xu|DywxwOuzaUm6 z6Se5op|{?nNB;2-=RIN0Y>tY59p~4&8cZxv9PHFI-3pd&{vg+Oh7XD&rOWqSf(r+TB>kn6Y9Gjkt_+G8Gqi0(GWxSPRaW z6BjZj3*Ugq#oXde{kvJN%qxy;XFn^wLC=O5|45i=Pf+f(5}8}+rRt1rS@xRKxl>6U z8-!&IxTc?qp#;33AOWr-{wjIa>Cxe->B-?AC9{E)oae0V*@Tf}zF*Frv>|DgjJ@Ap z757`8`=Wbmd22aqF#a9Kff|O=KLm!G}%ET@`RXio2+50%vJ>P z_sHg1UTObAQE>1thwie@R#^Gh)WfS#sLr0=m?iDNWMR(sLf9>2MsKQXUI0ZLFh&3h zVkw_p@X%rzc%|B1v3n&WCHK?f5vdXjJ+JLK5+P;$3ZV`V9VaS$Z6~niHOvAB>KA}S zCW*Qo8zxiaVu3s5nWFn~-D>8X7DkWbJn5x!osUqEU;64-PjHl+_iqS?=>vV#9&6<= z8RV#+prq|bgcCk11Z_vpgd7zrA*cytm6r%kcO@t`cBsa+5I+&UcKS5PP2Ch|yDz3( zJxk@5pEzK|xL4M`j7e+anYT_oV{)pat{w(P^$>HGy8*ixWw<>Gf|mZ6X;cLzekr5h z3rVJYSY8kedCDYtJo$Db(Df2_e`aFA&N*}A5&?hOd|I78V611`Ab7XJ+1YR^`(}GT zBGUz#%<7t>2`u}l2UhMh+-wy9kxJ}Fx39blax#&$`5h;t>$*%gk~_osnK{3`$sDjw zcbDo7cXikK37qpD>;QR~O8J8$IGc1Qs%GI23~pcZ!cDOK-I2;JhI}T}#t&mp=q|0A z0`V^6dy_5CV5^_!COqv|ZcaA?8xwoX_@HzF@-zgBJUkmQvDD!jbw_RuWHTomATXIL zk)^TLZNgZAT(-k3cLm%)1cfsmHbss2;M+kCB0weTuW`A#Qil&U(S-kFTpJ+cI`JSK zxE_q;cIiwk?9PknOskU1mg4vIg$;U$=S<0QGNyV(T&c*Ki0-UD$dL|0 z&HMM^o$$@@0H!|qfN8U4J^{rn?>LA4_OD%{l{nJuPAu#(cH-2GOpcKkFpGTx>HA9V zvzfUSmnZ|NHm$|KqPy18bnJ&7q%XkaSo~(s^%{b2W)TM1N6>?hzm}yAtu2m2lxSe% zDAOSVbhNh@$3t>KlP+v@AlwfbxS*WQekDC^Uw%Df2;X-x?5E5+Y_2Bse=`qw0p7*& zUErdO%nr)#t@)yi4VU}NBdHBV|8ZW*9U)53?*1Z+)~w1&p=k34Gwl7#5r2%y4&2^h!@X6tloa-UP+0syw=NvxJ0Upm7NcqsYiqZU 
zCHK`-Muf>}8f>xXI-@r!r!JL{HXkc@++MRPp-I8AHqUaXppMKCP`#np=T(m~U3W-t z5c)Ir>f{};GPrApY!>WF5*y2v06iT{?}Th7>_l=Vw6C6msDY(Si}rO&3r!3wb0(QB zc0vfVZp%=0n?UMsau9XmL=tQ3NY4sGo^BuYbrQ(Inx0R+L{W_da&ol*@=EkhAtugf!gamyG0+N1^l%~h)Z*xx?!%{)nDo;VNxx}j zw1~*1m4ApQhzX3WT2`zgPI3vOVf}aV5v)N}iN0E1sSxv>ggK{j3S|-p9a9nT9yODy zbZx+UMHC^={e#YV^XI*D1y8qo@jcts`Tv>nt}i#!-M$3 zFS4?=nMPQZcAcNq^X*?5uj5wN{C>ekO*FQLbT~9~UMlC2nU<&MTk6$LB@fUROxeJr<0d$v3^y_1NsGg@A4FMK$(0yRCHh%u4b8i13c!i1WcYB%aPiK2GWigC7C zzCuH9{2o^x>ffXAJ8xM3E-*~wpQG?`4EV~W&^-9X>9z3$DGi?}ns|~XB0qZ7ih6<1 zYJI2GQtSAo=J}h)Hw`_*Y*IM0)lFd9ucnu`;T}5T(xyjJ{BZ*^jgoBiPkX_2uz8I3 zK{783&*J>G_Eqk;QIcQh-9mmo?c*=Kti8uxP`FJj)OI-PrfwA#PL4qh8^u3I#P@El zowq?)&S2rx9U%btHMh^(LX2j@>sXDT5$i$2yegQLn70`e;xI6F6#1wuhRzQJe@$T3 zb=7sKY0dQ?6X*h&fN^|b5n8P$@J`a<{K#o>Q$C|K{bs)*5TTo;$=m&k89Fh*>>qvaixre)M_qHb5JAoG9KI~&sjuB`qYj*3fA_AG zCk>u1oG!)P&`?vDGWE+z*)MI*&MfV+!|zt09^P_9OLzDzNn-Ap+{zni`kjVzg(O)n z41u6t$~R=~Y3k>q(g4PPV)@t6TaxiZ8rynWi+Q0+ZPFy6U32=W0j>1NfRw=#lfRc6 zrTM&Atd-(eP|kFgUKF6!Y4%T1C`{bsHBG%TYG9o4^lu* zploWdgDlnRkK~IVV@-UOI}#UO*RQ$Wes}@3@2judi=0AUO-p;_0}9}q$JTNe9Ml!2 z+++$xZDR#J1dh$%>q_?ogb)udM?1b=;dp^ZoS1aeltFP+gabfvDCUY)SX(Y|JNg@P z%%$GnHa0&}jX|*caqUEMc-aAOEe+uWb~bXbYujIOsd!`W4KoV7as zscgMYIKkiaedad!DL4Bh>Ovzx{l)#0633?AtyRO%+^1AVlWG;ylmkeIdS#acl%C_7 zg{9f2n^?Pvk-7PORmik+QpF8D8^hOIrRn#dY$NZc%|3QLF*wbbA%k5b9t)dQ;*n;9 zncY#Ri4l5K+?>Qf!Or7GmDN~$Rq6Agw>-a{lcwXQh0&^BaCszt#97MZ_8<%KBXFIX zNABGF{G%WaG;f#jTQ=HxE=xXn5qK->p&K!BJ0fgr^n*4j8^_l*+6S=DjQ@_*3Lz2* zb+8^qs!4$ZDFz(JcEYkGzPJ2HCmt*9TGaS<$#ep7O`YYc{d~~nT+#k>tR&zz;Kc8=gNBQu8TI~H&=TOzYptd2DE=kY|LA6+ zV_=vs=Yq@m>pG&8FL2pzi&bhdSPX=y+vjW>z2J{fI;sb?U%#WBqA$zVtVSwPpP7^0 zr0E%_ExDsM)TXSAwIV=L@95WtlsE$il?|>Z<3U@XasFi_5D7;X(NDh@p)Eu`P1+c0E zbPqFLc?s;vNx4-3lU9nUyf>4*v98|2A3%e82Qj=FIT9b5^$f2`ctYY_I5l4==K{o1QJ5I2MCVpK1ks35@$J5 zt>;=cxGm0pMI$ml(VA<6i?4U{NkrL!|Dm8dB#y1Y9$T&h%oSd%CCikg$BLGkXvK8j z_nn^6sKeP&{(<~|d_TgEqr#7L4Q^85nEi&VuRjPBfVqnvMu$`^mt7q5a$m)kNYFaX zjfR$ZdPGC3o{L0P#RUVB6)m^HbMpjIhcP}g)8tSV$r(KZ8+(F*t0tZ@YMweHg?n*E 
zksA^A%e`WLwlZe-aWl^kQ0PUNtbB2Aq5dBibGwZCqk{Aflb1(_UFPmGI)(=GsJ&EFoFcb+CU; z#A6uQ!ytWCl(w+;_CF@Fx6IOnV??+W0}~*+*(og(`a$U*kyS}A)GML-&F4&OYV(@y z$?p9S>3O{+p3m1YD4_Ur0KXKj+ZUpk?s;y-{J6QRe1QE^%YD`u;<+4$qNB8DMA4>J zK>LO6nPgdmH>1sQI#>9OUgfbKK*XD|Ycx_7YK9_qp8kN$!dgdY>VyD-s?&lGd4L&R zI0bg|CJ&_g5~Xa!|5JTm*i80?Z|qfQD_PTSenc8&g-vS&95Fqmx|Ge!@nz#NB3EGRt1oy# znU;8&O=r_?w6*EHrb0o?@Rg{Ym};U#EabWdL9qg^hZmz+uHm`B^ zrh-BkhHNU@QgOT(S;{isv9e;PsVPcuo@Uc?_sNYh_raO=4|rn_KFHCt3W|;KaI{mG zm9Zr^)f_5T|Jez8eg9>?a6QevO{L*36hX*h!V8c^rgGdaadvw3lKa+Wzhsa6`twWR z-jrR_vwN}VhA4le?r7&re?<+%q;zTAa;DDA?~&Ya;%>$DxxQpuQ^lFbQ-foCK0s#! z`}IK}e={%{Y*F-0b7NPA%sjr3-&Mjf(yyNA!u|UfyS{?Wko#KbVN2ePMwu#6)dAkp zWdGw|Y?DbV{+^Q8J>!aSsXG^Ooj(=hJI^Njjl6p51EmT5Gv*pDX8DZ)-=Q9i4^HM+ zDGiM@Cyv$-4Ys&mN@m#f1FLhU`6~Hw?@uSc)4+x_wYmTP2x<@hNzd z^y_tQ7?i?T9Lu5 zkV&F|amm1EiRBv)n{pERe`HVJBPY3usweMAu~bF|{&UcqEn~2}AO99g^lq$Cc_*vl zf1&3vM8Q+wH$)8>VsJxjOuIWOSv&1{zb1x0a`NhYw3=sipKvo5<$cqC<%SMj*|Rvt zEdW%NUzQ9?;r3Vumm)KOCb8#53F_Yl*oGY}@*zQL61}c82XiAnJMv1%E#>ixn`a>L zSCi~$zwc4!)fI%wUSX95*#)@rd_2f5f~ZeGc7d8e@H;4E%CD^@af+;dt(y|r%! 
zP^b#SPx((Lc{qKZ3e|PZU3`Tg5U^Hv4lFWrDUP3#nmb*X(b3L%Dy+UK_vd`=#YDy* zH|Kn5K5Q`5=xO#m>v0@@U$vwQcsh8agXGg;9bChr{`_!=>tiT*^;EiI4$J$+9SC-H zANXp*(EVKyZqM8WUAjr}a4jqb%u!Zs>sH}U$$5h=Xc}C-dLR6gsgrtIjm-B{U(nwx z9U!&aoKkumZ22gAw^wLja(&$T?LO?^4JZ<$Su-@#jrC&dT%_YmE-J)Ya4J8-*w3Oe#WHtyM%?oYhyq>y|{Q^)_zMUfr!L zU>(yRsKVvl{I>5%?B*X+;cN6|p_lZeQfA);oQJFkE!1}u^Gx*)^xLSNP@lQtS<03& zWH}t1Q@C*~ZcW_|25T0R#`){5652|KDtcS0IyE&w&ASp3`B^3}x9S1fU0+)veKZB@ zr!U_E$B{1ITfFJg{PEs@tMk>V0Pm+hm*I8_J8# z9MKPWV^4gT-t%qKJIn{Af*)1Fd1qlM>$AnR02O6JVyoZgk zR=Rn=axYO}YD=1qGbIyKw`>9uLm(q^Cq7b!M|O|lQ19TEeg$3?J(t9N_h^55>d}F2 zIHXmoz-|oSD&%;EBY?4VZ2{%)+sv&|9p+fR+p{rzPF$c2J{eY-ET7ucI}sjRQg|q) zQUNqDK!YM`03E)?fWQ5V;cqR*>DZ|y#MZS1)O_Aaz^#OkDq!>u5aJ6&x;h~w{n|^7 zL>c|V@sF*Qspssb#Qh9x_Y*Q>Nc9E*%q2wc4`Mh?Zv+N-TvGB!Bg z15x4@b)$zWLKcj8S}qEbD7ikf>y$KbfF}O$)EDokQ(2pA%^$(OyFx`qz*E@ zYtnP7OqiH=Q&`mg%byAH4cVN&mBaj-iWdQ{;>oKk1hat%K>^Gkb#dRLi}jD^1(bxv z&C|35wvuj{g;F5@$vnY~iO`H*T0jE1MMvs_TSNC=;x3aN`L{(y50?!WBo~*g?+!c- zMnYO=X$hP&mre5SK}7irBTh(i?$K9FuZ)6-8WcOt#P=Ww;|pHqTj%Bnt-WHMZ;>l6 zWsXkt8)&ZdCH1w?+NM3k_vt!X6PQU~bF4HHc$)9d))aRysQB7jt+DeJ`GApZK>rFiVj7OzBB*O>c|8_nTzbkulLp=}h3&RD}KZ*7;2z zwMYH?r~BzHf#28`5m;N3?XgjumzUndr&;&;}b>aopT{p0nP* zf-i<2aJ%P%;~pq${cZ>dkIAU%+O<&Uto?Dh(76-Zqe%x3;++@BQ z`kR3j>?`meD-ELw4>i2-QS`03)q<6TLgUQ!K>(1kx7})kazn*w6umOoE9nvYc6n&D z69@4oD!8U&_@pLgb4pOR-I)KnRPXU@Ux@8OAIPPG6LI}$LFR-|07ERhoIk8^eXSX) zF^g6DH3}MOrAfbheOQn)>_xWy3iVy6y6Jt=ENI2i zR23p=pQ#$lz~CBmpY+A{!->ZGk%U9`Z}rnU-bzA*{@u<($`JLx_&TtmHcD|2yOwg~ zNfDh8w4KnxK@MRCu0VM+E*0`$8x=daUgP z)Gv``322??ybC{6!pmgy@Ks88q6Aa4QaTw09Uhab56kotIdCc*6UxZwV~{A-er~_G z>x)9RRcQx$Zi!&Ten3bBzwQlucDQ~XBk4f=QF>bn_EKn4Aro$TNBHE~N6a%@g&!`I zY+=w`Y)JS^D-}`e=c5WiSfUTq)U=r%wB^@o2!Jz|-e4<&)3ACFXcgi-w3lBULT##z z3}2*7-$$R~sU2-9yawgY#`H!b3qIW{@~_Mg7RYQuv_96=^Mv*WLFL6DJnq?0+K0S0$Gb4+t|!IR)Hg8goPw+E8xqpQ|l@ zZ)1M1dtMusWvhTqk~VZhE!Hr`)|V!#kM-dBS&CwrY5Rcc#^GM}=^_2_^7*7sboDBX zeQ@*Rtu;~bC`&a#T!fNdU9lSDZnm>@B&Htm2LS#;wRu0Z+kV2%&vY93E@eEo2 
z`1(*WgHa5ZA!f(nT97(D~CTTp8kW@E#a%)rb&fSn#!E30fBkvN8>WRxoX$WC$o%w>?eH@==sl06G;_sz>MOoWbrPKyMZz1pgn|qG4!-09nNB< zZK($3Ph~H&jSG)#Qx2=h!!G9bB@5+h6}vlqsBHWlZHb?KC^L5XO18m2wLaOV;WuH-?>~WP+g0RDV6&>hu~AVtWe!dG=gNzALJg z5Bx;*FL<8RsC_F^_ku;H4kjY@MT5^$PX%I5fm!M{4?SXQhK1}$znsCp&ol2N8%7}Z zbPi?$;f+$!wPiRtCheY7Mk-`!>Ju1IjLPp%Drf3QsnL)lxGOjS^TrEm(CX?c?&E+{ z2K}Hu6xdP3$Ig0~qsGpY*3sZ{D=T;fPuOnATday<$?gtGusb{2c@S$V#nKO38x5%4}nNaf5r222--}cRR)yV$}2X?BI7-FlM2oerF zWmg&%%;){r)k#+Gq;gCUTMElkvB3=e;vk;CE8+9eXO{z?FPCD5Hdj(s8ENlKEMPJ9 zVrL#NCW0N1%(GQ9ao`AaPLs1`Z)Lg2!;U++$NZ5X(!~IZ`Oa5?tmEK7^|?gYmawvD zm3Z*^vM=tdkZLt^LI}Sby+{u1K2Ld#vqBltU2dNPGjWb#)$jD8?qcHQ>k*S7mN)h z_L+7p1M_^FV!*;cW}D-9j~|v|gJXi7^(%k_Ls`VcH%REF@0aAk*RJe0XwTKegClfr zfXEk%FWrP3N{$IC5I_&1;Kn{bI_w5MN%k8N8|@81tLM)2G6vsO3DPJOS%s%-db z@jM#s*>V*jfi`%3-21s z!7hTu$%53sZa&ReK!WO@c|Klf_@lHBx$RiqO8)dWVI#LB-*4n<3qwQ#)YDiEQqT~+ z(^K44i^O+O;v>26;r@p4a$dXKYoHwoD2%I>tTI5A8}>tx9T7Dd1Txil36%U{DkOs3 zxX;+Kr+BQUn}X(9M91W~*dWAKB)cPf%dn&FUa1M0IaKLJLstTC#d2<7LNt$4Qe6w6 z;`oIbf7^qET_WFGhF;5wzocBKONUS@GGlnK@7UsZOP{APo$$7qp1sPi%TDmd;x@o{_V2G z6QC=2*`p(aAjCw+|#onAZ0?5bgdXp<#g~mt+%XWU^%0(^c9N`{k zC*co9?DX&V=YKTF=0XSic0!QA9X&nRaqWcQ&4J%;yPfd4>Es@+Jm^vilr06S)Qg+C z70xbYZ0>L>Kp^f)(t4<})dBmLgP-v^23dc=nmc!6I5sp=8N4>H5iJd}NSL7%WfZjfnc? 
zMovTCi=%>aP@8>6yfOpTaw&|ff|6W|o#Lo-GU*$%H$8)t!67|Ueug@Td(2(wM|w|N zo%*@B9Y8%a=D(EDsO!c{VJj9(AiVk)jv*rw)E9IPq&5t*>&W?9w@`k6h8zbbrd%G* zh~ES6-5XUONIjNRpDrX%_8OiT#`{8TSfhN1Prrc0daw#%A$3(MPkJ4)Irp60M*Dd7 zt?v{ha1<*a*XRo6N%M`Gq)14lnm2w0_#EXS)v2a-X$ofyc);baugSlWPa^Q=pkidp zN5MOb$a$fWQVznikSavM!;8pi!)4D@0H#!}Rv8n&IVXZXhl(-1XEQzU%aD~CwCit+ zf_aK`Fl>c#5G0G~=cU);KM=I8P7iZ9WNlq$|GDEZ4q;LaU(o$piFzqSPRBURfTOGjms;2RPRk|?pFRkxP+v&yd4pA_P zL-z1Jc6>jPyN&i^6dnjE6E9kzdU?Id`kaq-Ps>+Fm@2o1pR;wfPC8`Cz_920WHBMg zHh?l3jI4a>$h-sb{AocYkSeoh;#mkzHYS6EyYHz;4;_U{rM9jLPRB_ z=9_ve9 z4@83otwmD0@%A4URzRpugydTKSKK%Z-+!AR8Agqw=kPW1=Xsb!BUUEYA5r=hG=Twj z-C?t$mr&?mONP@!9D=}%GWe$=B9+#Tm!9V~kx2K0)Ue-#roU8)NH&yLo^X9}cvg@V z1g1XjZH6SXY5dt$wj8gZ3MQTY(pZ4iThcr_6gWyJ-W%n$Y-;4j!9q0{&AlT&2=e&D zFfJA<@+fX&T&UaH>;{u*e0$~}#_4sP-#?>arANKNCy-802>+X^g@_|FQFU@KMXFed zOoI4!ty#(evBa@aztu>MT>?r>5{Q4oLAPJyE~cBu^TMgBEr0dC8xu%~p+G&E6i#I` zO{Y=c(t`x%fNLD1x4bQ8PopK&s$MJ~7-92YNd$w9K82-R+lk0TVW{-S!qJc_NP!Gc zMhaD>kR2m7KLM;?d~{cDlRuU=Ml1b?w!n<+CY)dc(;z&}U$a9UBrOD)9SAxUPc|wY z%N;_3(>zXk6xag5CJL=a3t%R7OLwBbvr)Q7$}2wCu+w{Byc0%6xzU6j8|ZIz3t9!g z#f>M&wEh$KM4c!bNQqtWyba!`mcXxMpcXuOQcl5ch{{H+fSZmJN`PuvIXwXd* zq0%Rh_FJP_Cn)pyEZ@3hB>=2@3uk^}|NZ6p0l880q1Q7&aiy$><-90CwKKyKv8`zd zF3PF2QuQI{<>n$qNIXUZcEl>ZJH-7cmGVbzVSS@nn`)_InMn+z&#_Uq^CdRq=cCJ? 
zoY43@W56l=kGDf+@%t-r;DHqYqsIx@o`ql0NO^hQ7!&gR$*CxtzoNs_^GKBO;tYF~ ziPD=Tm6@pNqT&?*DC9ot%F#qDfaFxqf0kPX*HO&D)bTyIRKGU0I)1HNUA-Zck2=HG zNKus5i*XVbdNS4uUu!wK*Y{1ep)Md-D@_u3xP zz3=<>Mi-xy4PK6ffALSt6vg6v;?YdTUD1S#Nce4b|0%YA%JL>uU=OxTau3{H2Av#* zE&%m0!}l#t;ymA*j~VN*>-pswqEfE6b~h-VK}RPLjm@pLuG3{ec=OM#)4qt=D#aa_ zh0bBu9;z|Pr6)n{m$F`kqvKX1&=qAZKL%n>XK6^t1v1NPUhj@GRz4gp9NlP<6)iDG zK>)H=n+nzHt7u@QQr56YIg=*oQ*DCfF=W|`weY1jqC+eCqf9Vz4Z|_mhNhyc>IaPj zJ|Fy{VvZAp?hwd*%e*{k_Pi8lzCy|mhqDUr+qi?j!l!W`j zA+Yli=tuQOiiBF5w@NvUIAjx5ZJ0B(ICo&>vw~pJ6f0olOZvSEemDP4F^&pG z=oZrw;?nN1d1dRy_Q;~@SjtXU@OZFw!lC_B!LKufK*2dOAXo*pDCuu--L}zG^;^Ny z1%qtSv#VuJIjzJgro!YbmdI-ofeU%UF+5uEzlt26vha%0Q};8cx|d%_8t7tua!uP# z$?qLd%I`{3pRW|Titp!)Y>Ozno#{Uc-Ji`>-G<$6@?GbZDp&=S^e@(Zs84vVSU6*y zazP+lc}R^5scm4gLve6e%K5pn?;P<%LDRW%<(2uw{zHXaDVFnDJ!g1J_$ykLT%R`OqgiS$mw??f$V`}A>&`axwHIF0NP>d>;z>l2|GJUSeB`{o)^`gP@ z(7O0|JAf81tw8=h;{EJTJUVhMt}+4_CaZ$pS7ez%4yeeZN&XhAf`aE{f+?|ligDD4 zQQke4*p&?1o&l_)M6`74vfE)|f~@BMXVT|S_U3^7#b!A0W!p)5Q(@!5m;EYDD1!qn z&fj5L^x+Fy$B8&Ruc4EdM+z<)0x?9Z~y5 zAI7*(A!D~iJd$XeL5=hYgM~UJ`d8^`v4w9SSZoz;->~AM`Gp`g;o68!EF(PsY&0-# zd*XQoJ?^$`C`;a4oP4HcS1%rq;_{$Rkg}GU(t5Ru5O>!sUqqB7Z}0 z3wLbf0nCxt;4B0`jEebM{_7fEwrL|IMz@0%oZZR;L}kj7RoQc#i#%HViN|Y;Yxu6U z+l}p!8`V^ev?0o(Xr=k>dJ`9C^d;gezLWXuHgl*h{0o)yRaf>ik!H}^wuA$CyNFec zzz(H&p&ewrWFZ7HdGDXw1^sq`>m72miOfAk_a zg9Gzb65A7577^5>!6MF@xM0pQlQDfj^yBmA>{8{pu#sbQxiry_tI^`NB01JB9yZ}j zMg-QpHEWmHWGxRCgCuAI1_6Z!UXzhk8^qlo@Hdow!;n~? 
z%4jORcSNx(S!uRJUQ|?jZ?q-|Pw#j$uzv60*7SK-J#Fdi9cSk(10ie}V6YS{%7GQ( zBjaB{a7}=IC2z+TKrzyZiyqY0(f)~&&wWlI^}YeIY4RcASam~Dlb7h2KZL)>X}o+tJb1qKjCtE9AiB|PK1HHg?tDWQ=Iozh#h4$ZIQ8NCOOfTpi%##jn@%uA8e$AM z221un=@F(u4ipH!kxvk3OpM)%#nccuY&(I-rrS9zmrwFoA-QVsdwv|F7bbw}0 zB`1t@W!i%>DY+I=tu=<3`v2j{41Jk*9CO)ko&!upp(Uqx2~u zfe$W8mIL!fqdSZHApad@+Q<)_s)YH4;QH;5-D18Q&nz0i73#Ld>Zx!fN64;5f!{;Q zjj#F;7Ir^MPX%KndNW4f7mcW!oC10KVZxkB1HJ*y6SFUb0{b=c`busiuMfopIKcB%TUoOsJcs8A*2*J zF`)F5^y?wzS$}znMdJ|fJo*Y%8L9=QV1SS#iiwEy3SB`Z*FNCuc6(nf1cz{rUZdTL zNIB`P!siOFLK(6Pi0Adh0u875Nh!&)7B8`a!MQN?hGj9m<&%wbp&(4tjM6ZT@1IA9 zQ)}d&3b3cdN~dpqBaOF@9l_iZE}c*=#Xz0sFMU@TZjA5fIP!g4SyhLAXoyi)mO@VP zZNOM00re!~ZbRB)m;ll8wdY^E*k7~d7(jdCm;o6YNi|^?tvdFrQRYN?(pjEwyL(Uq zt!X#dY(u<-p?S^OG^!~-3|L}rUKZu!`m%r0(~|v}_BEHe>p00)Fz%R~WMveWAOo^q zY8pExN$k2&MeWNjm)kEh=xD=50axstAn$OaAM+wgI%OVF>H``m6gTU5Vf|VUy6&FYRLf1Jf>qWcY^|fjJWa$++Cer{@8qR(FE+UF4nMuZ{CBo`Z-_@!vKc zk%QjjRW=uD$M$3v4^q-ml1#XHb2!Tw`2Jo||2+eu&mM<+A_tcn*e)ANz8Gr7x%07; znQ4HW7li})r|YoI;%IMZ5@cetYzhL_Q(qF|75>`u%SN4s#&cL$+rEw-8HW&E0XNLa zRv|-D^zI-5E@ySlX4-q_M5V!*CbtG7b<)+aK7j<{tq#9#`*a*)9EO~?Z&}@fCCb?@ z6su&d+gI=|dHWP*xGONMF2GAwE@>(ajc3H)uh>eQ?J~{3E58mYYrW`8$sC8m^l>i? zbHbOFJfdu1R@$yK@7Yc__jEnTBB?1ha2jXJ@|;V4!lB!#;w~1aQHn%xb0K+rdCV7N zHY_M}+4lcpRf`CyccEY(;{LR8lL1?Y2=I0>kn4_$+_OqOQGy7XEY|@5cc>%2U1-Ve zxylfJGh62N{wr+r_1gG>Qk96$lha=w>PCJ9%Uy_0xPCumCq8eg-nMyFD{fG8dk$@G zuj*V0-*7dC7hDKPW;jXrLCBAFTkIfFV6?ALs!K1SSO@s|%@t6R>epQIh_Skz_B$mC zkk*vJsdV_EDSflU%KrM0YF1G?yWjb1C%iifS&!sC;l)abqI+T9^G4r@KzM<326gh5sxqz#JqgvNg9pZIHm;wvA~_Sq>O^wK{L?y3)cxc5r-_JHn+ zb~L-+Q6AgO&grl$S8Kw?e0YTPul2hI58$fQ-h)cHnI)&kf0Q-Hxjyey|es147m9b1cx+! 
zg0c@Aj`rG`TcCE%rJ9_aNa%m;p5}GLJZz;LzGYrb89^}6&wXcwdsd%7*g1lLtf?mg zmU0kg1;yBoLm2d@nF9IV2LCO_BJ#}QlPz49Z+~5u*TpLRH$n0QEGfJ*asY>Zv-~yT zbnJfT@v7@2XxtPH!+ihyzBXo$D$6vy2PS*kb%9de&SOVFOc8gqE9|qgwqN?j5QkY0;yEzoYi`%c%2K#;Aj}L8I zlaPPO6aVP^#HPmRY-MxmF20X(gC}Z*Z|!ar(zg1WJXFI+ z2i0`E4ajSMr2H#_Lb4cGWi+(#jOJMD=fcA8veV5sUgf*<_83(o<8qs zo+w-_rvVQ5rimA@K(OyxYSwv}Xs06C`SIbwSow}=<Y#dQLa^jdPBJEn9tR*HziJ*9|2nx#eH#_M1EMGtMSd3%77YHU;Qy)nwXpMY z1ZN+)XsR^sMIL}dyIUTE71S;7F^(+F^rV&tJyEuLGC!0W_;$}5P3Lv#NJsL#eo;r% zh~t&-Y}>rH&bj5ODASuNAE}%x`mvWVgPUM>X~ZZ;3i2#gYp8B#MSBYcf@?nIJJ)`L zK$HnmYcju^=#5vW>zorO{|Z_y&_5-o<&UJ3AcK7)5!g41fPJGR4+RyQalUeDz65#1 z*!Cfz4&VM9FCqQyNoxRR+)d{HxC(`GAmX$YmEA%f)h{|RN{GA(nHL3{!;AOrENvV< zn6*DPWra@wGoA0SUZduH!GvLf&YhAQuVU87tV*nz4Fxx!i$mKtsbTxv^!R%_v%6GcYgh^V zyKf+UV&jN;G{M|nRKa=QzjEz9fU+930j$Mk z)r_9<9UWQmFDrBN>+)MgtH#J>kIob=gzbws8cF2J#|d6!B-Y1~NnR*r4YXt;nvu7O z*q{aoa(rV7r{Y+b>&A>D>h=CaPkYoHS{V;*_>RGwNC$*2NF7qt+#guzFW*#0(wpN? z!Pu3-_K~J|+#Q!)uKO-iu6rsorR!t$-I<_W`Xngpm{<4wW#go2;vRb9B?^ZwX)s!W z4Je+{qA`lo-V6iETY~c*n6jw5IK3w(>vN+iABMD!F#qOsj@R{|Z%z@Y%BFo97)nO#e{JKGe3B&2#GS?$?qHKa_HKFku{7s{f?Q^)PbobDRZy-sIk$X!PB3syw%1~oJ~QRFxYJwUY6l-- zYV-HSOM7Sgh_*+H$`~u7(vjMe7$!(WQkOjsnyLC*;u60fu`mb~fTv>o85|l)-sO zH-w(h_>+}uxbL;Mt}IpsMS!!SAZmk=e<2Zd=3trjc0Obr)4%IqtVJ+^ug~=R`WMo0 z7pYt?YBeE10V@s=JW3hGFT{N zdzeJ?B@yf=3mCnmDPO#-*{k#gc@#jrXDR7aUrLQN<(17ubcp1YSGZPG!tQMBRz9 zn7V+Jdx=Zg{>*vA?~1~3L*xO73_-={H;EARw6lNj^B@>))15c~=t%@J!VqQhbCVKL z9mr_r|Ek%x_Vkozy_Xqzt@k<{+tjQ9O;X2B8y?owF}Rw5Rg6?)z5qe79UvpR zx}|YnNu&Dk@Lk$)XPEl#MgSdY1UCS$Q+2);cv@9CmMcZetbvDGVIZBB=5R_ zb8H;-c1}&s1wc*|P<4uOGBV9unw4t6#f&WL=H${=@R5qGVLa-CIz8Kmr$*I)QPu4T zT$WG`6>@yI(hCXL5PjMN(x9uz979;>pu#uFL=fAuZpi1 zg(fmK{J?B zy0%PHjOr26ACFuMe%PimmmTCe$SbmQ*>Q#|w6e#myhXj!xZbcTYlGEZzmz*vKW~Vx zYW?(wLC$>DxqEVm&Te&1D`eDWb!PL=C(o%TiTKzIKAoh+aDSl4l+tTvyOryh@-v5zyD(ksVzw{SdfarY!PDzvnA5McPrXPtaR9zYwWICnMPbC z{+8T(f?6j*Fy{09yltrIZ1FnYI)8atv7Ydeu&&1hY6;Eu(jx9{7)L_eiBmru?e`q^ z5L^NBQ6q&v__OlE#KW(c&pTvZvmqIN8i*?PUePu&R8&gxxnDH*!lMqHAG{nl<|=y{4b 
zpWe)4XSv|X6JEPOeRB#+Uzd6@3CvJ9UjrBRj{Jb2Wcl;JFZ#q@`eUcYq2+L;O_H!H zB|HI_l!@NKdwl(w48hx*Vx{F|s61P`oz@;CFya;~G=I$MiH&m5mOGQq~Mw^lpZw$8u}9MJ3#XI>W!QB}#7 z=(DL%?2R8w+mDT!Z-`iYFw91Z?96F}BfRz@n$aZHQVjSSPO`HX9!sL_${?x`aVRqX z+zm&24ft!LNoFD*$S`6aqO9K-g@=Kk;NkFGK^e3Wl1S37Nc|KS#AcJ{69Om=O` zMELt;%tWEl}t$(UPZ-DakR=DCH+q zS@*z18)Xv?lwiW!z{%7dVyk<&gS#X>K&9*tt_EJOd5BYf7azbV3U`Y-D%;9ilEk~Y z@iiq#l-h1A=3rA>Ql31uti!mK+4d-_^;8P8czP+{yjcw6`Ovrq9%dC?7EtAg^@p0y zHolGxO(;iYjd%%9wqfSqworDsbs{J*MAgqJbqJ670Tun2(hMC>l#-DoAD+v3bGhmT zvHl0X4&`MQBPjAPVkqP%a47bt!xi6WVu#5g-5cOYtrWzsM~#Oy18>T+Kw|ht5VzBx z!{2nwT>vr?GC>C?r(C}2s$IDc{c?4oi$DHXT7N^P^? zmwHng8bv~>)xoPakV!p?B|Q}$Q2ic-2aZ?OFlXpfoax_?6{_*Lzji8Uu(rT})&>-6 zl4K-t&zgUe#-r{O$aJyr8BJ?_$D!y-Y#9>@)x_nPqZc&v&emVY zYo=-a{xI}HI-~C`|3sB23pr?;0$YhGO%{9(_?5-XpLG{$ zq*Iq$W6;71|CO`l8D#G~3^Z@BoYf!U@UhM~I2Q_&WA@$!9$K#)=dGEXYKqkw*onK7 zlF+L;ZBl9A@{*TY|5_aaj8tldNR}`+^iJt!*M}z_E@Aqx!WaC37Gi{gM^j(6^W_@l zLl3tWFOpns^SNj$03y&zrg`2*OCk}N6bRpe0MuCUZVgQ=Aw!@f@6Vs)XsR_K|BHA( zh~#7~O3@WA=4Lj853&`S7GAIxjNkjx%Vj*MI>qFoinPOkSO}+BfCv)6dlOg~_0a(C-gnMe(Od5Z3y{57e^W?mfXAsjKpCx)bJR#N#}H`; z@U9Yy!+PV=>{H^#e@UKpRa}t0qb!I8ZN#TxG{Rm!q%R@JKmv|oKzKCo zMy$5OwaI7BH(?klv}0!l_}a_btGxb4b(BII;@g{0&LzTv=&f(sqg&;cwZ0Ll?x&#e zpM6dBE)Zde^()7tdX7iaJgg$<*WxM6sw_Myef@;t_)lfj!K=%rg5I})Ri>GL=lsMV z(Ub!Z%mGU)LTtAegY*2sO4<4j1~FGX$EUJHt9db<1tm$Q!}C*1RVC8XmNyfid;gJO3oKUKE$!kRYAE49 zaiwtzA(XjXp6QO2DIM_UXl|3k?+eOOjMhlq(8!S;a$k{{bo4CR)R8eqzy|+$G?M3@ zF0Qbv;#Z!JWYm)No@m;}mmylFOV2s1g^W7nNSV5=ts(Hy^J5GaSPu6V$zTzWuQOg&bf>v4s z=+-zpjprDBa%NQ(DXw99E$i9X{{&`!bUfBr%j=#-UY)3_)R_5g-#4Dz`b19B>1_qz zeRCl3?p3Ca>?yceEHc{1786?GyC7R8nY1Mn+duqK9-7G6lAo9i#veZg`%y8EaYWf> z9CRRss-L1^f({D~QxHuO{EYhwLPIYCs~mCu zIGN_jx3$^y4B@8RsEMbPsoj|r@Ugo-W0?dY-_@l^F5Vg@pm_=_o0VBaZ6^Mc+pm`# ziKo9Z6U`_Wm!E)cN7?6-PWlyWw&1+XG{mw@C*L(hr6}=~2uF}1)Y8FhmZE8-<*}8HXd*(F@C9 z_^ikADdSjGT7IqjOY{i$MpU1lAfnfAQXo|rLd3}B)F!qbpNapW2^lvWeOyf&J6TOe zv=i|3bU-F!KZ}ib1)=ll&RP_5Frh8gof#Bq1%8WTPm^vIc2v)b94-1b<&&)V!>rYH 
z#l+r9c=lGg!a%Z8e^Ap}(5giqJL~1|cYe_7tGZoT(B)`<)9!?K=xLUd<6MhvgTdjV+x0^p9 zyxM`kms@IS_WfjVcFMbR{_gFS)eFqzmD26Ao%!4)wpC4oJicj`7rSxI_9e{Su1{Z` z%FEpuRYmK{T8lwf>#rA3&FdVCdNv|s#n|%c>&%tL54`!ZZK!WIKi;{rqR)VOFWKQ1 zNW{F-3sK6ulna=<05kui(zv@3N9N&iW~LG4;N%zsPWE>nXJ*0?maYY0U1_$!JAMSSty*4AE_b z*%3lSL`*utQ}4b_x~7jEe4IaaEikvW5Hi;%QDv1}8O0=KgU|cV(}?K9=dEDD&57xI zD=uPoV`i`E%ThWkddv0#LzPA7KSS5DjF^*^$3$3^FuwnI& zFhMWd+GY~Ch2Pc{FlE-tcHC2Ae|5CE`1sVfq#<3g6q%u-UMM)T|502G-rydMdD=;F zPRQ`C^bz8-q{mlT<@V{@`v$h@I5pp@N8=c1xY~rz!u@4d5IZzBvF;d`r|RlXD;zh2 zJGGqDw{wB3%#~0oSrqOXqD>_Hu?_W#Nsi3gBzwg(|IvCtO{D0A->RO3gP3GNS=ORI zY^2?+mq>k^I!K@c$e_}%n*_LdK0}Dp`Df@Ok3=e~g2XBd48{o9#3Ur6mf5V1t?6D< zgMZeWv>a5#+BxTY6QeQpRm#Jb#^yFM3K5PP8UDdDaw6VlA^P6D_pez^-&f)Da49!6 zF`cNPnmz{!s#Y$i2}lmNqce*E4H$PEz7@g#3sOg!IUAhKr6) zGQFyojEa!=OPLqwKz+2-@;z!RXu{Q&)PH9A6R#_O>s3Zo($n{5SgO~=il6-+4L?A} z|B@sIg2yr!=c%)XEgk-c7;q+K_4F|m^nSCJFgiJLH{AN|!k+pI7gmPk;j1_L!xUle zD0~T3V~I>=Uk$Bg+2vqvs0GMIXdvseJ{1&dLUM>8|EN%=cfnIlcq_AHM2e{@-anWX zpG_P#N=q4*o5|%RN}atnhPdU4f3yqZ_1w;i^ zn3v;tiG>7`+o&_DuvZ_os>(79XEZA8U|hQ~JFN;k8fG&3S(iV37ysdb;e(tj43&jf9V%^^k-W-Jbt|TUkQyX6`+8sU;o8G zzdXd#KImj2@;{hVvm;n3RZ+ki#R>yDfu73!bf1Z9OAz9?|H=2mzDOEazSF?+osKA0 zB{9{!YNxzDu~qXvz;Xt^=>z`>eY77sEXl zwM#u1p*6Bj#(Ksi$G3NkJ<5q8H+tZ=*wh9YeiPB#$YtmyyeeA;ioqteDs6O)Z3_4} z_gliCx10lSw>$I*NVOvH(W%R{@6*B|&{5j;=qt6o#M}R7X1LRKaN!(WW#L%SPHecd zh$ftcgfO?h6qWjC7^NhMYD zN`B)wi%+UOm%^_+m&%gTA;8pw1Vb-ZO)39*kvr{J=!D=8Pt-%|%qH}AU+10SadtkOjNgEl2LsV)Dwda5W@klM`zzD{f2Z>X?ePE(SoxvHttv%zcsM zt01xD-)1eaigXnG!a zbt&9azhz?ByoR?J8bl5r=1%<1v59$zkRQ+6 z{jMHlK66WBe>CFi^1Vd;>HdA|RZ&}WG=B8d;;Xy!nz1Wg=}uC%#>9cwlR4^5-fjp{ z5?%~KEq-^Ij&z8TUxx>0(34K*C1q*6*zw|YRE;$jt?fTss5%?LzK0RR{@WJn>Wilg zz-Fo1)lMe_o~xtGLRQMc<$s-ZX`g#=4{}l>CD8&#k+gaWRQXZ$m_E0e1NV#a67ki( zzk3g;Mad{K!|PdzxxFBNG_wso$|-on))vxlVfl0T10U11U3 zQAsOcPh+t~zlI^L>7Rfxgp(9f8XyhZ{V5?kS~9j4nM`$NxMxln3tt$qUMIi@zQTWKnv9=+mf7sN?(voaDYG4jd?&&rK?KId8 zW<_rOI7}XwgSp5abY@!{4&*P-AJvML)=DE?9&SJ&sSj9WaW&~73Tc* 
z6|w^&#KB^|WI+unG6%u4ADA3&{bpPT7>IrBjnS^w`RxZn|`1Rh? zoidUeHu=WNdyzG=MaD|T8M{CRdVn`n&*VeR?SWc=K_!Uor3yM#T497esprDySkjT?l-SHL9A@3JQF&kQ{5XB zWz|=IfaGlTTWsqu#GQ+j=kcm&D5#44FJduq5pq2fFJ~%M8iQ+TOpD_zu1fX+{oo@* zPeZeeDF1$^9C@dSZP7%^+IM~U5Al|8I9@+xI@*E}?|fn~W9O`nif2j0&53}kw0h>k z&^Mp>2Z?!1@n5uSvRyON^NP?>rzA`_{pLZdXVPAyzY@B*JnT-X(f^BCt&<~oA5n%q z;3uuc!dG^nO$LU41H+3aJ|2iQs-CD(^8Za5OpWp`(z zt8`S>k{O~O=Bh(|rTT0S@0@&u*Mm_V03%M*iH~8uU-wS%m^Db)4u~XH#4LFRKvOKM zBRkm-X9}0^)IqDS4Q%;r8DG>EOdYi!WL5(%hm0DQj+Wb(v>SguV@9}esE$c-rO^9Y z&sO~hUN$VanmkO71@;%Z7>l#0^OY(1^G&H<$-y%%3jCw8rO1?J2p;X~Q*r+)Yq_-W zSgHna3>!W(+fUH|KNq~w$zExOPpM?oa>8DdR9|GjGVEWAl|?z zZ+Vpqnr#Dbz_#6M8DDx58Od^mdE83ff1IzkpN;!-8rx+J5sgwRJ3DbchN~VzYiw18 zRX^%H2-o-v#`tp4lQ?P=*Umu73K0ayD86>g5(i8{va!xUF>cGlm{V0ljhNH!Sx3%X8AOH7IypGk@ z^(_t<5jBAW@{QJtTk3<+f!gym;T~m}uHg{HJTVb?dj~bTxLvs?c2K-dczemdN)g~8 z_I?r={B(Dd^0WcfW>OooT7&)o;qXXPW-KbGnr2dZmo?9D-(6GIL$y7H!GCsS!oH-g z#9QI23kgjRd*qX#os;P7a zoBv;~9#6Lab%a!RUx!gRmyl^=OTyY0FQwIvuH$4+x^3}5k2A1^pO_*?LRN0;iHWgF zMWcYR<}=s6MtgGJ7ahlwlAUq^(W9N3MfZ(yrL)?F3W!=G+hct04$>Q#`;uZiJe=t3 zt$3VznH5F#ZuJ^Viy@an!qfx0&r4-TUPgQU-}0GPcuP602~8hlH5Z4IdTVk{J}ig? zBjv(3yz?T(^kTvc+NKQN2{@~&46Y*DmEGuTP3e}=WdF+?f{Jnht+-FQVCIMh`#)S| zj5p%XtJPf1V-eX_(oc`p%7drNV@w$2JE%~rV0fM7D0qp=)VwX-r0UNe*)CzQEix@? 
z0VTKVny#G0zDBzivC)ACsom~8Z>W#jbla!c4y3yN9Dn47XA@shkQXN6&pCZ(MVbjO zy0S!E7V9tdqb0+z8YbKaoCI2=_PHvh*t@LT=p#f;;as$1=dame{aX(bn)wk|O-@Bh z$U2*t=n&3EP>>gx&J+3JQNB=vr>*5?b%^gZq)gGscV-&dAlaSOGJ>rx43uPNk0Z6g z(QqF&+P2fEid#rtRiJlR-E=CIjhzCtzMHYZzA3=Fvule*{Q_b!6;cs3z5J*sF`02& z^M!Hz*Luut1~-{|(`+M|%OWC+d2$f!UIvlfgNm?VN?``^RtAb4R09JZrKUOIXIx~I zo9aT~HA-(6iRVZ*+z?+FlGd2WIlpCmrF~F-Ekh#VD46MLf#JGJauZ)Et!G)~P-b@VM6?r2#jS9OSEHSIIMZUy2x4Oh;6%O!@G{5N^;nNNA zRhV$BTds3zZ^3%EY-Vo;apl`|s?Ay&`YTl`3Q>beJs%5_fsZ$)TW4>g1WO5vel-EC zTn7-6qAUE&jszsFIsTF5l8`0KYwV^;ZG}Iq%!h^54ZYf4%A_A2c|22w7#DqaiA~8o z%(^sy0R#pw1bJ z^z~waj<{(tu#$d>_jiPZMn&evy+U48j&~G0+tsG#T*c<``sOsD#?me|H*Cgb{!DYC zNA-Eu8plCrjs?Nk$egp^D+S-Wu=eNx^5-H9ORe!!>(MOPio?nJo3J?h#$FOTBEP`w z0dkJouQq6+TfeRUwGVGKH;7I(iI;NcC`#V8KY1a$!MK&FO4N+SyV~9$NgpNhxN?|* zCz48LfP^&YsZz(82qm|w1Ss>|oftXywl)%na-jGBS95J&ejHGfibP1vg%} zbfBb>h@=?Dd;=ql|qzXkh!(wU{GvS#gTR+>V8xLEoglyZYm4oLg(_b zvEU`23G%4Rg^=fi!iVWiLB=1DQK{(<@2S3oQ}P15RzEJoyAgFMAC$OtaXDtC_Q1B> zk5*dz&PlONCc&8~t9{-F6&>*bRwAyipXc-zmX%ML@r{L6$iFGSNH>_ZwC$<@r+xuXw3_FTAbb)+hS9UzK`0oLbn{!Bn63GqM?E!1_AjL-(_c*;9c0b zBuD`0t54(>eQWSx}p7p{)iL9zC_wgzHl&HhO_<$_CNI#Y&7j`A>*E} zYWfB%#9_NmUfRB+2?K3QOU(L&&sd)q@|}brc`C*%IHGsi$%lc6S?;Q?ctS;QgiA%HpLF8ZavXfxCPJ-!r5Ft0o11=XcMOY1& zEI@@Vacn3DO5 zRLDW)51kHwfUA zfwlje-lJlNY_5r8WU+?jSU*ydFTRy7yTnOMQE3fldTBi>DPC3rf0-CtC$GMfO9f~RQW&j`XYDe)Epu9N-!Y02+)IJbn&>-L< z$z5m4=vKC}_wdbt}k!O$4qb{Qz)B6X-l!#wvh=NX(F0;E! zjn~#&7>C{XJ4a~)!e503N3~q>F|Ho<1MUlE-4Nw^C84-AvGct+ue^wUYNGJxCSec9 zfI2ogSz;}lh<%#xiLFP2w4t? 
zx5d8{%s|`GJv8Rwn3cr)IG3-*#$*fB7;&uX(kXHBH`Z6UH%8DiSTUog|9M9Zrj4at zO$mmL<8QKXyJ=i`A}f^`8f9rV-5u@`dHT*2VG~YK>;7$oR~tBCgGk`k3z>&%ru>z*JuqurvplXtvqZ{Ou!pjB?+>AeWrpYsPrj{HaI{Nw2D!}7?+U#?TUh1y_D>0yIpngyCaO?`J`RSh2Fxyem(Hvc z8)j?33H;BY#5FplFgm7_ATD5lhlYFR@#&ts!gU_--lIq#4+WVeQOdL4Khu2%+-%T& z6eP@Dyb zeu4aS4gaJw!>CkR;r1iM3Xd;)(EY163syU3VI*m7Y*y?fMl5M( zD>t9(k2)e2=sg|v+N#eyv)*PrKP5T6JOdszLJ&G$90^+Q*ij7eNRk5>f_DU2k%NU@ z+cyg@<#{9mDfvDQSk!&|$51YtW%d`q3Oksgb5J|8SRgJW$$<~XnOrTJl5guL0%YpN zmWI}G36wyWEM`MvT9GA;By@$`9mF=F9J=|fAtyGh9J=GbTN=dn^*MA$*A57RzrNN? zX|5c&Kj1ij(Wg){e?1x0w1=YQJ+(yAkVFC$P(*q2W!j6Lbi56YCq;GDibPmMrF*Ow zhWl$+WSsi4wl$`+1Oe9B;9L+R|4AO2O?zESzzt&!D#Qbuv=iHFs1usK)nGAWne)j# z>RH|<-_A$@$#tw4@rJbeV-%dcd*Y%7&y2{vNj~iB)+*`YyWYFCg(mMmi$pGBPvgKqSJvYTD5tZRa<63W)f2_@ zXZM0qt^qTGKDROZM`;3y@R7hinARmOwr*qcibJ_VMU3Nf&*Tm%)#s%nWDMIq;%+q7 zrpQ0E6;TBqwLw`XI8`Aj;a9>6dl8HcWRw004Oq9;ZD@k-`qlG z{OxVnJaq8z4080yHwf(pfINi!k0el$X7J=;W&R&i*Bn>(`}SAM_Ofl;w(VNja&1{# zwr$&XEgMU#letc|>p9zg-|hLg)9ZC#pG)`q;(aWvB%}>_i}b>GKpIwAFwd81T7$aO z+*?WJ+&L{**aW0D#fD?{pPVvF9ts&;V*bOpJQCe#)JWPrgd*EMjb}+ThJ?z$> zW)ob2%HzBAGQ;10G*45rxz&Yi!P%_yks}k0ka#; z@e?asO|Z!yewap8p+ydP{rI;^r6L<_0=ned}Z^ zH!W{}QN0g+s=AcfR#2+KBIU+LPcT0^Rc}Ty9!ac}6AF43ZTTw~OjPIb$gk}tEhsCYlFTUx)a^3 zHSb#Ou7=M0tCGQ0TF+%BuCiI=T79b4M0U{V(jCc$At%wZPimKHf*Mi;gJ0S`fp-eQ zGd4`j9x3MLJa@X8{BvP}y`Hb7zPX)*2yiW;nWoiF(-I8-PHOIs3K22HFC#I^rm}SS z3en;U_1D6gjfeQq_2>A+K$$UN*HeV~gkcA1j#H)H!3zS_Sox&BE-u|un~#_5{InyS zJ66B&2Ud`zKX0Fm<)o>87Gt-U z-da{$%1>{9^gkWr`&xs9io%(&Mldn3s$Oos&*DB*kVPr;nW`PwNacc@r#~7x^*$Z8 ztsQSZ2}kS)%&lb%vROc61_AD$3I?cOb=^Pm%!(9jGczQdcchHf(gXz_%lzYT81I;N zCZrEJP`E$Q03UB-4fbzsu}6~NRNO)36asT1HgcsCU0uxy?-8`enC}?{?1deJx3OJD zR@^~98_^rZW7o2&SFRw(>I)x1Nme9kc>N;SZ{_b71$CgJ{HkZ>wsGk|W8W$3VB9&S z#hVKrVw52t_xqKf{LKi0)qYmL{U)JttIjTE>ZrAxdfnT(Sm!TJ}|JAQlfBtOr4+l1ueuygA zs9G#aiz^Uruy;a^R-ecvWuHfIKa||>%;<}JEMi$afK% z_=B>*^Eh*5-GlM=R09^r;WK`9MEK>HlR>9Ws7H0(XLqK(DVZo<>3bWyyB|c(ow%DZ*HB~ebUy*nW-k+&CySK 
zH8s@OqN9)6WlwTdgXn$I%v3#5P=g(H?X6@6J&O!kX#(W5mZeOUsk|Kv(#o_xJ=tlm zVg>jPSokh}?1+D_RpQRJ?k;e=)HtN|$X7#xK>ooY$CJJ7gbVL+tp1hRlS%0!*sqgc z%rg4Tuc!#$D2uXYclRUl7q8y1no%paN8Gdbqf+Yf~5HK*@&n1d1Gd82^{|WIK+$12&~KkT`rl-1w3TUDY}=l zH__T_@@fn7YM3;~=H&DKhj9Q$DkY_%%C{%QBH0gp*-p|qed{`{(Z4Fsi<`bdPTg9N z-xHo~#%f38>{>JY3Ds$oAJ;Nl8Swg0mR(AYwF^thlRJiuPZcL){mLvvXvKG+Nh?1E zm^j$-{Y6X0DN#)V9VJbfVSB^O;&UoNB+F535!SVcWh6EW1f}9fQJkWEjLO)#BYp)J z?+)3%1Rr0}eW*;bZbee1Yk7Bhd&)0#%O<`sNt zkGFX7;YnaZ={?vfL96kKeHyIO;`Z$G_!yM}z-reF;B)R&>$${0^Zjsmw!0Z}D!ZtQ zx%+@hh6yw~GHMQ4$`gYI^xu)W$iJ1vdXqPzcfR^4RP|E*?q$dKWlHPyp!n<45d7;D z?AYr?_P1=Rv*@!a^j9V(%#623RH;wv$y!XEB7S8zylr9&&K%df!HpT05*L}MC3SDy zao7lx!Q}jMqVh?<>So=zLfM)ATUv4&5fw_(Q4;z!Z0~L|C*#fg(+D=}SmopM#X&bQ zPm(LUo0-ik443e#n>DTxV`B0u&NHLJi!M)SH@}N`ul5AGCCp&V%lNu%rj1Inu20+~ z*M^THa-Lw9D6Z_v$ZxY-c=>Rre@!+$r11b|92TsD9O$23uQ_JB@1(jONtrt1`#XJS z9)DiXAC@Qk-n^RnMt@F!y*z#~5)i8G>J2$kc&0-$)CJ-picOYln^nlOek1Lc)yX2K zfq$+E0b-BF58k*!pNRb32?2E)6$MSvQ34$Z`l1u!yr?d|$qE{=#-VkBIsfN29nA?% z`nvoXy$@F%6kMMQ8H6DgNKW>1JOb;x>(k%PAvq${cjLF^s^2Ari3j% z$SLLT65<5rjCsd*E_Bxp8^XcFOr-sxJM(;VID~sw9j*Qu zU~P~nsU#fJWfeO$Qq(Z6{>sg)k|L9KD1Vx*rg7|0XrW~q*J>>+Gi=j`B4bePU|?az zq{&m6s`Fss-3e=`>BW+YRR$5f#TyJioHs&GnKf?C6Bje`XUJNrEn@oS$Woli@=c|VElp3=1$KmAZ`tXb8sR>V ziX=N3*+mcVYN(0X!(eW{paKo2<4G+qVU~X-s@-9j5>U5_qGFhx??^Xwv|+KdNX=A~ zALQ%A`&orj3pDiaN$V_W;T+YV|2h@o;HXlvj*?RUusvxckW+CYURK=^W`BK(%_viD zLdlFsBHHmp`b^Q@c@nMrjK7cb82K>V*)LltGh6>DGwXv+_(iQgESal6l%9%R(|qlh zsHMy9{oTx?-l|-J5uBR4xG`=)ek|d;x6NOao5N1QdGLgPo02TC_+j^fE}U!1Rc`UB z>=SipJ*`=eiHS;L5qHdj6Wt;G=vPz_2e>v#D4{Fw3i(IDj!01URX(MoJw>6zoZ#p3vNvHl-9-IC zYoZRPAzy9CGEmOoH!oSEyfq~?#`6j)bXZ{DgLbEC5608VvE+g=Zv4%OJ&^GOVeaz7 z;qFR5*pX#~@$&YT4(5|(SRt@QTie@YsG+{h+0CSVt1NoET)*9kgvMMzz5AxFbEaF^ zURrID5a)YreICItXc8s14AF$}@$K`(vGKlJw}&8owe>lxvS*3?xeE!^#cEJ@$o26{ zl|ag==;GSB@tPH!n$WkscW$49mKuzc=w2?ZUaRdph}|vHtbuxR5KK-g)+Ezhu}nUgf<2_+e1R}e(Z(f+#c>y-z|Yl#rxoZg@u z`Y9h@qWTr3-5amSu zJ3;u8O!;NuraNbO9Z|`2kK5`L1$qy>1nUF_+j*<+KTGi(s&55Fw5B6@rPXw^)Mx 
zRRI)@p?Va9xq4xVPvo?t^~|#B`zct%#czv01X)yZw0kXAB<*fDa=mUI^YMK}6%x*E6SAGW^PVDJeVZRvQP1i&(*i=Kx=y1LDq>F5G2Zw5ns-C$(LgpLiAG(Y!Li4E23+Mpjly5~F@J=4s9n?H&Y2Z-u&z&%%C4Js>Q}TFE z6D0{$cs4IW%+q`WJObc-x-YvJTOC7eHT^KXipL9yyEO*5cZ_0T+3nVIy5eeK8|wYv z{syW~9wgAgWZhd5aHOK^M3*IB>Rb?j%Oa(GlWsT=@`y3cVjWC zOQ@}+D;tCcsuQ|=6O2L!x1VI$3A171Akh}CFK%j%lO%jL0MEKMosj$CNRD<~MkdI1 zmQ4qG;7=t@3C&ryytk3n&e!1FWa?C*d&2}$!M0Y!-8ISGj43KNnNXq9>Y zIIY8p7~DP9%Z?zstl_HhC-@?J3jqMVeS0alG1||{G$!1+To{Q>Txa0mAf@Ugt@CeR zT{jn~4n&kIjni9h7};TWqp^phxx&~)yAFvddDIwnHzcQ*HHpME=h;qu;?nSWQ-)k1 zVMRr)pBMEv?1d>KQ;BAzRVmKnLBpU>A)=tpI|sc>8i^_5+Wz}g{!iVrXKk;3G-!1-^{(2t4_T##lk zYh1qxBfR_CnWr8ww)8Jz8gt$`nvvK&0^Q6>`8!AX^sZ4^nN}6rNb|uemG%w1>QEmq z5Jv_G-7I(PU5mee_A%n5;fvJGOp!Hkg($w2I@e-rHXU_mQ}!!`Kjmr`HPB0SR!2jZ z3D=#ZeLXyvwM5j2=a&|vO%FLm#*^st7efg6?hwm=9dkwoWf{ubRuf1s{KjcmNw*|VsxVFSPhqTzlmM=+u7{<5&sM|C>u*b1|}Rt(V0Mhf&w?vq+? zI!Nqq^Y}rZxGpuTt956!g8_5DQRfB}bhvO_82A%*c}+5wIV|j9F?L4796Xbcd6i`L zY~;j$Q=uA@;8&r_G)IwenEXgZr0)^^SNg-nWSt=CcY>rJhfL8)L_q|S{yj=$BGAVR zJuBqR)1{BgrS&I8%ROGbvn=O@(Bq)?wA(KYgp>wWsKpYPSuGmwm{4Jemmkz|p(OOu zo$8m}t$FUE+g}Fq7j+VUhLa%#!k?D%4d9IGxcv?fw1TX_0pubtM#r$PqE>DHy|AD@FV37xy_-M(Rm3^LClCUSVx53SiRGo(n|@9Tex0~?s9p%` zC`;-QG!S{qU$vbi&@0^%mkmUnl%C}E`Q4AqidMDFH7yhr>tcjdz0+-z=+Sg9TAei_ z){mI*QV`~?QqP+_)=3>jr-|X!Oa4|toQASA!+pse#ue``8uKO$%d>k+n}&z1 zq9WxUV#PlyroOF0n1@Sbj{KJM;Tb8w+-kHzm%)CZ4P))ONVWBOy=rI5ptu3p!5fA@&mrJO^1N0>dLHm4BMF%IO8 zM=yW_x)qsxtAlf@NisKlm+>yPCK(X!m?`*I88=F!6otA<6o2_qwf&!0rJzTGoTC)8 zts*Ywg4314lTtE%!X(eAW%eEn>q!0)8SjN7FKNJ$uO6>o0&8&QlZRcveb!0#bQ}j) zLuOJ)I?aWZ>b&!KSeYN_y`%Ry_%MU1r&KQmFkwAaxRH(;{|?V7jG_e{P769*T5iAO z0(5wTcp}=}_Hp&%T6Olip{MOZcfK@{0C_>LXcyi4JH09m{LY!VjK@+_@wI&mD*fxP zr?>d5<5y*nC!7j?AM0JsZyMBDD`Z{f`f*XnYK+_c?W^(&kfk4vvY~G0ibc0v9BDsm zcKoprxVIT_nQ(AV+jKB4;6KX17|W9l@@X_xm0uU1Zn@MkzulZ{LO0)15^%Pr!vs+a_tD;Mbh4%2=6qTwl{qg)%z3;_OeQtQwwSI z{5U@*r1Wy3dhJMevir1Gel+9r$(1?{ZcmHJvm577sq9g4o}lfft!w)PxpbD}g3J8A z;=z4H?gZ)f)~o%g{A?ph{Q6N+AQ)7Z2t4^F_rqJLEic#{4 
zT={j4{_r920XFn8_<0-NnF+|F{xUZCj4WvJ@=^yty|kaMxgT+Uu*iNXnd)?Z+c}p= zF|mKWp7oRvtwlyD1mS(oJdx)WSH};Jjs;md#a%6z6zqt-m`Y8RYQTiDorLo@pT>ND zplz`gu4@5`0phbi(X*+)r>*8$=x5cb`DZo0wR5{YUSMapt;I);oVhVoXQKrWAB zE2=#!_3Ez^(iNH~$1)gQQUcp5@BD6fK%ZAGH7)q9%xwMqmEh6C1{yM_i^O@$bj4mw zK-?>6$EHQ(_oNpBO~0jd3mzrq3iAMY#Aql}3e%zvy{zbD7&EGTfJs6Kccp)ip*qRn zD)YaRmN&0m3dq2Jm9!pFRD>Mu)ZkZR5QmZts&+9-f>z7;BK?!U63X_?%xcV zd1p6x+dn$%(1zam{-l_7s>G)kGuc&TnhiVN3)eRCTxI1~P`nzUyY{W7nh;g^_@mS4 zoe)jsmlK`ZUEflnt< z_v2G3A&k^MF|}la`yIlL>=2nthB~sz%BQFh>xpEXXC#Wmi0Sl(V17hplh!hR>U9DC zHbMQ5nZmpl33quG7$9bTMNx4C=NSqS<#;*gOF&;K&8)GGEkcGK#X=sf zoDRlbjjuX6Lft!cAN?Vpp5utXcKLtVg7?n)l;;u#lpstpNSe15;T+W$U=>jfD9J-C zgD6Wn5Y+k1!9Q<8n)p<@bfr^nqh`Ujq)5@C69D{yoyZN4_*2WHcvlym(dreM1QKQ`;_8+Iy7e{HNMy1zoioBq8V3b)eA+Z?Sql zqET67z;Tk$%cHEhvOwhwX#5WX34v2@7~YWIg>lN2lcukFXAydYIFEjxK3yEF#)q=F z#C?DmFW_7i088Y0^G^?YPq{rodf*Atg8(J*0oYf3E#!IaR*wY!t&%WesxtBM+Z4GW zPUrcLWIb37YBW%g)x-uHwO&?Cr(#+!H94y7xWoloYm*b}Kf(Nt6PV~g zsr-HOdA6G?%dUWZ=nDz6yg0fm2hyE!E;=2KdU|otgEKc?HfbYY{U=wD+P%sYhrSF9?sv2-1q0vs zm~PnI{PqfTp&J%NZ=bb-Uh7$(kPCE*i|>55W7e}DCjD|`Nrm23NUP5u@msV?({Y|( zrWHF9T9mF@;%vWA{zpg2RIAL;dV>DkI;gC=txrok()#%e>SQ7A?X8TE?}KxISE+WG z*KJk?^U+OM;4BrrO`RXd_RMJ4^VrpoWFXjRS7?1C>@O3KI`neI?z>h1kf54 zY;TZ#kOvla)$nd~$Vv={nWEK&Xi<#C$@G#6!IU$@xt#zi3t{b+{uWcA<^Z)e6z>{s zRA%r?lRq1%%y~xHhFe8k($6T{-<4T?#>>2gCTFFDPg`1@9f7VVnte7>=BNvW>)G9%YnYW%VQJCP=Xy~|@ft_Jw9dSpYh0Z>Z> z3vf|D{7@@siwxVKc+@s2pWj|ZFIX&CIqIcr0<1LoX6XNLU@jQ@aZ{M%$bE7~r zbn2ti{nIPjzClfiE+BpAc@Nl4^!g^c>K6K%{=xTaSFce7bPfl`RaWoV&EoQ7y+@|c z^a^W=K*MQ27gLn$`Bd|xuLfW*n4>{bpLhxnA=0I|-9H*JJlTFtp1%5#i^J#`;=8vV zW{J^=%E@CQb#I5M&YJ^L@r2Rlc2MWHK|jB|sL*!mb7s^d!QWWr8(-(Pt2`snwIGkD zYgT5A^jcA9=u(UfOts^lN;~GO>tXgwGoC@g(70VE+66p25X32~iTuGWoC0H@=+ox}=>oGuByp`R(N~23-^S2__r$V{R>XOEJaw=-oWZ8? 
zpMWPZN-#j3jRet#pkwS-X16rOIed7|Mw+zw`^F*HHLhCSZ$c*U``68ODg%lf^}(3y zi|NOmx4mBiz3xOSJOdg$Lo0|KijkeA-s|riU5otgZhdD^(lR-WlbIRlK&B#!9m+br z=6@jww(G4vh_lTSor1Q`^`OfKzbQ%jpV@rq5hWl~aZ({e1(|Q4v=GXG=stE>$zZln zR4mHOoogmvr@{m5z}wE%)xDZB_1I9x12Vl?(=A zvqEfn>b@_II(Ti5OMT;r7f>;Y4CjTr#yM{uAuv2aJv$26N?R#3&=UDNP2G?VR9Jtp zwHy5B4DAt#Ol?qqNAsJHC3$P$``mTIp5VF5(bhcMc%FC}#$&1oRb^{Y%0dZskU=q5 z`F3rYL8L2HZ~d(Emd^JKX>#i6^3|;`w3<13wbJcF9>~5a7|uOMcA{n|82+wrX66_U z?_3`xL!F$#)X=Py47Uxv7K`&Z$&0=jj?g?n^> z{Q8`@ZX>l7@6e$H$3i1d8Xu_WDtFJ=G>dMIJ4*;xsNsuDI%mY$oK|iHR@##j62sd3 zx>hp`;4l(6NiHO<&|?h!*t*7Gf2wZ9dQWxyJ&wG94ua#=5e|A2iV;XT$UVH&6ZpID z1L*;P(}IArYQHe{428sx!rP0e4{NefW`!E?ks^gC5HkF!z^v7%P(IPervJs|*U$ej zK@=}k)lME1BM1`^sA!hGzYyZXLp}D5kN3`OADon$+dW?NR^m+H>hcHwv3eA^T#VFh z#lee5aM;EmxxHGx{NpUVTT|&Y%l9is{Zovp{_zffhB$!<)wUxzw=IMYg3VgQ>u*C<&fk9!_s2Psyo{LSFyyM`{;@&p7Qp3D{`Faz!u-mV*aFI+it$|2dV&*2 z>Bw8g>zR)5PQPR$xI4r2`}j<5hg)Q4U+va|{-r1X-$}KFo(UnSx>~4BmJxEPGky6K zCNydo0?mq$-3Mv}S)nO^>dW}hOb&%=#qeJFA)DK7!V4NAuE^WOw>R}+rpnJsbJ7~-QC zD;fmlwSS;cGF4j$6J7HJc(0(NMrkOdQ#)bJ;j@2xad7?IH{*VZgZ*+rF?@pub=uqM zUXY^`g| zoeauF0tL&I&Q7tPxifa{uT5`>BDxYc@`a#(`8VK6KZEKCBG3~=ppIXNY+ZjUB-!v` zem%JCyH&z_P!W^&_P%HRI*dylFZZ%qYb=v@m$AvqU=57xr|%^%fLXwTyFyEpuA2h3 zl+BuKgI@erTBh(b8fGtc3oyN-9d*z_)B6u~EN5`YG>qeluqH0J1x`1_UYa{Kcw>DD z=Q1cPLc`@U7~&$zq=zv2DgSSdF`sN)k%@M^D36B~iXyTI+y8?SE0jjvx46!?6sV+0 zX{Pi)sE`V=U4Yy}8Ly&P$gMYq$uY|&u#n-&p4#RsebOabTaR_qyEqHa_(RNW_W}4* z1uZ9OzyoX&?!&6z%O7N6Qmh`|!!N;nElWb#?Z}WvqkM;tj)iGHdBH!bjTr`u>`pk3 zS~uOp(e}?CQFw7zukvsWK=w!ivPV&nJq8FH5D`3sUj7K6fmjb~YC!jbq%#b`q`Oo6 z$qxCXNi>c?g)%f3wfcls`Ek5}J}9%jNplV~^Ded^6~ONh%IKa?wzEk;Bk}uYcJJqQ z-=JMiP@aKuOv2E?uO*hx^>aI}r{5AR&uam7sKPwMf+pg_u>RH|Vx*)b(hb!mE7a%A8GwYxI1EA#`iQUzBqfNz+nJmaVaeTD#_4550Ks81toS5q^B7=+-U z|0?SYH362yTW&P-tG3MBf$rtDT{f4XT)1bBtJPSdlMzG_j@E6)Kf;z|=E(Re6veiF zvL)}RLHqZD#a<)Ou<}sRpv63BoeX_*cI{eBRy}rIUTv_hFNm; zv39|8CRej^(&;_ZkRVGgqt7V&*2GtIi*C)c!DY=LXLkEyI?{^uN%_m$rXv?a?s``_qSMV6hM$dLH_YlR2A!#UOeR(R-7qxu%T!}L|1p=RVRzDHd0%79mNM|rO=-0%vD 
zJf*JPVKY1QiS%Onx}n4n0!5H-9u*4LUPNCOnw>};et_kF!7m@99sV$6 zp04gYRCF_0r|=tlN4e@ZeIy3BQJJNaDqS)wz-wwsP#53SPPw5vXx@=jyOD0S)LEv< zJ1$ZFW8o>ml7)xL5+!CN?&&^zH%WSQv}@k^Q*iTXm4MS6x{9Ea8_PQ3PPu#iJRM&C zR~mp7f`{0Kww7qLCkK-@FmGzQYR1W4vv=DnG$)N@n^4OjPJj^ScCuIQ4^5u>ZXlXk zr~;BT2HzTD3SQ3Any6rtM=Z+pY{f~%hQ#wrh7lFDoT2@vS-|MW3bKxIM%s>oJk;%% ziajo~%Na){&ZO`|r*^M9-w@A5%H~*dxvT1)o3zHVaaQsUBEW)6rEF?hTKhw%G?<^J10>SbJDyxQN$_xpdRIRQbL9|>Mg;mS;^%t zx9nmkYu*J_&4O|_B2jI&R5Z?Q5uEbpjn1H5H*!XI64qcCG3#R}N^yZTFh4X_B~vC+ z_5}oIp@4nkAH=L|2gM)jr(+5^fA&DxPREGgO_KDvWD}jq79?gs+&O^Bzl2Iv4aE(H zi=v*fhDyMwciCTz+wG+4Pz&amf^@~jXYx9Ae>114 zv|Z<9+OGD#Q$3*iSaEfXyU2;p1-R<^36cWdf}rO)NPVc5PN%eS3FUZPRIG{gOFE+3 zicJcdMISSaU(LB#k~?7qf@rj3_YVC<{BU$V^JjxkSwIXfyuYM~Lr7ZmT@_h~(c)5o zFS2)2rB8+TP%xQBUB4@cVL(2%np(bgO!jFBsXy2;6TbH$)>>@y4zjt)&!FY>mJ9^poqNOvprZWpIlyM1|InEhj+m+zaLiotw&UoqUpq3uJl zxy?K~;CD_lXmc$WJe5Xc`;%Lo2ikf*jcCoh#>s|iC1%A>=%IEL511z?qBqN{deBw* zqTlqZ@MDYB{fSpDdbm_y7qq&fMFM$&8v`7eo<>3ibfYEo_f;_Xgu5wT%R9 z1IH-`8ZP4)&F_m^2-ql&QbghlKgLOnM;kxRC(|(yF2a72Bh=DS4WkbqcZvY8{N)wt z5E-9^hZ-NqtHf)0N?C+*nJ&h(}p`LJQgvuG5@bf2|!Z$ZgY8q}Uq*xllceaRf z8aHCyE~#Ly9qwtiHcoPVC<4@m@NVD80cR&d0~?>wehbd@D}YID#U~Z*Mvm!IAG@>| z)E)wlYq@Nag<($z^%Zm4#|QSyPpak4tQEPd5SA0^K0 zcj0n|{TaL{$3mP)M%~;T>z^#4v&EztespJKkA-#b$ZyzH;4**3Ry6XE;woShz+oq@ zFHJpYL5>F=;LlcOrhM?l!mTrZn0J?+`fmIMFG{2QM49cbYhkaQfXxoeSE~an5LrX19O3Eh>pMbyb9=1k!DiMIHXqy-PHw!hv`z zwHKH~nF)p^3o3m$`ye20VEhsCPIF}nI zu0Q7yw_};KGtD)o?*yaMr^i39tc3n`f<@8enFk6Jnd$;?U`0!6c< zVnUY!yxHjbeuN9~d}WG{3lvFWkuId!zs!^Gpa#8Y=4iEXqky5ir5q&|h{|i}!dYi; z!PRK5Is;>&HsQN|^!QfZIZ}pUg&cFo{+2L^jSNs4Q*Tp@D>l)2OF+LBtV-62JeI*9 z2IoRg$DAO^d(^(aSpa6|)U!F9Wq*6>@@TjHbbk=3`t`t@@%p{~Z2RV;KD@LSDCzHnYP)|`1r@{@rPEEaZb9%VQvevIh;|3D7FnjgSHoPNr}$A zb=36n{m$jwoc42;Estn{N!$tB$|eDn_(ZKt_33R)r5}pV0ppHkZ0U$8o;#w>;SuZN zZ%D7{=AVp&yjwmA4)a{SbiMT$dwIHGV#_X7Qe9MBy%=i5fT>{#71*%=5bW<>$T*cG zy-wS-@3RTTzC2Nd-;_P)SwfZBBYn2}Y<^j+a+vFNu6Iw-TR43ThlICzh))Ua{jQ8k z#aksE%By>SJ~`JW@5!@Ii*Fapc0N{wAxQr@Wo@HN8Hkv>M96BbMZKI3GMafP*FcLF 
zI(9Ps+>e?Xv1j~)?%MS=a6LLGa}}uON%w|3L$&UBBz*?C)D8W)_`z^w>?-N8bnNY= zbO~XSrHJ!5sz| zK7}CfUf{=9L87sZl*0Ydxp?izZM+v@!L1h5Qd-yAT*(d1jDijAUU&;6q3-S}&s(Q# zcvUS(b~fx=@;D~npl=IV;tfLZh)b-XKUlO-v5@hHhHg|bb%aqEA_Q8w^^CTKrlc2c zC`7~;u_ix`IVh3BF*s5W<@UlTVDn#)TX0>IgU~k=`UI2dS>ioW>5b6X`E?D85?V;n zs|VWQrdzIWr8hlwHoGz*7Q8c{g#WuYNmrjF=BH&Ip{KZau9LodftOq_9rx{*dWKIh zG$k77GiQBP)yaGg;xxX?6>nO!VxKN7FnX5DL2rA2d@y8By`)7;Au}0$VBXHh`MWN1 zUkc2eD*mKImENZ^G;?JO8H#Z&Y}OUke`pXATL-Q_T^A072EmmlqRoL5JKa?l_kl{j zySA*fRz?)qW+oI-8XxC)!N2bl*7pk{%TQ{1ArHv7K8Vf(A*-lDCVX0)JVvQF%rf^9 zFBpD?{}j3sdPB51)b1XAML=GxB~+U@7T%cVgZ0&N>;8iI9(&+ z10O>h7o)LH=;1m4ODpe>c0xAmMY84W0aRA(Y~`P`sI0YdHSBOqvGoxkTX&`4$fq~a z(Fm?6^RE6pI|q*jdfTiJ^{?Sq;OpRm7>HZ?0fVk|4}vaq4}*@$vn}HT_Wl*o@SF9; zfk%Z2Mq?h*q4=2%!B%1o*cPzs%1?$n(v6;nPt_+mjM5sx4D`x7K}9b}ln7*h(KxRI}qBb-+fME}MEnOG>5Oq~MG^zV6T2*;z`C0zE( z)gR(hF+yq#B}uD#%Sv^KNqLxH@=>Z(1L@_(F^3FeF8aN^NkPu;KYRXMBpm8lXV{x< zUo33a;0~FWK1GYNi}=bLvg)7jliXEYd;}z+u-$OeZ(FDtEJsF@8eE8=QElw zuTRzKye+u*I@_XchpZb5I!A>^2d{;B+MT?37mVptdD(Evvm7*M2_Dja<~KKiR|;TI zC^Tc2T`k!QXhWT#aVDF{AFAtnN4;WBBvBV2Kp21)wx<5TpCapfcR3q91a9K*C*5>1 z#TgX5@;d21sXIHwYd?tWO!pdT?~!YrcyxVF3$^NjRz7jkUcqCP5A{?gd$qhz!d06w z@%3UvB5f9?%BmoHK+{tGV(Kx`fgHK;1$X~bJlE$c*99M~`8m~7%t-msz0BCe*=^mGk$hJ5hCWH##$-Sa+~Cro|L=bX=zS6(7FpoG8mN z{QbP0NurTe28Kq^=bbPzBruw9vX`>Rt!r>Bj_g^i^Up`54L%P^+9Du#>2nwO^;>#Q zcT4T-s4F=kHF;{zcK9|P;<843>i{;pc;AiPU(TMm^+ZmTC^s`aPfSopR06P0e?={D zVhu%Hamc`OVxfOIY zsTlEg?^zAM&wPyp_kVEzpF4!0#D*Pbc`ZEKpKS^AjK1IpgwH9|Yz{()I(AC$PiXX&+hj(kYCQJx5GT+vutlgswm zM;Netg)B4f!V@0^@0{VV3FZdkzBX+GRbPR-Zo1v4_M|+B1#%pRP{7PWq1gz#A0C$H zFZAqY<#^)O9vW9G^TCNfI%mrbzAZdA_jFyagVzy@X10QOA&6KCMF!?|RejJSIU$_c`ahhIh8oGfoiwS>idzWUtS-tHvX@|?fAhIs62(@8?5b>4$Jw}3 z3yq|!_lBjq3~N+u^dt6;q9z}+Q2}hR~5Uh+xomCEMG0Kdg zd=NO8HDKlIrE@3E@&AXQ(?Zl)(Mt7rlR=`DHrUmtOjjdyUYeZ<6K{BKsnUdYR1%pWO8j*!(YXQ#c^?#{ovR$@a|)}kfZ zV@dKNQLYj#)=m^9g?_PX4@SeNIiTo1X#|e2%uyddItDLQu$8E#`pmGYG3phwuKfx> z3ZW(%Jp$xa#Zp3oW!nV(&9G+kLRE4hW3N{pPzT{5#c@ZMH^DFqZsbFyT~4l}3BgqpcA 
zS}adHZKtd`6W!FpH_nXP|D|5U;p$>BR=&5&OXe4B(C)J?WyJZ7W!WWx=N)@D`@H4C zHDT=OrpabqarH|?SP56hOk1$2#{_|SJF-X%ET;C(FL3Haix_n!=KApGKr3nv4RP|P|oKwR-SqnF>;}#Ji`?-8_=FhyKkL@ zJC_$B_P@;5zUp=){pgwk!>BsDsMYY^rK%VQRl#0wakjw(I}i!8q&t#lrPAh=0eD)i z$SqWP50pUjauTZtYSKyf=AGE}u0UQ?_9&GOj7d$xUsq?(6G;|zT-u`9xkzHWXN2JiwY52K zRBS@=sjb0ykLe_x!c(Zv$a?efRL zths5*`^5rH$Z7dHso?_ffJ=42B96B5E-7)iHr#;4Gq=JvuS%lD1nn0-rGGFToNT|; zRc)UJGg1|-j3*a-u~mV|t1b0O9B?XiZgMP`kl;c%;PDfme!D$(AZa@_mnvFdzrNFG zuKp(c_kl@MAF39}%(mDz_vY*zp|BXRL7u9^m)+LDDm#H84CZ$-H@%hIb&LC)V(utQYCdT z%^1x>Z*$txsdWxKE~-QE_v%BEolOPxt{loK|4IhJ#BBb`&T76OPsPt6QzPC=5w;go zQ=#mb`f=-#s>|od8;WRgL;q(J6BSd5;nSSnSYpk<4XoZD2QejH$7FYDYFxP|i!p?*1+76^f02DlkW2GNOs>4* z_=Z2KvhF~!us!9S)<>UNSdP=O?!5e5Rq+mseK|9gMt71oa~jXM@^^c@yP3T2Y{AR6 zT8liCdE&k>ja1~*Ql{4;unX(ve11C6M?RgapQ?JKeWbinfX{2YgHYzp?jd@ttiS?LOFiQ9!=6_XzNG1kb0RrrH z*01b<>mUUXm0~AiT`6CG)>q%i<1AlsmQ*ZjO+)LP+Vu@vsjwCQGV4|H;a1c)A$b-D z7T`Lr?eS@U?igwG)V5F`q0%K$`_dLr+Rn(Jue-S``$Asvt)T5EIF4z;T1Yt>t_MYs zG^O1cdG{VpWeum>9~Gc;@GlOM*A>C$zrNOniYLSBy($Sfh|M5KbaE=#leDPpLCpFu zP+*@4i~R<&pKl=h`3O1lWLnuWc_7n;E>9Zb;*s2>7F=m{iCIMM5PV$zGgI|JbNDul zSy3q{2CrE?ZhZ`)wUQz6chEw?Wmh^E6S@*msA^L;g1GPy!uH8~2*NMf$}CsijkM;IryiSsxvv)OHoFNg_*R?88k^WA#xS|n>GzNCW9{URf8r+oycgkYOvz4els(G zTvj(rv?{BL4LHd$Md7F(zLCaaDqFG#Kk*fmg}fUDBq|Oe*tZH{suYum@iKbreqXFn zaqTnlymHI%VSwU|igszXp zf9*x-S4Wf18=K!=o0f@Wv%`0iBK{{Gv-vp8a4@gKZ?~ zYzJXV4Gqdfyn5;jeyj)Qx9P61<@E)Qv&)En{TUI1Lj*B@HNxb27z}ha80c&>4$#@! 
z3jM@73Z0aV$@eugh8IBxPm%N}xj2jPf~ShYH>+XF6Ypjn6S1-#_M zWSigbb(oZ&=yXv!i(I~o#l&b2h&GV+gy>s3x*SJ;C$XmVL-BVHn z3z%x5ivt4jvnvf^f2;8>+ez4!qgH`Z3+Wj9o^x8zxB{eE&Lw(Mp!sNA$&TUjogKEh zh2VCT^nV%Ov@`deuq%6DSV7*zWh(Ihn7ZnyDBGtk-5@EQ(%s!s(%oH3gVHVC-6bI1 zAh2|IN!QX1(%s*RzZbv1I0qii&NKJi6W3fbI|$`b=luk+;4*AZ`XrHot~lEIOkYQ^ zXp7R+u{m5)U_U@UFr#dNnIXMpqmdk?GY%VL&r3Sp$4#oei24$5q)mX4yBkg)vMR|M z_1;Q2Mzf$oN9e?c2!g@SS*HE&;}0mpUE@j z)O(nYsvmCX2^W*y-~tz@gRjg$&=b~%oG_6y{GGqD0wuR`bew;HaC#NpB`XCQs!LUp z$VW8RF#7`H*U+cI=Kz1l=?JehzO5<4)|%Win+!Q{?OS#8&FI8&kxjwYPH^i>o3+Udt_Nin!h$vNDyj=*p2=A<}bhN{ESTU*b<(`wY`o4z#V_5BUPzNV#Ypz5O9R8YK|~p6Td@MvU7m-VjkQ1KQ4VcDd(XYN z5FR!%HkLC45BfGN4e*_sN861z%hSdXM)DFveTykwS}PZEcGc~l2sTyU{VpuBu4z1DKd2l_GXV^G)|Cx%#;kKmw#iF zV<`U7daKOqE!pktPXalWBq_19S*VE_mu!YP=XGBzzCnM=OR%&kG+}|Sp+h>zlL}XE zHP&r)v?Q+2Kq=g={$h&w{r2lh@BKPaM{8ARF{>C#cbcTnF`biZYvIH_W6l#>7MI;;2ArNRQ+V9+;Bph%v#0DmSQ)Yt(*Q#3F(cT>?) z+^~}ca)~{}NyrGwM^&W*O8GQABEo%KVrCeCz1RF`G=U5|MZhmDRiNlo&7d%Qs|t7d z?jL==ts-8$RM)*1%|)%~tFO5W*wOOXpiO?4ex_}MoR=<@&W?v+DhT|M0RR5E%*$rh z?mOR?@yq5cb9f<7e;g>-(unUbK1byZ!QA&ZxGYrd+!v3mjyZJD^UfN{!f0i~NGZiJ z(Bu=v6Y21*?GfK!Pgv0>29*s^gc={pQSs)(Mi^#$D>}->eLIHF{(}t)=7F<(WF!B= zkg(@_p5dpq;G{hOqr~|meujM#<#ZM|kM=#^Ur%EW+`(BD81p%C-RILpJhBir8xBuU z++|j+LHw9V9^y*D4#z!OZ6jUVMy%o!tLZ_oLa)1e0rzcnPldd5 zy(}V8KdnL{;U8f2p-Mz1a=4`ukMit&q z#L)5cs2BRGnc}N>l3o3DxWFm8k78*_&^f0)69y|GFx98baZpu?LOs5ICH9^S96x@w z@p*b>S&6g;G@Sy!ue{%NMojNQE{{WOaE8KG|6UCZkSC$su^&SlhX=BLZ2bXBtFFTT zORL5{`M8Tibg~vRdawW}dpkpe=+G61Rf-r3FUX^n1i+4P#9q6_YTcwX zw2l{+^bjwf@8aqZCXAo}*YS6BUm6V#`Ndx9XNJ|~$v4-T(DBz_0l0(hmz|xxVLuq! zKY)jx3ejhNfHc!>Zz*^+nDKy^YmmWQ|1lT@kij^v;X=^d3RH4Kj34Q-xm|e!*UcaG z44)OJ0y`9HrRB)G_qsTO9H)1{{dn`V@bAvStN2mQkXXF;S#*P;SL;;wMTbB8)LLV{ zVEec}i)s+SI^4H)s@4|91`-B_ot}win*Azb1XP8SH{0QgU^d$SGy@%ORnj4AT>{b! 
z5+KIIQEbPG1l-otihDht$R}Xi$IDNVzh;otUT!ZM zu5%?cz>l36zjT48yIrDPL@-1H*Ssa>yFWZHDH{XUl|=BwtFB(H(3yR#ceThP@hbQ^D>s&P@IJ7gzE@5DrH z*Vv_3jzheAUr@f7q5Bo*Yw!Gt(_)2atGt*a+j6l3#9^Z+wBUMZmuQSm2G~)4p5E_t z5zVI0FITff0g%QaX%|2m9<>nKzWOsZfIJFkEH<{tfkc7+y<`kEjE%=@^bZk<2#@NJ zjfetiG@vo&^z?rkCC^!cX(*)fsRutBi(J`R`V_Xt_HH~ZL_bVEX{k^cHi{Rwh;R&b zd13r-lc{qfQXDA-R-Ox2RIkT0U8NL}3uD)cB@w=1lWNJIGC^{%T0D~3UV`j3*ux4s zut9S=vVnpY-fU~pxAw@9NVCA zym|tqrS#nT+QYvrnu}iRAY7L5v`T`&Xh&p+(GE>;1lkxDJvRYm_pq)29@ZB7MUwwM zG-Hw%e;&CjZ2=kNk1z6Z(Jxxp=TS^Hlo=kIlNnc~#N2KWZn(o&><$iTt&ocyfU%2` z5zDIeUMA6pIgICy&9x^pIGqG($hv7iC-Q`)PbY+*7Hl)lNpIB3trxacWT#4Tc8GRm zSo`Y(EyX`stGpB!d1fF+)(D7^#X3q7X9kHMiG!WaTB-2Zb{kjB60-gSXLr zbjPM%z0+RL5ZsA;wA_>wv9BderR|sdMRx5M)WZ=FZ2!=k5k_*Pg9x{igOG%~_R+Yo zoGsA7DcUr%Z)#@Ku4`b}7TEBw|K}Bz9=0Z%5eBjfFMZ|M`=?ZM!RQG6p5r0>Fpt3# z@4fW+Ecsbk+ALmmBi-5t2x3=N{Dx#X(DR56vbNV}K(U;P@%L%%Hc@|3KkSQ_O6yJN#~h3gf>!p)7IVDu>rq2O)_ zINAE(^CPUPVc;o_A;r;dE@1@gxdwm|@pEZVZK*s=))RP%4YLDF= z?ylOiufb-crKX6MdOa@+91D77mzYI9c&y1jdVrK_rl(B&Kcz5zcH7Ko3--5{3QeSv{k!;+z;u8dd#aaqo+bI#^BQk({rx{{xo& zkIBsSU6jplV&Q#Z@eP1qb&GDzvOJC8;YAI1MR3Rnel6D3v>*+2v#;a?)AVe zH{JAt@7D^SMot$NP=a2X+IkyafVbCO0scgz(wiPj2h!H5?+9ld@nALX;p;uVpLRAbtp!dyLbkm%IW9D_?K`Uho*Ws{Fxurb`YltmkC$4cTtcL4tM1hxq zuji~4rDMA$t7{87XD#LO`U(RMPJ!E}R7$~L5j$2)Nqia?WM9Z|_*~RFest0%pgZsU z&TQ-|hHiTlvS4+!m&coi^B@~p7!Q0gwEgu+4y2SqX;pbA2*n^Tns?K7%rg;NxV$l6 zj@aNgehwEG!wuKsivY)81=yL25Ra_e&5z`uS)g+)>aCe-Ssy_8x`DH=WF3@o{Lvgm zP`VKT&yWW7m^;OHrArK>VQ^-^QJ%zr6-lYJtF51$tJ>UaxrVh^IYYdNP!n(b*B?AU z%8_7B$Po#r&FUU~=CcdAP#i`%V)h zc8UEx&NNy2^vo6OPfk$YU5#6xB?fq;BmHe|9|y>W31Q3~G&bC2r}KL}rIF@8$?h@q zuLM2w&(fyJ?lr$E-{XKRZQ8^*;{$SF_p)=t));tQ(8zFWZ*(9#VTP9SX@c`_sn(0y zo9&bH#^9BOX?TjovexQQ82}mZgE+sJSuMWiV*jr{Xzq{(P#kNGqdK@U#uPX-NYVdZ zELV$#qf|pJPhtD#x*qy$Oq333h#elz>&s*FR>z2O*2aKd9!HwPi{7|`IngkpFPwax z2&V*HO(Yh(YLRGf0beZww8kf_t-{d)1nk4*^04;lTdHIKy<=fbouoiaEYxx)22w`4 z8XqWjl^Q9s4yCbkO|==R0o^g%Xq8&jBlv%o?k!PXxtm|kL<8zX-{-LYFq(b$^SEbr 
zg)?7&{@SF!wdg!(b!?PqDPP+$s_eA>ITMk+N&3l$gNQZtYvdvFpsC)v`4z|QCcfB_;0mD zHc1Y0HKav?RA`Gir0LJZDAUpO6MUN3EGjLIUa?(mK1f`WMz!7xPCxQ zW@6-n=zDz4lMNe=*HY!vVE+h6&=HWJ;~1oymTX(NO+bhR4?Z!#_hlC6Wp9t`r{(#d zcwjD!lxeEh>mHlOTXfzl9L=~Bd?8)|V06#V$evg8<$LO|o@vGjB~M|vH zSIBew#RF!#;aXy%#2P|(6`q94#y8iEv!42swXf)(YK6YX9w9wY27{8$&Zg&pr3@{R zBRZ@uhBg@E>c+AnMo6L2@OLV8r1q-9e*{vI(-29Jph^eG^TvwI88 zHzs?~Kf=<>FP{M|URpXC3nyO={{br?Gb(*$1DfwYmGQibbTMfUv$bf?&C!H~!92t4 z6b>Nu_p=Z%pUhpzWRX9gO!NKR734&o{(|K^D0>_{+g+K;aFE}T2P~%uv8^_T+4Dmgc=Oj-QC(_&hK6=oFuXHQY3I<~YT>lZ4eEj=mu- zu+RD(-FI%G|8E9`*&gA+Y_k~#N2Wg=OpLr*Nb>Oq{LP>5O$x<9@nnSmpy66Rul5%7 zfB$JKwXnUv|J}+|zl2zgA{a~8Vh@d-Y-S_O&sz5AegDS@M?&4MY@`6;t z3qBLc#zT_I4UwUobS|oUYF9-FMv*cphRwaBa%fWzpg+ z*2VCu+UviSk4|4p5c3g#INWje&KDBEu?YNLaDXYXh9;*#SR9>2F;C(CM6>qWjb+hS z1=@LT@`u~*^Z&@1x68O9By7+_{K>5R$g@K-<00d?4%aqNUaakUouhTSW;WXAShE#- z3}cGwzlPiEuoG3Togsemqh19Kc1%I6X$9{=)T+MOnH-5w48b<%{7b#J zL#p*PUC-_ff05|NI8l+-(j{oLBTq3p1ZEq{AIs>ixK(xRFBO8?Cp&H9@I_qX&Y4|x z$AoFk-u>!gjsC3*Qt8y-kRQl7Di+A{!%$z0fiwR~lWd%M+>Nva5VMX$#5jxdIMYfd z1i{+mN9Kt=eS$nal@kwrOX^!61mB9fZ?lXF=Z*0rk>)W>afK3haJGfKS1NV0+Y~tF zRB4py)=l?0Ou@kN*`?X+hi%}kS$G<05lUc*Z!Im_OVwoI(?n_vVveJi_ZNReCyd7| z$?1k+KhfL{OU=V%bj9h@`<+??*$trmM=%6MFtJ`0+`2A{l`C%J(Lm}N?6)0W0>4+I zk+NGnH{7e4#oVhc7@gFUEpCaTvA)!+OTZ}Do=GE2*`({%^H9|da(Cd}rs+r-`T*0M z`-;T5J@o31lb>qNyT+czK)%ONf%*K+fcN_=JtGIgoNXLCd;6vsQW6!TZ?+z^NAZ<> zMM!UN#GTJ*G3AyxBId3*+c$qe$O$o@wl76ZxwrRpEj<0Lm`>XdqnK^H!{P3YcU?nt zGC!1}e(vgQr^k7xB<@jPp2H%i{H{u+5AgVp)ws@FE!eA4UauYkgKDM6_Zx2|E`s{> zdq%_*`jNZn&-Fv0k@`_d9-rzlk4J~ivf}B*V&L`Q3Y~X~b|qV>o?B#zWYigNoOB4% z=9mO*#3D`+!-jud9qZqE@fRS2x%V)f+0gvrfVi-Q#n3*nzgBq0q;yzh&YKRZ0yt5j zWWwRIi1S(~i|oc^Fz3_RRFJZvT4nyaiZ~wVJ#JcBmN8w(mFyu@){Jb$q|3={(kktZ z+*E6ARlNrUnn1*68!xxn-+{F-&e58~Kf1}7AM^x=FJcuTZ+xiZp#LjOKj5>XC-0glKcOyFm)DZy-Enk@d;vJFGC==0D}VYP%WP_t=;V3x?D6#T zioT1$V>dB|vmBW^*qPak zY;g$yrB&)fj?%SM=#wMv4tXw(N|LXr4}iaY2QgApmgdTlM%@m|bgJN3CE zx}CQVU!Egp*=IaV*q2kzaJ+D+H63(eIP7#qq06&GR|HwVkTEj&`P=Kc(S_5FRu}pY 
z_)=o}xL2j6B1yv8i2lO}W+gbf{p~VZA`d=Px|T0;f}~W|sh5M5tbLe`Hedj%IglTFtS>SeF}^$2u#bSO$BEUyK^!ZK z2z=4p7Pk$Xj9spw2sTn$p_~x|Un0P8urogdn^Afcw_-g6e=P3j@GxIrMBr=oxOUtB zDOut3j$Y3fQVj+*dd5Y}MBm?ySJ&!w-a?B}K~86=gS{{qhw5w3v885$dz_R(kBXG( z`%)_UYKJ!7lu7W`mym%Q9k{Tr-`vkh9DRv92z*p*#{)c!tie9~$;asP>=6vUX}>}5 z1Wyk6f##UOEDvx<9TkJqlm_2+iwLd>hSB^a*PgYCCG_8UrYg9ZfXPsC&XrKfLXuH? zs@~tzE((4>?2D%$WY!vkD0`l-ZF;wpC8AW|e;{z+*|cT=q1WapVB4dvkzRk$__#1* zC#%4CGA*om-@G=h7q#|C?#CH>rtjJ`k^1J#jocybuC*uYfjuwrrLWzLb{g2m)7W`;e%~SHn)fqFj~UvnDyMrQu-AvIYR@+CMhH~vkVnaIBHT9 z9MBC9CMRU7SM~15Vwrnwn3)~he$zhtmrY*BkTYgmWVMDKfrLAH6;8&PZC6>Y)L&6;^We2RG zyp~p4tSk@Y^=uD{9g<}Y#gC5(heW@wjLS#}PhoV>l@NSFE4r_>FGl_3L@3PB4)wAQ zkV*v$i{~pDzpF^>LHtI(Fn4Q=fJYMZt<%0Wl`O*THu7{~F#VzsvN1r04dN#X4_q^de zd9B$$Ac{k`ZYDwt&|p(Tzp9!JTBWsb#0(10x7iOo{c+(92Q0@~n`#pnT9@n_dYr}a zqqP8YcYtBk1A}?*7t5i)XH6ZheT4?B2Ay?Fe#qvt3!SuRgH!NQvS|#J=6t+nLZWbb zcfU)d_SL_mUW+khY{)Z>g6Gh7*bMExo@MhA!i!3g?mkXI`0*fLb(k(#7o_WrWKJG5 z`B*eDn>?s+f*@}51m2s802hvTS;(+XR#~fv@{&7T^hCIUfaxTr{XDN|HJj*am3X`7 z-T=f-$L`Ky*%CU$$3fAnYx`WnSFm80mt`MxLi>sx+k2KPH&3a(AZR+p&$W8%^AS>$ z3#NXQ+4z{pZZ7Bk%G2*{zq_7_7VDn3S+%~U-4(v`vka-t`zyKD zH|;w%lL@rWiKJV--|(}h_Nf7M7e5kBLZZDdb9gWuu~ZmXFx%-p|MP!e%gOipCz6&Y zCM2NJrekSwSM(=uz^wUF;T28=uW7#)XbU=7oH5K8t>A@CO|=v_cs4GVIQUp4sK3#4 z&JsKeFWO8BlwVZ--!-Lc01>tU#Uv2wVG#s}CgbuEs(GwfZ$%?Vtu4A$9t>tbY-zYdQoOU{)Q5dfX%L!r zSvVFPIbBq%`d3L0ePwRcHq+8@C3;gTeBm@5#l1n+H-n~pSG03sV-K+~ddYcaPaA6d zukQH7+hkhW_VaY^w~_Oe*3(D!h(DPAGhKL%SMk#QIHLa6Q3&hT52{icZ|ZH0%H-`= z2yS_qL_IB62wotvqNw{LC7^Q>T5D5dyx*4@6*}5%k)TD$@S$wn;Y((e52K`UycIE6FAs6Oi18vrJ-aCQDz-XPj-iIfq12;I1bD5> ziC7KVF?6iwMH6M2y3$$9e(vD#(#~^+-vN*!_qhZp>p42IUwR%l062yoSvzXOZ_>HM zs|ww;XKBd+ia4y9s$kMB6FZ7jNh_T?leC~mUS%P9>W2i$0{KUloBzpjTEsa~w&+>k z^2HA7yTx-c`}J<%2q@f5?%H;Zrl<7$QWm_r-GIS4mgnzU{*kPrs4JRWbwdhuV3Ut@oy2mTDRlq+I!>Kk`^cA9=}}{1 zTp3#OTqEJlGO^PVHr29^7*R}H?W5R<81JPfm!GG}A#Cb%c_PQ~N=KYtV3IsOn>uOx z8r_e{hd`eA=18t{+ImC7PH8o_{ni%sbI@|jU+nj$pb7ndS9>sO*lCY`#7U)cR^jR8 
zBLWmM>(&+J6--;@=R4Ol%2s-b=55s)ll!UlZR#0#Tgy~&%ak3Dc_lM1Rb>${CKxGa zWba+(Ml~!)?_K0P_MHvPe%5pB|25q^fTFx8#Xh=tOQ{rY=7~&oYmvqrAX|sNzejY& zgj6=C8@-m>+A9?A@?Wrcj8SB4$y1Dizrx*Lp_zKz%6_{)Ie%41>G3JZ{Z>1HykfIt zW5!EJ=fSEF#96vTo6ej9iv2C(N`>#X}om$_-7kLF#u+6l)mb65-E{Ix^Pj$3uN z4UKhZEX%Fep;&a+L$Jna4`j*s*~c1pc*veSBGBNV+}t@4Ms{CZZ*c#YyrxEj0PSP3 zkzn)?4O5Qo>D(1b3u5{E&Vl2J^P{<}mOj zR}DSlw}{SrF~{IUTdbB@pb!t5%cFi{(>Y{^t|y*+vY(Imm?}{!g)Wc0rr6GcDh0J_ zuPp6)A~M$Om$XLlinygxwfFlcElv1KK)FYN1OJ{I)c3gE82LGYGsk;d=5jCRkEUSC z_fE5AatR$%rq2GEfZE7?C;>ig?Sq#_2shN2ouzJ|_5n+$mU@Hg`j-k5QdrBv6zYQ2 zqBItLe+P;qRZ^K@*DowUt$!x`6j|yxPhaK;GU1c!zb1T=#IdX>zdLp)$7``-o2~0m zSkGTN`?&5YnJhRpxxDxJUX!ML{KMm@>-u8j{@u9FeP_ECvcV-W$4$GrKkj`&0ODES81kJf*gb2NtCo^|&9@AJdIJ#))XKEXhcMWHQc}gNg+O@YScs(NSvU zT|Vb8BRZogWf3GHSyGa`j5eD>IHQ>X;+V+N{q<5^^)S`w5JU=-`;-%*am=f<8&by7 zK0=yN8V2&hy#frRcx04@PSTVlAaky^FL}{LB2tcL)p6a!_|z4|{FPq6X>ZL#UzN^9 z%FUev-_rSZB}|ggb2P6x{S^}{S1Op>sC+$n{GI_y*xRDFwb4Z7PYlkKq;CQ8(GR*Q znz9=AkT0waT2z2MQPX=2-t4tCROzP7JoB2zW74-Sh*q$C_f4$2CXxarU)Nn=?^sYh>RH29sWgLe-L#(u`7S#)+)l&q_f_Q7*r7B^k@1M{90k^+ z2tV-l!1Yql8BZ_7`ynbKoS{y?=lSL+Om(|Y>vwNd;$*UY#WGK>*!(yFxnPg3;H@u_ zb)L^rHt^=H_*DMB>4v)9PJB?yV6?`pHRG4LsH=csX+scoti_g~3*kQDq0Z|-rfrQ# zl~+2uOE+a+wOpq7a?-19{&CFtSnZqbtZmk%wkK^t(_>qU`_X>a$KT5x4ym>G!N9ACJ>Db9knC95)HfBR)(a zb7XA(oGel+bI2~P9;cbd7^b8h_aabHTly52@wK_$CM!Qb9=)%Alqe&<_bK=IYOyZ% zH$Qn69s}U;NF0u#wnn_Dp-BE0Oh)6!!<4<&k+0!HdFPzBo2MmDWeT}L9)+jWU1UzV zw!fQeagAnZ4rfkzUAJqoGpW3-RHF!spy2_8!4Yq+f^j&V+>? zt6_UxM~GMUB0COD$B-m2h^}ulMWN%OS3Vf-nbU=^7TthF;W%%-iN2$*s3wji8#eK| z_xSG$@5-DiUvHiV2(Cz;4k&yHmFIXWR2~EO^j3msJeQJ9HQ3}tdNX^m<7?%C|K><2 z*6{iJ@yONafcMkhV@B@8-SVaM<=9d&`w_jz_mwuSD)l?VinUI0T0hoC8uz@zCg;`NzoI^)=Blespy&mB&;d4kX6)b2! 
zL`Tp<*MZhlfyaQmOXWj}N8r9|Ry8)oynZN<#YNLXOs=~w#J{4K zgoNtyVZI@)2p%q3@qKa>_)`5tk^t0Dp43RM5eP28538i4^ z)!=ZelL7K$LdEL5DCGGYj%TxBh`9n#-HaRv-21G-PQ|*J`%bP+^Ubj-+gyehz`M#5 zw&j4OVGz>}aUm;U5t@7b!}-R{tHeLC&|l6NOaQ1H;J`HKMljB49#>wN!8%0Lu% zzycMce{rER-!$IxEGT8K8SQxXn5SHJjuHt_fEYXNN=K0|AXoS1s>EXn4HrD4)*heV zQ6npTI63K<=9n$!{qC1?IRY^~<-jCrOZchZiHS^0zqNS03x^lWyy%kaiY46gyLCTR zpq_s+Xz-b7RT%%Y&80_B-UvY}VL=i^* z?oaHwbC?am1HBxepE#idy}623*Z_k_3&MtA1-nG1GWH)F`UWuS2KL@08^x%K^u%{s z(0z^_8JW7g3UmqlHVqHngYzvbPP7H`U-_&Mg*DG}_q{oBy$I)aWq|edmA!7INm4cp} zA@7H9yh@A?cy|cK6cd`#uUr;W=88!+L|WANUdue5N=4~$Y3l!tS!>~j|BP>xKZU1n zAzfshznNr)O4a17=)d;Zt2s`O@p-zHHBO z5c-f^aGB`%hk$jvjWX{TxYO)C8!F4fQL@(dd+9U%V}s>o=$||&gIIi<)ooL#FyDF6y_&ZhcEvGsfiA~ zjB%-odnLow@T@6=w}jt|I1UYc)@6{Ge)2sH&UG>LzF|PPdHE1H;S87#GUCBRY4=L$pd*Mr z#;c`e&u_3nt7UIt?dD5#^xnNXZ{ML@(e1Xv;Pjc))E$#xurlX@GIcB>)VqtJ+lSLhs3UaJ zL5WAp(#ZWfZ2*9V(vFt>`p_E3vrKZwembG@Q&5sYqS(bY_IwyOTvZEq;Ps!iG;qSU zkpv{@Z6RsKj^6FNptJ2)Hs3ywbgt zp?;ngEODCl=}F5=KS3wci#zEwEto}zE{LBA$F5SVcKs(wUq)Nml{e$9T=V_n#?x`+ z?$#U4)ST;|{gK0pz^i<$mkE99$mJ;>5sFY{oGs~k2Xts_6#P1Wn5f~D-7HcnCx>6PR2oxW3(zGhRbD>7%a5)+tBw$c>Dqcfemjh>#+$W)monX^m{XJZBm-AbKo=)}8qGFb9sl zc-4)r^UUJ9jFVkd{vDZY?CuQgPYp-6R|h6E>AbC?Zy^S99te4(RBTQ(AV9;(|n(pdr$=KJ8n z@;h1L+fPvk1o07j1WRKl+PY!l7;XYlNUm=#+L2wXW&VPC6Cz0(Kl7*)Jw~z2F z=%-XH$|3u3EcywMPZI@WF)6`JG|=O-KGi65xqwMDznow|YewC7wg&6jqW!6ACf(vi5Q~bMi z3YO1d&Fx(Sy}qyk>2irJMKh&nF$Q7UJO-gjxTZPSZRFG_u02^4Jj>|t0_C}V=sIUX zEE~+q8x=cc1P1^gIq`M3^X#hAerkId&q2@-1WgJU{!U3f-JJ)fCo`8ZMV{2Vv0C3< z{&J+5eC3zMj|D{P@*`}@Pv4UOXie-UQ(YFuZ^pHaXE^e4fv%)wd{Id@i7D4We&D;% zSJJFC_N_=um`8TSFKE)t2o4?W2|D;$Z1I7lFKAFTgbE>B?!tcOHAk9TR=+~@4W^MK ztOV1Cw*@m-+SqFFWH;rmpv>!Q1^<%We~Y6xfDE+>ZtQ!%2jf7sznCnY#MAo{O@)zr^=1Mj3vJwiX{X(-9sRKbiM%NS(DIsWvuW4qw~ z*k+;xD0ZWl{c2V&ee?U+f22Q|!rt}jbHQ@zvlUo3IyQ|l#}i4muvYncBJM-2xx z({cktn&-H|XG33|1atdofTBC;Yu{&%zq;9#v#we3)M`$4OImQDGl;r0Wm{$D zLNir=(=#obd;IA!`gk{+S-$RetA-5vpdI*+?m zTYL2{S=AW`zO#nK6;;{JUKAW#i8d^+%dI|E9G}qoNhAGEO0BU-oxPW4h^I2<7yyMF 
z@OR_tF&RR-voQibX4E>z_=EWZx@f?6jtz#&mK1JTHvjBa*z1FsbHty$Ci`wbEUYp|4 zoJm85d~ljrW|=0g(edR&eoP_5e;#@Tm9sDVueO)wuEcwCKgqJS`OnO1F7>~2h#86q z1;>9b7!58MCM_U$OPW^I`fto6pJG1>#ZPP7gBy7bZbV z^FiSza3d4MqsEqVSpa^&cqok2z%kF$353C+jT0~L>0*hnBs3E?kVyjtf1F771%>}D zY!f*9>B@QaQ}L845Pifu@L-UsA!y#RNnn>+5Eviub&qE6$3ueX%;tv+9ps$mESR); zZ{H2s>bCxo(gFwH68OTwJtwvToTC-F6U3w*T2*DvrYOt+?T5IkfFHFZTZsA0G3cf@dYSoL41^r?BG6BNfJM zm>EWFx7B7ivbBWR^e}q@rgKl)oKx^TrP`7ktuY7}ZvB`iNIJipb&-}FpO(t*e_TL3 z%OlU!5cxURrj#vS4E@M5Cl&T;0!ZG>FmU~ukTi4e%~hmSGDIdP=IEp+r~ z&K9O#bICp5z78T$o`8FGIi^}mGBQwJ<%J$tP3t=OZvuED-PqjPx3%3jUhq|Edm!G< z#xhsdS?{!$ZZE0nXO)5Rm2;(DvNj_Jr?=;or*U*bRFUo*|G@au7*5cKbAmoxG5wPO zgK^=6!k|4G<<{f-x}(OkheLmm+voX9TMuWM~5WBE^9w6 zcxEN%Dy788dbR7HMBUInnhqm^RyuRPOpQ6*g_z|+LBlBr!b8n|w^ebY~Qo(|z1+q=oc}4ZwEdXh(&)P-6uq)2^C!V=x z*91>|coa=mUPMwA6{_McRJIN$o7vF@$3IBi&fBC5Bu5uW4q!pJWyRLh*6HwOTYoTU zqi|^Te5u|hhSB2Tb&2srs+xy$Y?}aIQZz*=H_jD@Cqbi)b=}e(fH~@+*vt%PW`^%Y zVJuIfQ@$%BEYMw?GE`2b+9mVQ32eXmkbDFT-&}Z9SQQf+BgucnYSbJaq@%)N%mthc z4$?>1o;wrF719F0-v0GQAJoO6g`Rt%g=h%#Xg{2*9}I%zYIN|0`b9_nl}6YzWT*0Y z)fn;m;67vEs4@#ys%iN!J55wi{f#<7P?vb2dZlP2F6iq9B)ybbtBnrfUWT#CN>?+5 zh^`^;{3$Exaw&q>W1-k>HInVJPGw*dd*S5yXX%F)tSC<*DxFew zDnGT&qCK6tn04wKK(nD|4(}AmkvJJmR~Fd7EQUnOJmGmOhA;0M_co$8UE)dpc)&a} zMJhm^hCf3@VHf(D0?WZRTvX!$#Fg~YXZ=}U2mLZ2ns^0Z|J7IKD`1Eu)5U_|s##6t zSIV8oa#sL{u(?hWS;Hh3Fu!}eG4qez^UKQw>B80u>Bl;flvjoz54Xe-;k_R?_iovm z*RndDBNJuIlqGBON$juL-h*YH<)+L6%%k@^@GHvr{r*z1*pF~Pn?Yv%%`1z$B$p1P)`t_& zZ(&*18_4IvS?WV;24$n;#DJ{-nizUfe11<6{C+BY(t7BMJFeC%Hy~s$F*uj<=C_?! 
zimk#dIXBicZu#BA$=G@lks)}+#P%U_-h*(hwTn!D#l#7sV_o1N<^53xPo_U1DY_@n zMbhgDN3)WH@b4rqmfc2npiH$8Hj1ubWDC`$Ce9Qgg7R%vsoY1k9=>y>BQ-vz6|gh= zjekRjLn2HpgwUKEgi5EsO?*RnXc5%eyuPoDsUVG7@Z;q9!gEXdm4CTlDnFX~NoyxZ zz<6W1Um`0|3;xNuxK2Uv_&5r;VLwX~brkgNq_8T2<`^WEPB<^pD4~K@Op$`N_QLM` zx*iLUW0C}9u?U{#k=nHx3%cm z94AN|l)5bm_GTjZAkQP|!`7>B&qH%XA6xmif-dmJxhKasz)7foKc_w?o7l$ zKgaaE=0L=2uheSL_SK8!FWf_eRHv4NCa9deUf@9fe`m5E3H0lTSn^Y89;0mydSpIy z4M3taIBvPQyYIcAz0W*aXO2y2m^ED_%ZhYJD*lR0p0u#t!%aYWz2_+4ywY9gf>ttp zLw;Cn-6VXp2Ltep-tPehTUisoTxj~TQxA7An@t2*vMk!5O`Z@PirKvg{21DIAE)1! zqUAVr;Z9hmpe#WE`~NlLw4%a2IwB%GRQT|;&`B5po6-T_3q4&s`B}R{t{(64mpk55 zdmh6F@;ALqSPD*iS|#-9TNjR)TG6hO@6 z3%oeM{WmuI2zJW)Ldkc<#1Vtyay?z8G0##H$$5l74p1F616AW8Nmy9>WM4TnY~#K$ zMT~%|qNq^wT!;_-(qDaGh4{I$=Jx*8U<4v{&w!XC42cpL1B#N?d- znw86YygsttTX3!EcPcx5G9JK12}hgAo0;XmqM#AUH@#aeZ}PEQ>QQZf{D6F~m)H;I zL!?e;i90$0Ky}=l#*wgrfdL%+<7IRcH5`4zYdR`);pnCm$&o!C$j4Z-=66=#)C%q&sx8kbi&d5Ik{4 z4RRq?Ga(qPZqbFO`k2~NB(2EeC+NVg$i{4O9tHg4zF11=0aknUxM-I7EI;?*bZXrf z2BP0Q4@? z;dYb*&*~{kGpo{(li*+ke~_==_|u(O}0dck+0oa*Db=Hyu~l%C)iz zV)0MymMC-#BwuxX-_jrBb(iyWU)26H!1FRUb7{Yr7AP}CX=UqRL;$UbUKJe_t>C9# z8txG_U9}USiZe}JXCAn?{4a@mj5(wSR2@cya>{%1U=oNtTBcjSBwwcf%cx!~sWl{qFPe_woA&&$Gv~ z?`LObXJ0crJF`3W+Y15&J+HKG26}#>{!!^10K$)c(sk)fFz;9*)ygL`)8a@V;j7XR z$)s+q_x>ZMt-jHZ#GG;I>{T*x>Dup8IkUJ+XgmSIddmrcie=0y!t)g)mXwH)w*Qqb zZehr6*B|$7^DwP2H<$DsfkzV-(r)~J1(WYKemc2(+Bq~yhxFAmPj+^vkXR2z%P(xC z?}n2ASc}Z^hL|GGo!!rS{hleXYndo2uqb-`zPTVE@e8x~;5wb?o+qSQ;EGBi|J$(F z{II>`%TGrD|Etja=(*(8HxwZ&Q*!}a&7&A_n)Ro}%8sLGu^aX+ZvOuYOBg~kw7SU_kOuM*|<)(!*mU@ zlgu{SzZA_%%F}#Wk)vYjr~Z8N-H7E;DyekC0DgtwLDOUuG4&&BHqcc{?jNeO`+*K*4z6b? 
z>FJxyoNPD$D_*l~l9%)iV(ZRr|SL|8sX=I;Mr=@E>joOJF?L`dI z=@i>@u0B-gu2ci)8!?YtA<$*|w%+|6he8g^wjMSnq5bgbONp(zwOzXVTslWBH7G?O(y0YA{YZ7Q;Sd`bY+bM1|cEQJ|28S4os}Dxx z-uIfSgu9KmB);XH9Q&cfw@T8kVO^VAS&Mz*n0&}S1Vo4;5W?N{KJgfKWFK!_AF6Zx zL}WYn%`F5aU|^RY7+YfPq!?ucpBmmfcj6W31F2% zs|pDC(5JH-zGClGU5kwbNkK?h`D;a@$Y8eTtf$;QO+}ON%u}*;+erM51i3g1N>Cm7 zdt%NkK@6M@6iK45^4r_?;_%MW|7qLjH8x!j4LkUb+&#$m0doFN}@IHOX`Zy|+~V$qaAy@hk2?kh zzsfQ>$&SS3dK9nml1)sMe|=w@WKnk|*1x zVw*=%ylx}0=%DLOK|N?3cRz~RvHY}kflsV#Y$mVfjrRl+{%q*kc~XE=OHlWBKJ~h; zg*9bwL_FeIk^S-FR#u7K@9itp@kSyF39ILvDkjJKfEhDKt^%s(e5>NnQQp`~wx#5z zh}Zcl{dD0y==uJ;H$1k~NfW#UF5)hJ)t&uWl(wYt&s8S1)o2tjYC zxnrB6KhIDPW2(jT=O$}}Q!l9|G@+F-Bm_Sb8U&}r^5-V3u2~Set*bQZLj$2{r4?$p zbGml2TJw692{|A6!Y?y2E)~($!6-L8)uXE9@Aj1}XB%CnZI)CLsx%Y^Rdj~myx8_@ zVflV9uY=^Gk9S$PTv4euK>iaPppMpZTdldQ6%fR`P zoBbOa$oUfJbqthxRhZ2pYvg$!kne--7BhZmrh*VVz4xip^xOZ8(go7sQHrU5 z_cFgqY_VzIi*P$3h1gv%ApwmG)^-8O?7;(ULNOvs>Gy11*&JR1rw$ItFnK0F?+SY> z5+#p$qeGfV=K6O=Zs7ab{TKjn!c2KC*h^R#&tx?Po#qd=O zEC}wjQPa4OD6fSZP#If_;M{Y{;3(6Oxa^lm3Bm&u%q9#R;lkUNq3MDphHElbXBja@ z)*AnrknaqD{c^Q$hFSRx(rkHOCF?Q^83=SE>0WYZYG>KqZG#;uRvwFh{({Sku3v6K zSVvzd@InCu!^NiLyTiK`lnezeWAERhFi9MA1$0*RxGwz~vrR|4mP`+>sI@pBt2Py$ zZ%wyOAG3~uC&PM|4(}Qa8kVRT>)rFxRy@hC09rz~#yw!SO|J8u1I_!JVZbY4AnQBkN?FAjZ;*m~&PE^?@9*~;V!{!yXa)iJIJ#ChsqLHwi{tWGfR2C^Utc%7#Y3S#E-}91=nNq6Q;&!WZ`@eO8-dnU8cNzFqE)8m_?Z*H* zr8#Mypi{y4U_U5Z_n@seRR4HaC-kcQ%7uilf478r4U=di_jC85vBdbd5xskH)06q4 zS_T_|X>D2qrUpC7x?t-1`r8&m4o$8+O@ay029Py- zh7{MHrYi%XekR1NUBi4bSwo9ix^R1k^}_nD#2=z|Xtq^!=`2m(rS-nnjJsZnr@U}z}qY0 zjli8e$WAg@RIGW4$^&!VH*qhmz*qJ~sZtN@xhPcI*#(!Y_7-HBd@#w9YCYQ0*sZP3 zXEiLoC|eGL7J{%Cwcm;z?!S`#g5yod{vov?QP!bUOY$&Sk3fy1sQcLq29VEBp7< z6|1#DNe4{7r&0Hla=Up~UpAXRNy4Crkh!RfhxeHxpUkOdT`B^?A*ETMl`@QM^k!{W zrCIO0$w0Y$w*X?(zy{0ZewO`5nQ!jojpcVumdo_a`=eRJ!?iP3rr6t&pjZU)TZzP1 zd_y7$HusZm_V70WYoaCpb;7?F0)|_jw3zp`*_zTcQ|;+X_Cf@9 z2mjFKXnly#$8@P>Gujapvu(AG#D|Jh<xMp~a(yHKLJ-m_(c39dvGMYh z33#>=YRAYp-l8#krC5Mpp!35&B)`vVQ^Fz6pk) 
zo3R-2G$4S+5eYAKaqjF9?~ckf?xJmPfrhi`q774|)2cRZ{2gYLcf?QYZahjf>Gdu$ zV*8v_8RW*S|KXp7;GFAIk^XpzsZ(4|JcinvR5bq`oR{zMiE>$}IQOiQseB~euFLFf zzr8`Q)i}FobjL_HbPBbTQ;=|1)IkYe{OW&G9SmfC20y6gsSwS)(VK0KHvY_Vbp+zM z-+y|Eo_lbYf;{SxepR(F|2+b-4R>hJyO+2BacI(6e2~30Qj!HiU^ZWbIA4Hmv;bZ{+A#?)*N`PIiDrESEGHh37)6%#Rjpag#wac*f^No;D{ zgqTUQ{se;6-0GMor6}vCH^aWW-{^Z?0qUxAq-ppK!+vf4jh{@%(J&gL20PCqE1xZY z6cc(`=3jOztPx?nLwX7^Pp~4MO96Sb+kRt!2FP8030lOse3bEJ!ZY4_=P1Zqtc^&d zU5ZI`fJL?ys0^edWr!tY{H)lV$!W_5VPM0r3?t1`L~05K{57gfv(D8o#eQ|EUT~Ib zN`pC)S|%Dr@223Z3aEIwftD!BxgM`1N%td%V zY^zj)MATZhTH)Ijbg47(nxBNvHfO2Umz{UOLqEwi$1Wrqh8)j(&=G7i8$Dz71n_9; ztl&E})wMN(f18b#4*Iv)}o1*p-F*5H7rCP65VZItBYV#Yu?%L_bAvh{Z$+ zZcF%Wx@N_wG|e0YJ;J~-E@a+}K86@CG_yPMAT>#l{bgxsj$;7M5``L^B_Nz7VCw|F zTD@A@PY6d`-js7A)z#j~iS}CG=&Jo>s%S1h~;oN~s$p#dB%JL6fbiI-_KQEt)4Y`iTV4?qNzy0fSPfSGXiCr_A`j;ka zpwlj`DDq!$e%uYk@GljyiY)-Wb}cy*FaRh`^Wzeub$N%&rM)eF+p#R~JOPH?4i#Et zoXK*%CW;3;?)Ny9C3I;+>sPGO6B=rC_CVQbA`Kn}5T0+#GyPGyM$_6K7aPV_k{i;4 zV_WnS=RBJie+Iq<_zOC&C+!CdSDjXv;OuCR@^t0-CSKXtyt$B{oXCIY;U@k`?&S*t znU^oT{xqfC#CPRa;~ak43yr6~X^eDUFBrK582MBlQ@@Wcd40V5>@S)Pn9vJSTr*B0 zXtU+H$khQ7TG7m(S6?1Z`>C032vZAZuoW^Gb!%eU7o?WEaA==|f)3#4Nnf_StW2n< zYqD|Pcp?(C0zR$=R+6X3BLZ{ZC^pn2j9pI8*tat6wsQmn1jC0@dU8pr6k+&W} zWt`p~ss&Duu5#BxQmBk6YAIvF)4%iPAF$V?>>e*qR8Q1Y$uuoVpL(vtGMmI%amVNV zDc1wYGu)SI2-b9D_9xNV6U>~{IYQE96xpJ%DO=^Ba_-e45vof8kYTN@BXr5EBOs9d z+eE-7QJGJ@a|KwWj=Nt^BnuTUfEIJ0o#zsYc#RZ9RZyg3-5K zhf6TC#RLY!{P3h+^pTa4qND-@PI}Yx{mzy#YmbUq-IDQ+pz`W@D>hc<{g~`|HvQ(Ql4f#-%uk&(e#e7^ERTzNGsQVkF!$l<5Keamm!=JHxM#pvdYr%iD+iif^y>}wuQ1?D~S50bC%q0vu zT=ATzvx+ahG+Ksj`hC%{Ui~L+mwaty+ZFs=c|P3+QH!GfTdCl|jBk)--JR^Y{h0=? 
z3q4foXK{0M#IuK+QIE<=p7j75k#b;1iIr=AFvC}OWJ*N48iwT}l#%{y3qf z>r#&Sr1a&xy?4m`cZ+21Spg~3-`dxLeIA4&c`H=oltk`uV@MXJ69ap~zlIDqkbHBp zi?ZcDv5dAoKUfHP7Ndf~`c(zx_)jxz;RVd<{hBm_tJFHzc;oDbfQgr~PblCfizIZ4 z?;|%^`X|Y^q+gvGI3y9HV7+uN#Atax!#5Fm;SJL~x7}DsrT)Ht!c=qGk+LjvIu8cH zqyetn29$m^LVz-yp){S8rfmZLRQGa=n{lf-1L)pC-h#;xzg)%fMp%KCDy-M_*VP+qIgN9+#pIrdT!yr06_+shPs$$C+z}xCfJ=iDfX9;M zK2ZjVW^_C5*u<>G!Dh^X1YQ^P7nNgsRB>gFwQ?DXO=W+_+8EjP`^ISSNK0wBJ#Q+4&0j?ci$HFk7>H*{KQ^M6Fa+l@aFP70=&FUXfjhrXcWF z$9FT__$hc$#!Z-}0F!9DF~{wY8O4B1I`z%DI6Dj_eG#%55c^ViWE9T_QJ4nlKl^_h zMCKu>*`56+Uh;yIZdV%&UR4qBaiov*Gwvz5G-K+jfQ~U{YHSwQBCnRzKVeULl+Jr_ z)z2v|4n`SS_Lo-~5wr>IVwQd6>*Ry-yU&_s-}cW3f6U+#;n`96YFIB)t+0nS$X|9h zH>8{NoKMx}H}5o?j__YJfPP5|6W0S4 zgem%r@n&2;Yfs+*AWz<62~jd70d2IR-cXr97riUkrbiPiV31F*s+6LHMRk#$C%v1q zobAs-ecfg<$%h(KvGRq>9;4^=n~-(LbO&s2;!-<#9XeOnL{4MB($KivF}CV=6GFgW2f)UjUY7ozkwXyf01zwH%@*{^T^a8AQp|jNW#k=U!#s(>33abmmMekG zw+1b4=VO)#X@JJhe(ybNH5}4!rAb5N zuz#+0#IOgd`s0R_V7H$emadd0RQ@Y$hmMgoQN^dw8#4dD(*74qP zUMivP?=G)1lqMt$Njh}!lFpVlF2bH6CGFSc9v-GUEV~U`wjYnWjgbI&T(jmcU}of- zRWSg>TWqT|@KBESOC)Hs-Wm7o_0b$fWb1~PYu3OV$Kr#4<1}&u{*_PkBL)1?b}VOF zvfGrVF^nwKleN_2+_h9J%zvA)C|QH}oFf?w)`F3+rnTw@P(y!obUhhp5&5sJ1I?YF~p6irL!2@`5?Dl~C0r%8j zdDlw1;dFB{Y-}!P-YIxYC-$1RPq*t_(jw$@d#F>s5=ryG9|C)aKQB>#elSM!A$hvL z7jPrnXjaCi@;>|M7E;>-loW>0wJ|{GdjB+Ox`844XCvq)bW&jiuMa-SR5}@~p?08H zGUZ!~QemDrk^EIic~g1_-96(vFI*wx+Ru}iS zsPKc--I)VnVX&@%Cwsq-+UHj2<(}82eBxXv{==h{5bxni1&0NUQ<4$=boI^_6&PEsix=a^8CE34CO6 zb^8P`am?`z>Fut7U%0srt0<(@h~n3NN#WGf`BihdyH<&kid*a_T?XJC z&ISVSx(os@CE34CO6+$yU*ZU)o5%gIWk=4=J{82jwBsNS6aFg9_BOUcMEEE2e?|gX za0ay+HBj*r`s{EqM%?e$Hh>oPx-WK^mH=B8D#6ch_?I(1i`^4=xN7WVsmdiL)1TYh zyBO`5*(8@gO(D4L49bbT3@VActu{#Qle2E%c)XoyF(H0>cZ88PL1Hm;YmZ;3*&;Mu zoP(e5VLcC+r6EVC=U{aB{bYH5fUUH+kHeaAJh zG~Fe+qP|4lOv{%ly{Nq3M|0>_MVC_KVzH`2H^C#9gBwFN!(AWy5`DSYq08A+w2G^U z4=_&O@5IPI1M|12v}xEQJ>ArVpW)o=nvORK9a-4R4p6K{0l$wKkB-@i@^DmY zvFS{+y&6*H8O&UU2*~{Onx;uC^-f>lwU`u+g`^_nSGLZP3R3=3O>zG*vx33VQq)nQ 
z=bYBTJCIvS)2^TP%2FWHz7n#60Q?f5kbOSWLD{RNcZwEcijQ5CoP0uUg>biF#01wA zZaL!xgxd=L2{UC`+Kx$$kz(g7ZgY0!&akE6HYlUY$mAH zr0T(5FuPA`QBo0RYMnNkmS@jDr&2%+=JU4KwBxQ=+Lhw@ek&+wCVMwing_TLU8rx( ze0U)`aeRXV6j?eJZ5FF52|9nE+K?AE<-TUm0F+I2T9^UYzUtTt@|IAOl}&+Ot7gtL z4FvEkWQ{By$nap`7UB{U-ounfXk(PI!P~`K#IC6hTek`+ol! z0{PYMCPh`kpHZQyh$VgPyZf*T?J|S1QiQS6C-F-=0VrJ>hgft{eQ}3G`9(y0+k}`?kw@{og7S<5x#k7wiLq#4GGo1TbQ;rHS)Vx_u9HJW{ zj^(lbn-=2Y_w;XQ(zM$)_cJS9;v`ge0*pt(W&xxHL*6ak>n-#dA z>>ZA#*!~b#Gtx*9tF_wa0+sU`LHfJv4OHZ+^ z%e%RVRfknSRns)0NP$wZcxqB#`f(4hyiJ3K*zlevf1&O}F!uY^F&DY^1k16YnJ+;c zw!Jgp1@q4=0Lp^>JNd2@lt#z@V%QU(dH{DG+>A0$uQ6~QqFucLHjQdd_(AaZ06^i} zj(n|Jk92_{qs>r}SNp%eG-scV<9)m^BDlP&i!u})>hZ5P*K72SBg?;zSay^)pknU3 zA0Qv(i2mW#AVv%rhf9RHZ*&~nAs`y%%yr0>Z$t(ePlJ=6Wi*HC73eENG(oYaa|keN zecSr)>{K_I2SgVq-ntqnp9_s`{Lvp~I$|wmxJ*`iJL#Xg(hmIhYs+#fxQll08pk{v zf27?3@85t6f^wOWM@kd0qkEt2=INGgky$uEvX45b<*1*J=mQ^mAU0Wdcv6;rU*aIM&WjR*0$m zO4od$@HEH~ngk3zE^Dx=0rVDQI0VafKr3C&>d7kPj_>bb{m;edK(4gJ3_oP+@PK{+ zp-%WR_sXc1-n7jqh%6AF6QLPpRRX$|1H(${U^)CB>rD!hJFh^?wq}O`Qi_iJKOGKY z1o6sKyHk#is0HdcUX5Q;=KiZ7-A#klpOtaxl)q3#*~0{hHf8!|H}o|0LnecoCDw;2 zSf&!w%fNC?gINEe>MiazAc2xTQqPr9`9er>9gP^iTI3j&d9tM6mnK-_t^kGh&OqZW z0!~o;sBd#@=_Z%S8-f7&={wm2t zn|a-)w%}$ncTqfP%#`0BtsM>To3>H)$ekbfP+M{a*`xZE6kIXlacA`zvWPvMtBypK z5slf}b8AM8`ikFb;Z`04UVvkNM<|$PiI$2I>D$8(L*Go~W8V2i#U_j|?cFC#hRpms zh>IvJmf$^>Kx#8PNq_tMzk3-9r+$*Ysx9=q+luzu?JaS~z4w3`5D&lH=p)FeCV2c* zU3|R{Xl3^lP4*0aSJa&D9KG^Olg_StFJIGfI|LJ``jpQ}xv!0;akrwO@8e~~q~8;-stHifi_n`0c&LjC;fq?u4b~YnJr!`TR_`^*330|Zj|_p`~xF( z{h8)}srv5UF94^CH1D>+M$I5$iTxedUifxk@fF4GhOZp&(T>r_p5C%|lui+Io>xWu zR+#bw{N7Q}-z!RL4ZipXS^yCX-Bo7q2Zn4TFPzm*k_NZR1vy|$qUOMLVi}9 zS`qVIn{O-@J{Ox=Kae?XpRE%m*xIm#kkl}b+HbS?Wy^TOxVo0brEQ6=kWQifBLAaq z;#0JBq}d>s?1hr;v!tVhiD$V21qfn^R`~Icb%N{$&kLJ}LoPDvb$VUeBQV}jq}BTZ zUpo?9=twY}>G2P+A!Z-W<#X}{xuLy2WjW`fZ;;~NM}-+scUt*P$BcVab;01b>9i~72~ncfeBU@ z8eM+)Q7mfuvWLvW*E#T8xT)ILqoc=Y@Tnv;+XU4+r_TgH(#BmxyVeAXZh7mM$pMxC 
zMO!UO(k*Rb2u2I-@~?kCL*%>o&KXNDsWvH!PUvaUf!TH$kL#8A(e$W*eHol6TbG1oRaigsv*`o3-p>fXk(u2sdoE;G-f}jY zHn+N>o;Q>N+q?7u47z{D-)}mLiL9D6}~tzpGnPk9wc;H#QCuCY#5US z$26evQp3D|PZYfHM>;K=eI3Z0lbP(7mRWAXe9wf)XMPMxrJr`C zeYF(JR*L)O8(H|pUPCl+bR2$!UQ<}x@cm=jDmN{xBBoU{VocUz z_IpDs^#WR1(#+faP-k6)9~b+Gf)zg>Kr?wH;EySXV*eVMgsHX19%N2N^mVb<)J`|T6iCL(aWFIW+)@NS;hnC_>3p<%Ymn{?Z7rpl9h`X zT>&LY%vx>bhN)OzlpW65@wdqrx2dHk| z87KZhGe6S?l}5q$bA7D6uqBVU$Ej{-JBd-wC61mELZ-SQ!|lSzLl@xnEbl@`s`iXW zLA`1Lq>h7&q@F0gr`K$tWlz~5Pqqi2)0u>a7;f;vA(QN$0MiiR54OmY#~Nu|>pceI zg>z3?JGUMV>CI8Z=+6J8#Qg*o^&IXKq7MczI;f4%$hq7FMY>s-LqnB)F>>$^RXc6n zQ^S~KR7`k0&hq60X4*i>^%HFS1U&9$y6%Lfs}EWC{Yok8`}CB&eMk@QxcyCW5CNMP z#BTNFik>dPg8*kXsuENUy1MtG+PO$R(yCvWM63L-phIkGT2b z1gt*^yPxJAK=bp?Z{Tui%Sw@t-nu|S-5cn0I?xQ(6xMm!`Tpx+cVm?t zR}sWwK_&1W?>vt}3E;q$x`=QVl3B~}n&z$7d*6nEQ)ObkX_bE2c=(t9e;O0-3y3%C zXOh2Eiu3yr&A%^`DMPe=ja0I|D;L~eSF+_*aDibp7bq!`K-U=XV};aR=J(2_FF+3S zhO;B3`Rmg0!28Jd_?@NW;}d4MOmt_y%uCWWyy0z&ZGE3&C7`rCp*L)UVEcX=DS-;} zx$RwZI!Rd@4}fG5{^|dh04zW~7kmIDWQ%OS=E8~A7#d7t<)iKI1N>uGe_3gDCa)e` zkw0=zC-3f#U(!aj>(mb-Z|t1$ggh@XXu9|9d^=v??QXz-!C-1&W_MdPY={8;DruM0 zUX>d(Rk$*c?s~IM_w=ZO&U1x)@&ZQLc)9V6sBnLsBEfqmM@|&so<(dv8x->od@hSW zc(Yhcp?7D~lg1T!Y}Y`XXSGGKkRnLM%)8I>0ZyF*uIB8H(?2x$)C0->WXgYbcmY^$ ziWZAGNS=xcH`rlVZldr8JlIq>3eRGU&AZbLmac>}fVF9He2ez?fh|I|eR^q5sx-^U zkHQHA7tSL?m`u~Gh$Fpn0G}<9_1^6Li5_^?J|)hH2FMgGHB62FJbxfRxqx@r63T%o z+^n&U&s;0QC<8@?$jluVOJRck%cJbY6zc7amVy&P^=JWF;Xh$x-;IlEofNY|qNu8j zscOYjMZaIoj7CK8!bi7xjGvgk{EPy>*1X+SU3@m&rE_eqRqN(f!@e}TRP$X}LZDN! 
zfAjaOwSiaWl|W4Le?0!6&r6qv12lvo!148|Bu>{9z~>nHS4a`~?*~E>ZXsvW#$K{u zQ@D88)xrOX=bbd5t0@`?r|M1QU_-leSJTgWIbO0CSPegV%mS19N%k*2Km#a~heeu= z755Dr6S{LjJ1YxrGcjQ2S=G63-| z=t2(DN8|Vec<0Eqs!>GhO>OR%y`R|g?}h;W4`Z~{YgPW=5J*zQfNLravcQ=ze~Q@x zR+=6^Z!+18GT#}%eQ5pv;Zi;O$fKXp+H86#XUGMe z_nnJVHQ&B;mDmi~QAsP|db) zN_otx-3Fatv2IltB~&+vcE?n#kbKPzcyv^Ns6lmFy(|GR0wjT3i<=YNOU7xkW^%t* zN_ND_N4-qVBHjyE}Kh4N_$641RLG=c-b7MS_*u2E}%4 z7Ia^@jN2nrJ3o>A4NGk0Zm!l=ZLPxH;;j!gfibZWO834No3oD8E*uq~4m@wgv6-)a zqpH4|UmG3$rBPfT=;2j5)W1#N-dgMy0+^4P^7&!#gj5u%EJpO!EIH6!3_}Tt$7z4~ zur;}=oM1Jcuk-31e=vjlh#D)J^Aag`>d(VZGnr2fTn~eOQ-@Y|FJMS@&TJH~mg{2` zs8QJ7Z7G3&n2b%4+5z+bKVh#1Wvkn@z`Q&O9>APIfuM!`f8HTBfbF|KEgQuwTLE@L z`==0D;|(O5?5Il;=FT*pAe(Y6|2kz@b=~N-hNS3E*3)D^rty-_NW#L_E-I(|t{EoGp|C;2@HJ>GGoVsuL%K8EXpd zxx+96r{g)e>EwSdRwRt@>EJEV6Wqm;h2I;99of-)BPU975UN(^+dAFF1@e)^l&PF4 z6{}KI=~l_S6ll5_o+j%)4RqRDWk!6B6WDC9in#9{a}*y)#pVW4mS0|6XbWse#rii? z@aj`KDiES}1vO87$v3%_Wc<|nE{>(i8kBWt{!gF3+vM-h09-l#v|N;M z$vjI)H)6XaaSpLq4MWBf`Slf_%EVEf=sOt}9io_iqVBFg}%g7NXrx?%` zA*U|p^tyT&%$dx#!I$j-9umIYeMZR*JIU({GxR@LBol)dtl@J`5?x&{HuaCw2?ta% zOU8kS&|LT|vi3^}TCzixElSSYxRbiNQzFau7UZoVo1j0FCcYEhKi(1F9|KL!J=@x* z$thR3JLjw~i#YM&k<%tbHY0{|rtQ<)n=@S5xo$^FOroR~(&ijN) zul|%^*^S!%9OD$uQIyZ$jp94M{$e;37sH{LBf!Nq{zO_0chk0UB?MJCHEH~~lwdT& zgtX4q?CnoPn)=~cFj>R#S}5y&Ld(Hk->uS6d&8q6-W4A5NBA9D(3kur(~RC_dx(BE zZ##{^CJw5_0))=mi3r%`Q zt`|dkTLHq>llC=-ZUl!-dtYWdLD=rD&Q>457BF_rcCkLP*^>1b_2tyVg@39RDG_Hi z;C}vV?IS5hSwO*^Nd%yHfr>6ytlIKG+_NG9y(JJleMIrpKB|{`h-mlGsd}P)%lNF)^TA8& zz7fNrI8Qb#vrMRV*=_e7Jlc@U2`hAU;>(n3+9T$B9gOH9^LxTd5;xPG-55*5 zt|1w3Zy<2grc!fI6<99L>RauXHXkro0Cj7$&*V7eoj6<*x72h5v{Roh@i+NK5w9+w z`84>V|BK6Qeajy)V5Y7pS7`(Vs%u*a!ox$PW=@pT7xl-A21#(f_l zy|U;ok@K}c`+p_9!Q)`=>O_(*wXi_E!-yzGawbj2iM_>&W-^a)&-_9t9ey=N)c;s) zgDos%yj@&?vuOJCDJp91LMGI5ZzmW#?YwNy^Zd{d;^;{`V;7WAF6S*=OrC!4E{5w4 zTWjF9W54G1ZD2wFH+o<93uuespyY~TWQdE0rspN#T4StIi^ykArNV`e6xZV)X9bZp z?QdfF-@tW;3sdlcr{DuGJ$_<|`pzC;K%+PP&PSE={#o|(+$yses% zW--Qo`;TZ6+EvRU!PIO3 
z#8jG3@OMXrukO{^f7M2MvtkmB1JhYDl(#-(O*O(`jd1qOck z$K#|c+;pf#=H$q9N>|uBo@mhe*4ok2ri{Y#8B;(BNcQ`mV0GHE6$Xs=@3^AV%hBMG z_IPk4H2Iz2YzF+#FL6)XJZ)`DY8F`wfbgmw@D5=mhl|GL3w{CZY1?UTWXb2aUk}*l z`pW1IA-`bu)c=Z|NIz22lf~klGr5oGLL@<|k3zPiHZrzgS1Oe3H7gH5;jN--rF$-6c5pK*40Ge>gaBt z5igHeLG)$O39ZlUjfnmYiZ4Whhm0Y*+ix0b2Hf*^!;mZO8Qh* zQ=joRM}UX^V&2c~=nD9>RKTa@1J`86hcnu}=>fT*AE~6SY>QLi)`E+T3f92N0KL!; zTd{zOq3UuimV<_L`i~~N+GwYX&|3>C zaKfMu6&zu9ZIQ!Q*`mzYPU2TuIistdgPhkpSq z{zrpTzXY5H33zCkBgIY?e!+z*hu6}q9HFwCI+wnPb~`N#@2L}WnO;R2RdLB>pP*Dd$Y+6a=W%wScT9{laO#`V3FDF zah1~vW~~n7*QoVO)J70H*yj(q5@3S1v> zYd~NR#MrgL(7rJ|R;yXV%zF2!=Z&4@arNBfVy;Tw5>!D)^~de=QMZ1Uk2AnEw``!n zAD3|1c{nY?XwJC1rVlY&DfuO{;edL@uUQy5XF8tA55A>w(7@7l(<|CyADc5?&x z!x9E?ld>yX!OEz3HSA}HQza^SWlJ;zy%H5Rl-d5^A1FBBfF%!zu=P*;fM`1fjd65k z_%Kx{B4c&Zq!L987~5E+`{y1Ce9j+)d?n3I3Zt~jcAt}3U3gTix-Vv!Mctl%8;Y$J zmVX$*b69f@`PHQGKd@(prOZIyrq2AcyHaS$M36UUn}Q|eDo?6TmFx!YmV#t`~KNBmW^fGwc4_+)w0cH+qPZH zwp+$Kb6Ly!z4!V2KI{8Ww?FD}?(5uhpZEC8^gAzZtaYVpL_f`zc=W`THP=s={i}fS zS<6}wqwm2w;311JUVoh=6;xq#%cdI*t}0*uEo%->^|=qlZDePk?LR%>NNN2zWwxCz zb+*JCc2sFXlH0>WYd_)o}gQ<{>ARLL~ad?r{~T@YvoUV!f>}2Mymx0_}$ab>mE4k z;u!{QC=!z+Cq}*`9*rua@fo%W;@7>; zS3VKkRZ{WFJc5nxp}CoNfMZ~~lRFBuJ~f{)HCY)t(S8kTb)wLv#+%xC8>R*OVvN-S z7Hgm#GXBHBrh~IhWB9+S68WHxCE=OjH4L`ajX=SQCLggt5i#l^@L-e0ik+gMME7m}^ z#s2U>5dEvilIX)fV)h&4uE(tzd6LZ2HgYlYlHMf+`!b=>ErzAd;of=yd=>iL4CDWG zzu8XrunF8AKXICpyX~iIm*1keGD{-t-l~=<^i(i!uCCI^$L+HFad&9hBJ0W4q1V_G zj6Z1uVi+HCx_GY*Jl?P#@t8J*4XUo~ixvtvH0p5GIO*Ht`)2|a7)BeS`mnBI1heBQ;f-%0{ zaj;w&<=)W;HTO(7dfB_zvkh+bU!4C@BuTlg>#l9%GbK|_ns?e_;v)C_%0s*G_dgqF zjm^*x+w&r~Z0`RKC$z5nt66}K@KW-gOH=Ze>4ohkH}6_ATD(SiQ{yy+I%hX7?<`kw16iVFFV(C z7oG|D?CCIBsO)gKL0hY=urRBQkRyQ||x~Zwp z&5==_lw`ZvRt5inN|`1evy%#kv4cL zjttJuQK9oB@eB8LuQt7|dz{1%Bz zcBeOj>?s{2av~g@7;KH4iZ`T7v|l&IkWCKZicc7)6?)Hq-ta@+5Cl9G8i{>>l*jIW&v40LD&`@Zbv*VR?2#8+6=xv8^hp3xJ7Ho(bQwh-u%=yh4N zoJdO0r2$g}VSFiS6w`9{sq4RHeEdIV{O2>#DQGQvIQ$u2X4?s-sY$OSiK;&P;Sb=U zMx?wfEWkzuz~;06-?T&De&}*vZ{$+qCY&|(8&~Xz7$bRn=@84PabB&7J?6J6_^5fy 
zHJbqUOwkTz8CCCOooOoPr?;QKMW$oP7@gxK+&U%(gvDazbd-S$pH5uC&+0kmwPq8_l>#e=VQq zvy`o8y40-_Z#!>vM5?RwUxB-vH|i1(U)Z3$!EMg>koXQ%O574-rdPsma_tL51JcqO z4@49MZLC`{!CPJ$1x^}&r6xyvER}3Ub`+UyW zFVVm-*XiIFG28{GPaW&kbeVwSouKxYj(Foo_+thMB zij=pn7D;mJ8Q6-?x@Fgg=R|g|<ctFDF9tn>c1IG!)fKhrJG0~yo`WYA3JufPJ{J}qocQH{(i?+%nfWokB#|!-N*aMNsxA0UT2kH5h_V%JGc|%0L|d5E;du>=p4Zsw zi^$cJ1Jb7fG?o6XOc{-PZ680=%?X|pRag;>l~KYgKXu7rLf^D*>Uz+Zs)?(LXi`EsvP~@~f$>^3g)jKypu6u)y!9b@Ox|dzn|8_?v~`=pG*6_rhAbUi_ksOLVjz z$;r)4CSMs{b-miLN!zQ>tKj$ZwzD_)ucn7cQT^!4?KIh z7E^X`Qof~7<$XXCk!g&PO_^uc7%%h1Klpp@IdB9!89o#{ALbdW;FSAH%Y=T5mVxOU zIBH{t+&WeEht2q3G*P|i%aWec+$FXTAnRZsSNqb*k;VLcuoE9I?Doq43MM@kff|d*_N^<`b$hh5g~&3 zu^EMYWW!ltUD)ZwGQAp6pKzTEd;SLLa<11Zh$Ny#L|;9k?Y}M+CTrhoJMauSoXr_F z1Z;U>SlNYCwE`M+mb+AjJmuuC%nmr5-R~6p2*809!GRPf4S*Dp^nL}A5g{}-P_1}@ z>1kyie}N7ciGr;u6Vaqe@jup-*$lOi-8u^P*|)+kO%rhXaGK4z4P%xY>%?^ymoE`P z5qD*(wfnQ@PyE+xm2^>vQdSA8Wd){hGlHP(gGt1JHcMs(n7xu~6!+Qc&`0~f@U!VS zM0%h%LMnL!c!uOK9pBGOw;AyUy6g2-fxaA?1AdXqvAU7iXjmhz>9Y<^vBiU(13Xh( z`zqCgFL>$-%k#OmGY@17JD)BE6P1|@UqK$Vvr;i8v#nf3q5t^LlkNJnz*Cz)nLz@HcP~_~p-$HZ19kG6a%Q;6|*|)&Ucz zw4TsOT+|-4m2U#4jxBTSOD4|dcw}XdpH=o3r%4Avt&{ShLhIZcm5>O=fpO!C!AyJ5 zvjljUVr_y{Qe0(X)2#Er7>Ge59+rUx_^aM=^HrL6(yA^Q_C1Li_CV4aUx1{`8D&5u zql~1pV9L-VwmFk5XL#XjI;?g%b6;#aLfh7@E#O$^2eI|rzGc@Gessi~8Ix2{vzL$V zZY83Vd@`_w_p%~BLz)j-Zsc)f0-A?r;MV09#PJ*`jjcQj6s9pGs+HSbBLT-Hsn6UC z1C~L^wp#BxYD2D3Iee9IdH!Q&1>)SjCT+**(!}_Yt%f<5J-H@9lHNp_5Zmh<{X%7M zyymk`sqd`jRc+v|Yd2o^XE>s=!K}5Gf`Ep*!iK83 zx%0_Q@Lh4Ax7z4pG1`{kSw#LB_}-hP)`x!rdH2zPZLn1=Y?MZ>L*QIlhiGx!jJm*8 z6EjMz3K$l_3o-_;4bM@m%|@=j!gJAO6b{^QIB>(`KIWc+-EU)cg9;PSvH%5k;#RQq z7exV$4aZX`{`z30CdD!}ADy6y98jL49|<0y>8VzbO;f=)99ncvrIg5(yiI9t8S$S4 zWYqH+W;!V96*sN9j|deCQ>+sIxnS{%o2o4!O{0(jDpjQ;2qT61n4qaf;q-<;XJ2;( zMzhNMqb@yNI|`{*H>&U=s|p9)Rt`ooMHZQ)-zic|R*T5Xeml85Mo_;(*!s)ZAlthaEnpw=*kJJ>Cz zh~tafBo8Y8K1?Tw%i&*)6jI<}=-8BI;4j-42@{DthsM~etE<_SViG4=d4VmH$F^F` zn_gGgK+3^+_P8QC30F*c8b!%5x(b9`E}4Ja9n&OCv05uH+8CHc9A{aX2nPS~vGd^> 
zwxEPhI+n9TYmri%OG$%u;?>zxtsL#aEE7dMO}9rIIC zo{v~JP*>z$DeERjLGol53KQY6{Ge=}X8(GVwI>@4P)U#2E2UmAm#yO`oeex%$_u^u z*amKmZic6orUG_{tmwjH2#;i<1vC9eiz3Hp4g{tdiwLX3;9H=AAAC<^1Nxg{?o?Z? zx{>M(LbYK2#&C%-2;dEDDd0)w&y90)206v4OKRmsgd5&!>k^c0W`7%YoQ@1AJW~X# z&>Ua=n1>K`YPL95EUxoKjG6pgIA`X?qK#=wMd~DIRK^5|2>HjEtkOLZf@rJ=*&DH> z9*M(+lVW-uQb-!9PPGoL0J$0w@?V_MO9h74r2j(NM67HB_=rc@_|e7~ktl!v0A3f8 zv(gjdbapJ8c^Ih)^_v4HtrGSIUY)0+>0m(A-s1`D7V9?ynAmT%s)9ydI&`gHc_xAo zaH90Rb}!VG*!qSQoSd@hWG4=q%li;+*ppA0`}S%tfFl|Rry(*p)JYE7f6}pqN#y?o z)!?RsKQ9!GcJ_B8_V5kQrHT|y%Cg0B^V)>qWBz4S4hliOp({l`DUeZtDVE9~6kyEh z6GX<@XcSM^IkJqol<$j-g_3J%vX6t@x6ep|*LtmE!*x~M?S=^#BvT2tj@=b(ctn!U zz;{n1N}{xIN^_$Xyc)w%|8cA;59vgZoEaj}U>g}cnNbql+$IxV_lvM>Nut8H9JsdZ zKo}Scl)~6yll^r%m#o_{2dUXJE567UJsM;0z|5D{$}49d>KClcn_>t#wy2N|r!8`S zpwEa}$iMe^adoeVf*EztjFz?UN;*7MVzWUGY7UIW+rue0ZNvFTZu-qv2XM9-24ifQ z_a{kj{KriVXuW=1+*wg#iTAG#->?e8)nU+tpl&lr{Drcb)*VBH>RrPEAe0@AFbtxq z>Y3;lq{YwEl_E`Y6b?CjE$f3Fhcr*qd$X?jO~inhz`{nP9PUbBiO@yY@2+%?I9$oW zAIiUkIbSC{fvMZz)foUj-f{Gaw9Gdhdt`_;53c?t{2vWU5puO_Nr+N~_&MA;Yq_(A zwGqZ^gl_~M%dJsgBWcfjc#TPF!VFY&wd=2lfvfzw$L^zhz%KPZ2L_~3Kjuixr}n1> zZuU0#DnC`bkdX=%f&|Pvs|4SkMQ_|xW&Mn9y2V+jcD|`r>^Mqv535|wl>X6dgM^vL z;@Lr0iCxxmgYT(11uoF}f_(hu8Xh=MG5X*-Y(wvn>vNgT)vaKVK70Q5r%!u})EZ_Q zDqDt?juPU^qc<1f-CkFRcSr1Yjn~bRGM-1`DPj3Whxh7U z&Pp}FCLq-3@NFX1doa-=fd=&T>F|dEg3IYds&Pn-f=Q?QjcLnJ-D+)WGK0tR;_`E+?D2c;a!M3&7goqmPF?*35_0Lx1*E;E*hDR?ynkYMH+u< z<{h#UQ0_F}Hz&)ZJ9Z(hD+An|Y{&w82L|1Qp$IO2=|}jym&K{B=+EXMgV|x4ash>p zW)8rPfN)CjL;Ed4bqUX1#JFMWKboJeCvPH!(FflD<3f2y4{(<_}w1qfR z$M2)lz%TWN1w*f-0aNOf4(n#siBRT+DGgXE*6qD)wH11j5x26UDam?<_o;1`x#P)g zPJ>QnoC;NPG`!^C0>fgfVS2cZOp`l_Hm_9-)^3nNWnHs7CVjw+`svl^@$aQ~99jz} zInzaey~{(eWW31F*vlg7WeDhNKDAGhh_Ye?#`{38ItSOn|LWp79zz{Cx+5J@H!?pn zukck{UdOemR^nKFR?5Ha^Gu)VP)R*Lt1d{s@VtPEaS}L3r!~2Q(h)6E^b4>%&ZkFq zy4o(td-PN(kPLiu5lkNp0AX0#S)n@ntje`SR=1sG z`&r5_GyqW`pv2VU?MimmS#dH)dwW;2yzIaP|KbfCI|Hd)72YrK}W0*Dp;3~|H+}e zo^W221#@ehMeI?sGK#%^f}cErJe!ck3kqCplk{D$*HDF)eU?mJqs|Kh^Pr{l&b^)_SAfs!ce2`mgQy%j8j 
zQg$I=cdcH3${x4`Ro5f1?pNMqodKkgJ%~}ETZ1ooos)Qut zbsjOIJyxOHV0++H>Tp=hgQ7&QGd5q?c<2i0>aX{M=yZvQnof*}Qtm>3@GjkoJ@Vas zik=r9T#_p^%NTxjELKJ6xDf{S`Jt*2SA~rKoof8!Q|Vrgi{pc>^aO7RsTxFRRCShl8VGs`@VcD z_D_@daxhoJK^RVWi2x0zYu8CK>h|q@j%)29Q;{X4>lq>U2htGF9k16v4HiLH>HkY~ z1S6=|cciE%2C^Fy$nLW4z{Ch3yW6Q&4qNvN@mdo(!=HDo$&gn>F9>1IxG+zKB*{U@Ts&gM-Jm0Q$ z+4^&88ce|vmGxKxH_M+?X<{!2OXC0l;@{IJ1|?`SU>mV^rR#dB<*elJq2RrzMczza zEc}Ap7MXge9BGsjB)}*ckGK|>iGmsvPuMS2m2Y+@zt)WxDpc^u1+7qYieAb}T!}9U z{;1+b-Zlg)0N}^jI_tqpld)aZ$Jv7F3t_?8@0|>ER8JBYxMrc=LMtE%KcPp5$2Hc~ zk75k7^?yGQn000xiFkw{BM2&<6fxVpXfxn1xiA8I!V##RSNsXC3d6|8oNt!LoO9$h zZRM=Vi3`Cum;B91^KE)B_m>Hp7jmq7q2*f%*{1|2dUbLSzeq=SZhN6v6tZfti&D|W zOUKoTPe9Bm=o&q;hCH=aNT+nBB(Dg>nmhg$141R7FTv-3y6t5iRbptTNuYX6k$4y@ zBaw4QF-o9XacN$$t@ECs%12}B06@?0DTEEp%xneoxLm!gDEA$aEq|Q6S(fO2rFhcr z8irYNwA|*ghBy%oTJ*r;vEFT_$7po#0HkX67H1i+_wF|yNaX&W&_Ezvh536iysECF zP-Em+z@lt3kM!XdO9d$HGLHf_9}A$Fd!5Q&4rWb^2An9w9nW{bm!~rMR>x>_ehH&0 zR=$)k@`>SLxYKPuA+4YAyx!+jgX6+Ft@KUR#@^3SC~RLZXLY?&c=R7&yS=7GA@Y4(Xmf9;SjQ}e*trw?HnxE11}M@yY>?Kvezc1@AoXA+Kjy8G*p?7ofi ziI%%MkF3r7rH=-nsm~slg|3JifsEY9jRYJ#WSzX7G9_N1@#C16D+<(?ZDkOVQ^I z^C2EI7r$HW&nK=&_vCVGID(-_l$Y_NlCHiDcZ1Eq93bW!EQvH1TxspCv8QUD^d=K? 
z`nxtX#h29NpUQff6u;}OCn_>EvQnlv2JKdHh8S7?S?r8HP(|2ji-|+v+LNZ*@9#N} zis4|5!;+J4#FcjImNhfK(=Is0*|{e-TE#Id)pk>ol1bzxq&WQ=7+SlpGlQn)`cwl* z3{yKQEP7kNc`^C*;+@00%74~lePK}fNJn?uSiB1KyL1_wtiR^*NZ|4T1_$l%@w zM$yJV)^@;d_B|Jf3&5Ot`KhR$c~bUBKcZd?8lB5SBUP`$ExEoQ6Ds55T`)TqvWQcn z&@KLtEU%acv;3**=}CdO%*a#0iN;X7Rmwrex_=hCbQ~&6L+yR|OfBQWM&!fPyDQXk`q+Q2m<0ER=38eot_V`fgT1 zKy#>=-w-mt^{CVQX8Ho}(Ie&RMO!nL!{}xeen!_du$Ky03=+mx92>#Z?bJIJCHYbmv;sh zvo~u06ot~A>GLPg93m;sw{J(Y$7)418Y>UBb7)AJ@n^=0s!c=IKPO4QY7B`AA5(sH z`ZD#j3ZWfB9i=hMNdfFJo>0C=ZDbastP+=Kw?+JQ&ss6*ojR;$3CE0B<>OdI4Z(2_ zK~n=XD{`&_<0)jcw#$>nuNkifYlrn!t3AgD$_K;7rwaa#)I6|CjN7dVSldid_RhoR&qF{K{wpm8tV9p zt8zBn1v$1XXg}QAkEj5++R9+77vEa|D1W>)`vN%LPh%FgVc6ZMT@5}umnT{Bc-)<% zCosZk)D~s#rFh>o>qzXvz-P~UT3Nw0cdDEFDx9qG^ckz-!J2sP`6bGsns{EPABclY z16go+1tGf-6>;Pe3M#dH+ce?VEMIzSO27nCY+5e)KJ>}HVi;dc0L8fsf zgYH5`DdWmPLrl{d5e9Km>?R>)^5sbc*H_^gJOtC96+7o}lK?}KE6{jNO0X&~)*g1e z!HP~!{5VariYgl%-DPl!S(K=z4|yP;{C(StL~4kUWx7gw$?2i5(>St%cNRvv>46vsyC#iP(qqUV+0suK6Wmitt^bm$ z=B;3?fLas<<7{7n0zj*+L;<)jEktjY5cII7sv7Zot`kD4YYTrag6s2l#R813b)xt0 zq6nkzmWo~r_MgckDHRF+%z6b8cUWOZ;&yaABaK}2>U=GC#ffgHS)tGrTpcQc5};k z;L_2$0+pXC{qS`d4}l>_qv3K-HN}*qTueKZiDpZ833WpD5z|nMv=R6N8Sprr(U9*( z32RXSO`B$xG<*LoYhVP(YB5&v!no<@*{^No?bl`=E>yBr^Xz*E)T5{SBk0jFdyBh} z3xw%Eoj*2FnOx3%EFNr(&-o)^jq!PZB#c9Nrp^-yDtQp0DiT+2J3>Vm%QR1Vb8-n4 zAe)5sPQ5m>(a3{R?GN=v8kRX3Lk}#cF(9h}bFPdx4;LVSgE!af!^QnW0#I2le+%Qi zea{PNeh+Lo&X7#a-z)vQt8S`gG~*BNssUCAV00`Ed`9i(GJtKa3W?3#bg@~y#^DQ{#>G2gv~KnJSt5)b^4 z*n18s25O7`3TL}PH&)=~j-q%5wsaGDq;U#_RH$@$Wzu9>y@d^AqnRg6{f%P(f4TBj zZCLxCml1012t%lgGup{VY4ns6+E$wKGmduN_%WhtiZs(|ZeNw$o4?0xx`+fjP(&H( zg?5lxolCC#@R&N4D-L$zJ(Z{zj3zYEK^Cw7fhg{(FT z?_AQ$OxKvVgD{)knPmnvZQaOkRmPB$RB{%z zCs|{qhrxR@_)#h~CiIC7GbFtIJ+f2C)Z}8NA`;=d9lX_F58x1y-XYawyQtpd!B^L{%QSNno-SIIU~ ze;0`Oh@%}IiEW$=`#Du+HMQbHd=E2cNu0kg$@=us;m5fc zyAHL|#mauR69k*ewGw>cSl=PU+eSg70MTbpkMvoCZv)S_N%U`b6LwTAAa$Xb?ZP74xCaQm3# zl9lXVtd&gQXq(8Mum*mBNW$d_2bzLO96!j?hs5*b=Ep4O+dU1qT7YbcI;T< 
zcYa43(6DE87uPo_4@u##Jj)Z3!`82Sb?MPDYn}lo`{>4;GVTVp9t=$v3cX=px>M0i z{W*By3FcIYNZS5KAesTjoIV`ORzQJh9*SQZ-pm?t0`d)l^9Fd@@>4F4A5Kp@sJogu zt^=s*Q=5*Xt9J4|Ybz^-504JW){yazXGd%VM1Xa!u^T1(OJE`|fa73Mr{xjx@4Dm{ zVFYr3p;Ot01r)iHw4%!&M$^71r=EV_Okp_@tWR=pCB|K2pg+S72vg~{D1Q_XX?VXG z0#yy6&aakvYh1_}RS{GxvCS;;rU&L5J(zjX$Y<$pWu>5Kd&2%hxdPD=$i3WQgtNdA zm?G8J2h+!%0lEidzj?BA7B$=v{Q+*xgEHz_P^e0EcJh&uiO2e&xr_h9fIPr&9v_Yl zYaj#ihGvh4L$XGy{s_+R5>s!V<>WGNu2yAY?Npd^w*Yy)m-g2+kL!np(^s<7^^t6+ zMjX^ln5N0>q00QU*)e}I!Hvc0rbbc)hp=wKGs4LV4t5RgaTuLskO-&PDWdix4V%aJ`VXfFmJmG)&gaFo%L=TkZ?ujp-GbLs4|J znv(pQDv1DtL?0FwvnM{D8uu%m{v?YPN>mN}({xTWn*ftgPEZ>f_32q=`s zOwq8P*x#~SabQsvz6#Yae1r}MtpvN*z#Xe|>`~SPiyvM8P6Km1WA;~XNtrRxfvVR? z-rw^Ws+z zyok$aN1I9Xd3_#iR-xvU9zF)jc~8Eo5Wzh_!m#3nyB13dXk(#vA=}S9>9=NiNCPh@ zjN{ph8k`Gm^@K;79dRtCM3kQ06_*^i-p6+-5-4lX$nLRRH~`+@GEd$Gs=Y8V%p*5% z4P-V?InH*pChryudzFtFYIO<4SS#8(Ta5c;r@%ssS+^X}UU0g5qm=-79P%ehf?S`j%C)AFSj2KzJsB$ zu;+AoIp`1lUJz{4a#Ji~_yq?-_;Ladycaig8@VUw&sJUw^A>dXQ zoY9@G9Cs8j^}XQsck`4jd$^|vmL(sMPAnOn=|!H&n^Kp9WYppMejx$w$7#;3jqr^G zA%ui}iZ;8n9kD3I7n}-Zy=3;Uj$xNKfsbf%EivSlW9#>sCuF<--`&{yod{QY@jEab zsZV<55O^uhW^+z%457XW>;2@Z*5oT-lSp{VKA zZ5P}VnB=$@4_IQYFs}E zYBn_&v=;$!pINkYpHV>IbZqW}lwXW2xSyl>Cj*3EMD%c1F?L-gDbl}Mr?bD5fbZ%yU=>)Jc#1;?tDhip#{ zj%u_|cYCY!qk_vv{vxz5{)b|-*4g~+DUxi3Y0*RBbXF&?rCe58E+6%po{lbls7e-Y z?~0%V*slO_wqP%aIVZ5@8`+!Ey*O|#1-w#o&v#;&y}9@60y9&T0aZ^^47@HdB9yXX zi=?w!ZztAk!boXGWuJ_)2M!I6KX2X}jH_3}Y!N8f5SiKhdNkx&YyemxGw$1c0kVLq z$YuJw6?gUW&aGqT1%b!rUdKt!cQkBg;*8lUtIe3cngR8K@)j`~e|Lt@6iZBBNk1%o zx0QWAnqUHhbO*f2{R|+U=|k^93`OBq`ZzaP8$r*D`V+jBWU3GiW2>lSZHx5|z-NI6 z+wW=X1TfEAHCyO&Nn65zU72jJHqvhNkHVPJddrPi5_hu zN8P7fZTWNzAi`?PN1GGQw5_2#&ekG(df7#(K<&Y3edPjofG{V1p0OqDN-!7jR#Oah z_h{-m6R)_4EIqAicKAqh(uYV2DNOSNgApnMQNH`DeDx1QTG-%H{VgH50LA~=M8P*D zY2YSi>+j2-_D5}YZQ*wa5V-vmJa%o11 zTg-AKWKZ7TZBLF~3&QFo>V-)=1HN57d5TpcS9~EUqdf*;CS3ZE28sV8z^W@1GqxP% zKmi6*{ia9*OUF7=P<2b7PV#vFwAYv8ehR)e*BflVMd0=zUO1}ejxAduTvR9CcW60{ zVh|p5y_BcyfXC&V1&X0y5UNd_%RlBrQFk8*Bg#gOlb6&!;M>xZ*A5o2S(s-{UbGnm 
zPJ$BjKlp)~H-Um^$|^SGMvUS|84?G>9FKEkz99@lyGH4Qfn<(7KSvs1e<>1>GWv{A z%ql1v@PIpMF) zw=C`Vxsb&WW<$9~aI#W;XXiW7`^1QR-kwKLdoZ|XCoi)FJD9v-htBRZWhW6(?M=9% zGt6|52N^}u5MXBt_5=V2r4 zZu~qsUVCW15vrFLoh{~dE0FE0tJLa>z<3R+2A?Cm*z>t_G`hjZu}cuxR)~~-)Rr)O zrj-!EJm3Te%~(=K)UcZ^Cf@#xl~9#JiJSU!B%-7|nX%-%$^h+@eu6Ve$*V}{2-tTy z3Ni16op~f!OGEe;2IaaWTDfRYMmB$+UDp59GTV8#zstw_sf^XU2vi^<(nnRt(WJ6OZmRV8jeNz zD1A!pJl5Ziod!(+U9PDee9cAwtq6ILwm$}S8Ir$+d&|lCz5Ere5iPQRsr43&X#m)} zGV)?;tpw7yj3G4I*KAuv?d-}m^_dOGURYCFM#_R5y==yL`5LbrfKOd<`}$#Bb*_D2 znf$@L+>Hib%9n;~k9#SX&2?e9Vld~YlfWxJTH<-n{=GEA;}nXCC}8{Bo-N=qBF~Llt2U#@oKA4iqJ!k$^AE;oob-Mh?VCSA$aWmEvTt6H{^6B z%f%v<72&LB4}p<1X^6#Ag%(^X%#h2FEWqdBFOI#0SY4mzEkE-DKRtvZ0|iwE%S?jI z8RFWyUvyL!X)=T&?X6v{-fgGQA*!*u9T{*vB(oJ_*xTe_5?wTV-s*KL;!5}uWiG(e zkxwzjw7eL)crYuDYPOWCamM}2B{muaQn;&L8wYA}%ife|pPn%;qf{HJs5cOt8s#zb z{i*++_oXY`WcHjIdB@k!Fn3ExxPj8w?_0;?;RImIp;h5!rRl(niw`c*eh!opL&e&I zhd`DvB1jt)rD}DFIny4SB%$pa;U2JXNYIx6W{825%Q=anZxb)8N1Si0o=f5GBC*tR zs~ai6=>6NhPQE#uNc|Tict7>!>UGrh( zm)qMPbb6qBC~F@-Q>}=@Of#fOHsq)I9EfnD_BMvYG-iI?VQRiIMZ-r+y7uf*W&u|k z?fs4k1DJdlZuMysfOvkh{qbJ)xpyn&o#K3|GvM*$<>H}WwD$Q|H)`*boXtk%hfQX4 z?XD22b7b#jZbeo_Sr~*|O-7%NOYiNy^kLxj_s2?!m^}Gc7N7uxW(Q4E-JQJZS z@gZJr?mQefwMVQ0OW2pn9_$+-nLG|TdIQkzID+T%1OvEdgj%Ad{0wh5B}3H2GVB{? 
zdv}vlre@W8Ze1HTd+KM%$vPB6if0Uo-;f_`Vj0AD5XfWq-71UMa;vtC%0z;4 zbWg5sf8)|_j~jDoFGtpO^WmB+gbEEC_CK&|fEYG%82~tPcN*y%&N_{l|O-?U4~2SyxG>4D(X& zb);WeiMa8Wh(9}$^l3$>4V%F`CGDlGxJ3__J*YrocR{dXjT`Vm9QCi4&d-k?6vH)N z#xx5RFUSkl|9I;&NAJoVq}a2wZwiI0Z@^c0L{A@LXfB_c{A;!-wVz^1CH2fh4Rs4wX|@tq9$$x1mF~xRx_K z!5#H1K89a}t>u>7U_jJQe)@LPlB%*&Du z5)CUo3=%D)fC{ch^Np(<>Lb}2$*6GI0WcVSPC=#zGf?<}PTA0bxN){gr)aJrgrH8w zlN0Y={N~_WfK_oSV9jH}wKL@^Q@HQ;M6CZwd%1^}Pi^cl-pYwv z)toqH`txh}y+ircM^3BPFK)Ew4}?;0$nA>fUccfAjhE$T2lv5>ttTSvmd>-ZnPl3X z?}Yaq8SDaVL-XCVw_&!>Bw>=dNSpi9D?X2fLDOTXjON)YF`Y4D(TA7UU4eI^^#0ft zYwmwHa)y>TlDY5(D6%4I1MZrFN1gViC{R@n#ABRrey8#nlsN7m=G7scWG3n*T6R3o zgZ>cf^8pzsed0>WA~(|50z^Vz{jPt`c2|6v>`+xDfEBpfVt->F*Yx=$&EG3_|3+#?(d-zNwgrVG!QYMZ7PLn1;#E!5#g z=*YL5y^>J`kH`LLBqi&IQ?r7r++)9yz^g{K5lXrg;9Sbm^-;{5ov%&URJxX1A)>|B zG0irE+GC6L$@z{3XAuyM(~g}k0T&(lZl32bTON`y8@ze<>l9O*;o`kzz6bQu+rA@S zJ|ncTp&`k&Qt`PP*EW#{220}i>$3lbmAsa$t~>G-JkLjJWbArKsMoEIuX3Dy;P`+J z@4f0`N3)uBZ=$C2Z%q*NN|l*4pB1`XJZ<9ZQsTd_gTLCm+CDd}lQm)w)Y!&zsoIbb z)ca9G-=mSWtO0M5Q}fE{xH7nhd?13Lo^lvix7@D>S2TP(zxiLn1Y4a~-tosmT(;k^ zn&#>)zYKkx@(5+U>QGN!`0n|sZLDv-qLx>wPk2ge4f}Gmej7*1jqHFH$MlYDy<;;P zKv3}%ZK&77qRJRJ0eTW?NlW5UUbX%Ep)O0Lzs0j~itkoL*&HqL*z$7N1=}m&y5RZO zs`o|6-LoUrZ&*&j^sQ9RT)`E-RpAZ+U4D_`MNm;|+C+}t9qf{3BT|9FHvkzXrNC6d#<(b#T1e&jLnpA*FC4-SJaC-UHSvuD^GGP8+kA>Qw<9E%mE z2%B^ulUrOa1{_LXw(HB+X7`_fWy1Ao!jMvb^V1BTkf0h$D`Z_cIFZU|Mi1PxyWsc; z3t0K!j;aF7pHf>{vi$j^&p$i;;`QD5q!6f`tHk-Z>8K-u3{eBT9pm+*TN8Y45=<$Q9FmG(0`bv{cwM#De*rS$rp-(Tw?XKqh$XUBvoSe~l@icq{ zp?m<@R@#Tr|6)sV9ndzD1>F&kYVVW75J2Mf=Knl)y9E=vKEAuKK682>&(%`nRYp&d z#vpTeyWDr{R)=xyjsid(kOJCsg2)a&N(1ow!L=ZorTPzk#TCEZP^{}J=)JJlz!f66 z{@UBffSpD|a>7EK)UeZpI~RL1*h2DPyUY*iI)X3W$Opg@6O&A~h^qv_4|^jEwkEHv zLOnw=z|NM#^&Q0>sq>lZoZX>*5Kwp5?t<+PFW1o%NPRy(Ju)59WZhiLI<_ec1kwrV zMScWPp0JD5eJaDcaRS}o{{jYN6ssdSFTwx!>xp1_7?bHS5>EOO|c>V zw1}MaK`TKDF;?oRSH7X-Q%bRcc3JyX;T<%j_%a*$#NNl6(nR7qrqWkEr=yqM2YTIq4*LD!(6Al{HGSZ^ z-(=y2c$|!-CME8>6^91iSMD)!m6{R^wEgn1dU{liO=$7%mi!9sh~e&xcTdx`6|Op; 
zG!zH!{-;nJxN9=4Xuk&y;1q=)pN-rgk82$x%B+!#@v_*T6)8e;j`9-D3wlo2eRC|+!B|Aw2((d`gp@GA4kGuA8 zuu?G2{*ve|#Vg+#62QSj(=|WqTgVOta zX9hyHn<$i$jH=3TR4W}mIW1EiWD$xy_i)&Gt&u+JC1re7NM=(7jDm`o%B7-;?Z5zq zPL!yOdgeU$cZ)_qxlzUDlA3$bxP%y}{>_5DkL=44sSYk@eE|d^c;4r)evWsNf+L=f0 zA80B$?n~_mp}Z)TNU$f5i&f5?06~Jy&t|hR`EythZ9g#u%6}d{kcdS3viv+bVyHXX zQNtNgb8X1&JH931dY0Y`Z>Tdgq6N8|z1H zkCCf)9#)1yni_uXO#@cVmtkYe9_4Omi+81|@KE2r!_xQFff!!N+9cTEjiz^ARwG6B zw!SH{D|M5%#J;ueL|2J5GQM;|>GYjt_kGdS>Z?3sW<2_m`0NVVmV4Q#fd=4@N0*^_ zoVlBAY*!2DQN@09ift~O!W%@0SHmRV!wmaHo!k2Ie^h;CRGrHbCGM^v5HvW!g1Zx( zgS)%COK=PB?(XgoAh^4`1wFXSoZLI}a_0}M_0g=h>Z;u(y9f5s9&B76%DR^O0vP+) zRXAZdsahe?e6uP|z5({fsbfBVahf6Uu~et)em@kV+_^OP_l^^XgRe8dFQs7nEiB_lrLAzs0!jE z(;v`P|9XRbpUfj@cY!oj1s(CTsOn4wA#G8Qrb#PtR_g#wF3b>l8=r3G0c}M;hfWs%=D7GR?EihK=t-y0MQ$fnHg~i%+I3jLT`+xeKUT zzTPshwkz=}XRjCM#q77yX(t6u9>Qb_aFw^?G4-*1d?BTUf4BRuBG`#MwODhgMVf1@_Y1=X;X(1U| zKbOTc^9`Uz{eb6H)q$B0nO}v?46(ovMC&JwfFjeym<4hue|QsrTEW_8;W82aGnM(V z=8h`V{iaNi&$Tmxa8maHuZnWQw-pe-x$VG)uhy9U)fLuGbE+__eag`xHP5ZhidD?0 z{E}zc;>VDRp-9t5%({8zOEMiX3>MMa*mRho@wzR(2%%c4cv75*{;9sV1vkQAIgzI0 z|C=ZfGTCIs`c_q^Ji-m1E%Kb)cSvVUv;1*uw$qYWBVfRc3O7^Br}On@G#c^|s*}jb zlwSiTlgo7JoP-RXj$v}Vox1U%M*YTRK@$uM16gxM3>Hc;PDL+k^t?s1_1NHnwhZx= z=Qu%kWloWm(+F&6Y!IcGyKD1}z4_|1BZulb)m@h4?A1a?o{93y=q+}S1TybFPj_Yv zzm2Ftb$`986(*Y-Kh^D*mrqL4g~)zHAdkjMt}{w(m&W-%F9F|tO$b+Wn8cUN>J4Kp zIh_5dQ45VT;Li=ea_>mUu`pXWUdS|hv@@60fNOUM07#Qhp!=DD(ot3gltlL^9Y{bn z7^l#9*e&Uqj=nwziOr9}e+m3BRNz0s5xWhXP>>uDgXCa4!>n2uH%io3*#ZYDa&vkE zjxL)9yHMBv7cO3@B#N8+h0nV)GP+WF04CgVrq-EY(Smr_x_$9OyqD&E-ZVkmMutd- z?jk?i>*7vD>aJauj;nDrMRVBz>8gMM>knNNkMd~JwEas_?fnfQ2;6f0c^y6YvRun8 zXqIA;3-I`R<)}2E&DbU%QCIk^M%9=ryGo=5ovm-DGdR&@UX1do)0t88EaB<+tSrb; zS`%VM`NvUOWKMuROlo2eGFM6o(4!FiM)vZ-?ulV^cD;monSZSo;VHTGnbDPYV|>EB zrt=Xi9E)R|0a6#V8eD|kjNCvo&ukTBu0#u3H-ie2dXO_t4OMZg$YC#2vgZwG$9 zFPqkOr;aJj93F8fQa;K2BY#?>=DYHUavk1ebO0pA#V>AWu~ybiBg@vZYXEhbOLJx7 zd|#37Tj}t6?qXxeRUS?|L6x3VuCo-%OCBMzW()bOXu!HnJ6zHjCNju-4`*U647bpT 
zeA;(SN{i77jk;HbKevfZo7eBJOnL|y+NG){NOpxM{rGoIeEyB10mH7?$RJA$h0od) z3&$qK@~!b4qkxHujG%MgJgs$owu$lV+^L1&c6|2nq{mLuO`VXwCJ|Bu&{pTSN|5M@ zQa4Nu;}3Zd>i3$T$h3)4bZ0@;0iLVVXTR6iq!LlNkcH1!%JDM>807BXx5x`edqz5n zb2{~2RjpTc+_;tpG5;XQgXNL=prK97YNO*mshfD`JKy?KWUABDVnYF#*>N?-zT~@J z^!|KS%emL#v>7-u>y%h+*%^*$U%H7N+%kLX37@wqb#Qc#A<~^p{L~pZ1%!6Tp@V3Z zx}zm(8ZjSe8N#)y4{M=v>j-Vx-Jue^@%-x=5npTaVR)>1;vM1kYsnvA!>~6!x*uA= znu>$qY?Wxho2KU?--unjUF<8hV6NfStZ%eo(;5}c+jIdWN*attJQ4ttlGgk^4B-8=N}w_SSXujpFzF+mP28*lPZ zZdnz#g%8h9d$_C`J~w;JKXTSYKZ!A(rqd5ep$Y0R%f%!U`*%R0?~w-*SFZ$u_&j@X z^hs3HeX?rl;1wxirw;ciHlR|;L`D7KuKptIXm4vlohxl<_XJmnXDajz@;;W@-#=b z)};E&(0Q`DURld^&Dx4J&!puP;+xN!!|e7^4W@^f{*w%oC#s1+gMM-&k+mh2>Q8dT z;j3fMfaM3xot*5_PT0rqtGiXu+cfZ7%WJS_X%WP#S@6dZj#ue%M{%7{v8UwMpFQD8 zm!;5#b%eg%#qo@K^GB<7eA{PM4n$0{j?;QGR}41J_;S_X3qBueH2K#bEx(?0O1`OF zC+<#}lSY$cisL{Zm{mAUrm0A)r~tukY+R-mg@Q!ErQ{C0U;OliQ5Yyq5o{xFaYQZP z0ya15VHS8x3;fEp1WO{=Ji}#p?v4EtvGBl~^3q>9S;p%VFeI}8Cr=`^6oiydDfhNb zr~NaPs)qZX@O>ovX1TPK7*cKcJL>$Wkd1+N$M)*E$hpRR)eX-_Q|FwV6z~`%B>`X7 zj*MflTTHI`?M+tKhe~$SPxl_L;9az50k4Pp<$?rCxOtlPZ|l+YT3LWKhSaKiDYQ;q zW;tLou}3%5^fP(j2E(X7T_x#6UEYvdf(YV3IZJ%RvCL_Rz0wz)DoiL5;D5paW;Q3U zalo?s{El~;GVbK0G>cU_`b}$~$XSfMqAZ-7k6d4nuovMz^gMl`M zNey;f_R0d_K|9l2=1M}s4B}VV6wH8t(ML}m_R@gyMBiHO1YJ7HGQ4G3)W@=@-)grl z$|hm)@}-wVaA6Bic?_(3t3r|7mM3tP0Z zIK;hzC5y%afR#X4@+(=vSc&F}&~4V_0k4_6{%k2V?S*m)F0!iKRsD;bl7GAE&|+H< zP>uyYwJ}^)si|b*ZcS;sOa>;uh(|hJdy>z(-Kjbj{LYuog{tVjd~WS^6;Np5;~zo? 
z)DLHt;m=075G^ees~mh9l1o&`(xfiP`r3S${3dOClXOy^L9DEDJp1U;X+b!}nm9g% zLNVJI0H60s`oJ6(Q-nK(c%>(B3WZ(-Cq%y~ru~OMq@R!tRe((Y4l}Z2_m}~ItKbCG z`mg?dQ(9O+q1aUB{^l-T%$#@DQfifC5o5KkjNDuPF>yav%Wr2M7}eAO^8eO ztRbInl?o0=v~#?$R+XhA*IX6~_R6PkZAKsWGUFx-m{I&UbY5GkSu7OMhSXQSKk4UU zjya|3_z&I0xif=K+7WrEGy{o|hZk8+ukFxPOB^N=gCh(sG93~vKW(pom4o;}DX7)o z`;o7|`RGj?kY+Z&BOeoK`cCB&1&8{OlB0ozyC3l+Q@T9ih$leX>A<)hXWrg0N@(vT zC!wjBf+R6RcaAcvVq^Igg71g-{TZFiT|()}x-8br6ZVV_J4|`64G-J{e+x{&S#vUg9<)J;27@I<0; zJ^4&ckXY?itBw@1=U9!WWhH;jNQYU>obgSa4J3S3RD>2XAn8)0+upq;8NCHs4|Q_@6!G__z&V{x@e zGRX2R1)%dawMtPMEz^Kmt~iC5s~>8bnj%ovK3;j+1oEhnlR;f637&Q)N6+{mSu_dC z9;>BF5G^zBZ*cH1x=EJlv5HG{gqzD(+WI-lMoOBnfnb`+bV`Gde2;T2^8sMM@T=}u z_F+tAy;urV&%A{b=Jic}J=$I8MNi*it{mf&x#Z1ca z_jvHpH$#Vj;0b}k20)8qr7Dnq>{#GHeMhLS5i>O`co743k_KN(N*z9)Aq!&aJF!p9?v3sqndsiv{4Q6y(Qw~2}( zxuqy7@7J6IWm;db3G#Rf!m%da+>g{Td60IKm&x6ru&tsQq(#5;>3*$_kZJsqBQL#u zu#Hv?+23|V^Cv&BBE6Uy6z;D@0pPhAPt!L!t(D6P}-E1i239rqV3*>4`TE^h8;`*6rGlXs5UG3M4nk zl}$LyXb@{6OPanZIp+im+TO79Ol6Nu>NYDp^Op%*D~pJB@pvO$RdC33j&gpRB;e)WU740NbjuiPCx9N^uTd zCVjO>BpbfuhLh28oggxPo;*t*8a&fC#f*`1!*z&Ycz@@bgC&`0isPnYs=i&MG=|y7rd9G#j!Jr z@pyovx#XNOJTN7$gou`nyl~byAB2Au6}aTsEVNN&Bo^3M$epbx+aqz*iG{ii^gCh| zF`^xk`XdsQbF*QLQ$rB5kmMw&N%8-4k4>0MiY(exW|MRuEdFd^_K?6LMJd^6gAHp# zLBT4+3Zc+o>2Z*G9f8g_kp3E2ev2K~r|tZ;oW}v&-rwG9eF`;V=F^_1yNuxU{|m8~ElPaVIXE z>;$s9N+FE#C5yn}dj?Z*;>!#Xe#Fhx?DM&~X`XTz(Rh;TYk#iBBvx;eEeVgh*kYAf z7H^={Ks7;to(i_?YSOCX^MNAiZmvZGn55AZfG7j?l?*pMqB`}Wda__}WHmm($BO$y z3g?ICO+G89rq~e03@@JG~!Hp4;l1nOD?&aG}639EcDKz zz~8J4aV1o{(6n*T1<#0vDpm>;{uMv!L=~*Vhgfxq^Hl#jyC-q2r!AkfMXM8By}ELO zgC}w8m8z61J-R*svQth2Qy5M$h`wXHv4&)(qB}ia2VYe^o>*_WjG_N>^RW#qR7u!8 zWp?p^E1Q~9*FH?E{PE`1EU#%wIa4(>>LjYu37BCIT_-$c%gOXoo~G?Sj=PGyk%`*h zmZwHjz^ws2urXCF?~c;s+>A*3x)W31$e-M3LZsvB+|-Gu;7!SYb0Bbt<>r_PrhNr* z+%C9yH!IpkO*$iU80MrXQjktcx}Jb`WHUnZV@7nK4y%f%zsM-V76Yf4N0QwjRZEx?>y5`C< zu*6PREX#*>}7144J|4^A0Y z!z1XK;hTvPP^JRvzUcf@>sLIadE}DHlzdv2lQ^6CLMV(;6dN&=wg><707$gOCqq`c 
z6l2wp(RJ@`g1RgPnpX?`sPDUZ_;Otgjg{tAp0RmQdkk2@z@xTxtm(6&Yo~VVyj2oPS@)+H{zRKYjojo z0$g%^p~Ck&H6H$}e4<|f>CM|{mlZ}p3!qb;44;pc+pNq~ho888#( z&u)rl7V}*{@8+0_x~Q8W-{IFqz+2uR`|LVRzi-jR!V`JGR9&h)r@b(-QCdp#V=$h^ z4W$i7a{*@qc>eQ~m6e6rdxNnoUE8ffn}-2yxzyCwmK^0 z3ms#kLBSnibKBncgPY4M9SN%RaJHglop+DDX!&>T?n;oJViKbL)d<%CbsE zQ$7Q}51R7BiMP`t>Z0o-y&u$VmKyYb*@!OXGY?M(H#}@Kk+#U{pMKT1ykh?gS^at~Q3@T{nf9blKGb+h# z29})b@h;{S@;6h67VbKrtK8{6#&;H3{myz8h8Cx=b=B17w?aH(+<#VRCnio15c{nX zLSIr)&@Rh0Mp6F_SAL+GpVCQyZw*arD4l1sW?8FcK;O5^xH$ zpHd;I(UlATBGlNr$};Kh^0K%qSyJ+8A1H;18P&K->{@TA%YX~R3FZv}0DT0+*^fRlT;)qj$49@ zWVRh`)b3TGe$(tJ^-hgytc7Tb)S7*D+GTDl&a`ovuk;)*4+hjhkxvS-Kda5xR|9!F z@0vvfG6!3Wk7u5W19?r2c)mdapMc}&Gzs0jYiIN0nqQS0)vU*} z`7@g4$63?!Col@TYwsG1C>YZ!Xts zJ4ipNRCvvHE^gp!5ZEdqZkz#l(rlIVv5bh%Wx_;Ar-n1wS3 zJR)-C7OMI(jO7@wo#uh-i$4uB|E;X`aQwEQl4r81946^re1KN=+QJ!lQ-F+umbBd^?cz#aE%kItwSeJG@%}~7FOc-Ex zWKT*Dl_JWk8mN$WG6vnwSyYPED8g%2ZBuoitW*1XcOj`0P>iwC8qWUD^sYE0%4jOo zevA8y@CO#1&Ej#JFfRYFoD++i&u&*%FwkhZ4O^x{zh zL{zjFjS-nip$Djs87PcJ2q`vG_<(rM=Hcj7k~(d~xO-sf>CA2P*%6Ww(lzUnZx>$= zcGZ}8Rkt5%nUAr#FMJel-x5Pj>(J`LL2si)Qk$I(sr`zg_@_Ry5KAF7CSB~8PnQMv zc7B0fy=$k+PeQWF5tVSg2=NZW|uurWE{!mH6$>x2g1e;3%qiEC4-)XW8XHF%l) z4qL`2jsh0ja2(|m*y;55a&k+?gHMkeF>0sgjE2BKt%5r^>LQ3w0k}mIm=$f^>nA{1 z&n*76mq#ZPlwX&8+HO)EHuu9$Y}$4yB>sI?SzC<4P$77v9Aj`j`a}CWOql-gSs>b_ z4n0w2gd|wREIYMrlP*YW^q$dQ*ce{S3BYWWU7 z2M|Ohm36eL(D~fuvR{ypjV|>y=Bm3}lycCSYMx9S@-P>|GEtWE(rZ62u1r0C^k2Wl z{w?n6w}V8k%ceb?Od{E3l@-SzoZy9*w>Jt$o~>m_Zyq+zkc;_zOvg%U;nl$o#FmunRLGjq0;2a zSQ|8lW1NEGnYHU9akqIf6>k#{J_489MwZU;PtZqSu+mjy&7OH1_?B0y4evOftv(q4 z4E!*?uZ*&E31jRmy*TDHJ^{P%T+CL9q9EGn!=uy6o0xp2&KsgWILd(CgnR3qes<8= zI5-{*MAFXhPECLNwe0nN7Xo$Ek^LTuwXFq!e5FE?@y-#BPx;k>>xeg1l&WPZwhA#D z1#cES!I)n4bqp<2pH0p*g@mgQX&TQYaAIomg%~S6)V>wP6hJ4GREXa*BZDQL{<-RE zuE%r&E%QH;K$+7t!T4OoB|O5-366foz3Mag@>R;_TT>VPs078=eZ-{w3Bw;J9v%8v zH;tsiAM(y;(jdS0IBG7Ac+H{aAD%p>G`wjGu}Pyi@U>B0tXo8_t5%77L$84Q)bf%M zw$v#~Aa8qMQjH!|c$5Et9Zgr^!R|L;+Y|hHnPOC7T{zU2J5!czZT(AVF+#b}ZfC!f 
zI&I3F^1Wha(S|5fUaCW856q}-j!C#6YMH0hF!#FM%RrlUO)%JKrHP~jlh>APMN#s&0P~IBP<9mvoQ|`d^%}bytS-eCq ziTz1kcU9py#AS)33XO=>1rn8^CfRa@bK_9C<+O(PsBztjSi?<{$-8ONBK>JPAde}X zK7ABzS&L1MEt#aQ6)ASyIM6DpI2SGe;R;KT{)k7th7^Y!kqz)ukh%_Dd$2py>Obk} zzZa9njX@3oP&i;Z+KeCO)#T`4Xo2MkP}acoyEuZyd|**l_k(^*K@`8u9Ly4Pj`YfS zKvLAt@#IHb4y2%HZnU@$ul$;pwI`8t0)utw8%Ib5*H|8u+O+D;J>9$T7-|W`dF>&h zTHgC#O4e}8R1Av?l1t~{K05BhV9?!X*Dkh#IETNu?stN3Kq6@;T0K~hpG)f8gWc@W zrc3jdGP9UcncS|F1)I#+en-_#o31LW<`I~x(ItYUVdAl&b;jBDKP}zqv}$u>5dP)4 z%yX#|9D2_z(vgh5!&@8k9Vy7EuVqY4$!gDnRmy;Z=G%D(bv%nbU+eQhwtd+c z?J9SRzLMQx1#P6xqyjLuQrCe_;DPyZ%efQpRIN36qSvos4)?h;I#It?3VEFw*D5lT z)_%JvH+C86$sx#w&n18HWOdvTI%q~k!0*FPRYf?M->4q?$Xf{Cy_RlZ4NTZyXCl2i zUhUXCeY#V5?~-Qy2+r&W*G+5USv{AX#&tm9*|~|?Q}x9F`3SSSHjrJ#QO6pP$YA6L zz5MKzRSTl{PkK=PAkiUXxEUMHDa`VpKwij7lL^CfRT?Oe2j8eP{S#fDTdGF9iQ@ca zNHTIAa`x;18f_KFkYg+9$pO9Pl?Y5UUx`ZDqd<@;%*5AjN5$y@L1|q(NFR&ERrN5Q zpo9zVJXU1wGyD!T=>vy$^uk#~Nc8oM87SM0kJO{#PayLD zvpO4bmS$xM+n(ER)bV0d-8`@-NL`?V`WD!hgyGMP!Qo(+5vvgJ=v1<59BN~=LeTlh zE5#TGSph_a)jpBaoiIxv_z*yStjef-SY4HyqENWFJPDkweyXz^UkdOViKpR1Z196c zUT=b{q~GNwUc~qEUEE$4R#sdM#Ft!#q0!`}g>h^1;XbCi2bfV`_?E5K-^Hw&!eA8a zefXj{VUkEGdCP;P?&#bw)$t4um4(N7is^{s z*HH1vahtb`X_Qx1)kGU%8fS&I*#RiKmt)X8Hq@Y2-=08)Zln%*)NMdreXpNFPWTZu zinf_xdj3Cggafma<11iUd45N9CMOm9Vjy$WvSCtFl+{@Vua11KylMM3m-+J@3QJoJ zcd+Ah$Y_A+#1D41s(XkxIsZ5vma^WeoeC7eW=bGGYEX0S5g9=|JQEv707n)v;L5(Z z>6N=jKij68sRfpM^;(tJP3F#jSJ_+MlW|e^`1&~B6FNo3e;w~Cby4^8X|G1&r)vHP z%OLGUY2_mkCtJH2g9AoyinYXCP2qEk&kP|D#WfGEY;-P8>~9$=u<T7rNT>b13+L*tpWge8!JAY$`vlG2@`pQ5TdDknP1qfjiD1ui56mQ~gRHD^h&84q zS64@69Rz^={c9z6&b*OPbY&gclB=D_(15YcnsI~p6RzJp!w^Z>Uc08Ei9ucYp?Xmz z|Be1GTPy3lX)C)Y+}Ebaw30A+CNW1_RXThSj8%tq>dsNqBi}588mY&TQ{(f?Q^fwl z(LLiJ)jBiZ&tZ{yA)d>#$xCZoR{QoyGXs7EViHZ(frfj@M3n;iQhcTtZ@=EtaV5R8A=ipJ(Ne0(QRDSWvr>%%loF(XyM@B!&48c)EF$FWN zw;?owBX~}PnyTemuLmKvSQ^VbCP6UcqQz+pJGAIO^?Ht?nxKDxC~LMexmdmI@MdJa zs=^F1^vEHQtXV=$I`xraKTqN|&id{zU8qyG>|f3(hAXqP-U90)jc0iBkxQ$iSi1w? 
zBkJU1z5B)U^`qMR?XBe_z1*`Z>Rrn==uL(0gA2f`t_d?&NARpZZ+1tpYJZhB<8OcP zMW`aL!H#W(c5e}@<`p(7C zfn8)bTZz>ZHtL5P2Iz;G`!46RkDRCcvK3bSyMq;5p$T;<{qa4vk#WPbqGLQ%c`S0l z2gjW6QVuuhwd)qEN>~C)vX4B8icuvQ4kG&rm^8&y6SzJpzbX(wk7Q7-G3q2hmov9E zOJh8mp2sX7gpLgV_1ERDs&MWHzU=JhN^yz^C!1-(b8vf%%k973*_-j-*sNi43b|>F z-Wv{9hUXsTj_M_H{}OIh#!p!}`1CGlL(@ISzTu-e@@^CTrLL7DSy=NP^>xCNNuhLP!O&vt|<1wF7Kd(Y6xl`jl+xK6=-F!7aKP1<+ikl%(8bg2m z@z+=iw^U{i4;yGPAnT8ieC!q31(5LUgb|SNRPKAW8OLjsZV;ioTgw(rhU6C`vb-*e zy78;UBb!Cr=1^>BJMj7VN2ouvycKUv;!k#jNrEj`DJg?!bzf$&f77oIi2rgaw^oGw z6dS>|ml7iam^8`c3wmXdFj%FVDnMk)$FHwEBb_&H!Chyagr}K6-x@rk)7R&i|^s zUIlEWL>=mar==h>9YSHarrnfsqTNWvbE3`6lUD;lZzBdcQQ8*5w;td>Y=cpzmVL!L zly`YLQ0H31PwCa|^w>wR!5w}lGiaZ0D(#8(%|*> zEI($M!yUxeK%UOOKDt5g^t~)hmW|{=-hH%4&%Dd(5N_aj7BFjX65q_kl;eA_eu}wA|m+mP*>&2v%W^ovgDG{CYjT8_Z{Pw1CNA}#Uo>)FD;5u zPMjs$j&AEs$;b%Aqa)&T;+b#xkCLp)P32EpDA*X`OGWH7p3cx=xy~x+`yg7TLDwCp z1q&Dvl60-E%;N)f3tQzM&D5<`_k+_ylN__Nc+^ zBRzp3UYFI!J!6UI(banaEOzT1$R#l~)yfO#>7xDN8vBRc+ntil*-yT#WWUwbl(TqX zx7w+0h|pInn`EH90vod@4bK$Ek6d*}QjAe$)JavWTyqE%-*viGLRReNw3!myq}RPs z!N-bE3{hkm10{(i@=0-&2Mn_M=|=XU;zRU%M1Fb`7Ko<(Lcvy!DuMcok+^#vB9bJ* z-mYXQKdg{2_ryeIdQ7?QW*ON*;LX>m3(t%w&184>1WO(lbAu_QApGc1Fx}=SLQ;7J zQ+CBJ76TGgrrZctu^}5fs4j~hUL4f2XQ33eSc9}Avf`SJuelW_Q;?Mn)Bed~b@g6` zV;7dt_OPlCJ@EbY()Kxe^quN`w~ryYIJX=qw^)k`COUc7alOV6*bV;N!a zmlv*vkrcFsTws5IS}js}NRnf>`v1te_~aj~bBMncF~A~#^d^?b?kqI3G9mD>%Mk-I zUc{cmD|Ytnc5NVIbOXF^G~Tl{WE=aqgnbJv#r(_W?3c4>5b0l6H`cMM&L@|h+OA|; z>`t5MYCl$n9zS$?X5hbCfvI<#sHtiAgCI+G`#FbhjtRmhlMY`>Asa3IeCCG=^6R6g zihvZM*re;cA#Xxvz&>JY`@X+1`QA8{pua-Favmrpv@R=zsb5CJW%XY!H$%y(0WANp z2M6g~g1i(VmMS2_;qis@W?Q^HSbylC16Y4U5^xYz=URaN@Jx1I(I%7>MagcOji0nh z(>gsI!KSFBQAP|p@6k!A9CZ6)o`5oFo3d_~aUe6jBf{&Q407 z|JgvDe(?hUiBeBcqmEH3-vS(ZvixCOLjW#nx6l3Q{P2nCtLK2G zG8~}p_?6^-G~k!>L&@uy3GF>cd!H(Y4|DOp9ZsR7kdCy+%ILHqinPO5#r1z?BVl7w z)+jSj5IZ(kN{el+xA>_LGH7jVKFfN`F3_>|LbTTnN0|=8z8`_={6y6~#+dIu!Xky+ zkQX&SCcX8z>0fp+@!XO~q0N+5Np2B9sM$+J@3Bog`o1E3VOfo1d}+Y~;ES%4jsLS_ 
zM(^tGMo2&$bn5Coj2a4zIhei;%O{nHo%tv6Ox|ctNVYc}+;(9=x6OtX_r;Br$>NP) zpLjJ8r@xsFy+A1QX!HJ z^ijnFGL=Y&rSxDp^H#=Bod0*Ke3U59O5O%KbY`~Ovvs;3UzV@8G*)A8qiz7$8@a5X z#bf05?`5qYvuxbg?7inVJpIeN#EcW=CCxZYm==%QJ`7Ze@2Vy;6FQY;sc<4Ko<*iF zo;3Xd00ORm#^aFF{?B-({*33IX$zvZr6ydQzz`N3`5|BB`Kr)FJp zd<}INj_j0jF!>%XOUimP?%Yb`j353Pg?WheE-vA|*TaaMGBSDZ9K=F!odHLdsC)2! zm*n}B(I?z=D64Dq4h{fVqvzau>m$VXKe@EqX%VIl3S0pkjR z{L`-af7E&bA`38KwqvLipQ0e(!zp+ySQ!&3rJFjkVsfk8T}wmFH?=D3Y&?oMH1Bpk z25LC9=VbJ`^_vp?#at5bD5*_S$Mq(L_5ADM$;paNP=_GYb}1%Z=G)oFmnuCMO#Xk4 z>Bljfo#I9r6cg9Bg8{Y=V^HX`4kaIANYxUanJYvS>qUn}<&*I2NC|pQDGdH@9Ye}1 z8~W_~f{66UwrOVXqNihJ{Z}6N?n3X*Qo`ojZ5D!Y!z?R~w84g7%uTT<3#L9?Cr`GE zYuX3;9c0o!Z}-n-=fWp=6J$?>yQ6Kkxc*ocCcDf(mPHYAv5gQx%Mu@9t;(9%4jB*z zZt5p$oKV9P5OBw_?;evRp#A|xi-<(*Z&;k)ZuQrJSD5Et*7zk1g@=(MnS7 zH!dPyHas2(<@a|KEii3%Ts3v2+?9_n&ZFf#a;=paqP~lj#K`_J$jD}a2uG9oLZEDR z@W>hrZ~sKIM^U7zclCw~=uvl^TFGCDaPbH>@1Oqs^>4J8Xv$h8@4ZqzETInm+b) zpt&rjzFn4W@cgpzI3%a3%r6Se_gzv+vn)wFRXXr2fj(|wzedl>nf-&F^9i=$pRV2f z7jE?u$o6=%iGk`Ch#(k>6Gmm?u11$Kk`Hdq0)czhFFy1i2U7GEoBQPZ!XEF)c0^vr zg{au0(agrLB;asT-{_Sui!pI^^o{DXX$t{A!Z&`DWE1&Q!C`!0|9Q#YPGg(&D&KF% z3$Y$2vUfFYV(M~17)90@>8EO~6OTaG!#_)-Bp~4C`o^=7>C6iU2ZuUA>1LON-M1yC zE&J^Lx%jn1kERD^Z;?uB5I#NnV(Tw3LWQ#?%y_SKw*ze#IK*}YRN(MfOV}UK0FPco zCW)?-{_mWzwi_R>-K_a~Ew4e}+)Y}oXLJ-;!0g&De%eA)t#m|Y3xf-FpI2wrP&bv>Jn1steF9L*^*vz(phpH5}X zx5x@OiqBM5i}Ij^!a?+pJ6?fUhoEoS#Qo~Bh$Rq+IE4~pZs)ktg;d{>pxyWMx}V^v z|Kp{lnx^P~+)Tp~=k!9CMC*b}NEr*mpLGaC3UQbf3sp$QweCEmn2Vs4+e~##UlA#X z^&??WD&zSH(N1^acJ^A`{r(~+-a>Z6_Rk=KxrJ;&+>fhXfg1;)Z`nD`>THMsnhrSq zsYows^y|uZVBZMkuW~onK$ZX7cH+N5)SLejO554auD;mH*#23uHF#Z-7P*6F87q+a zd0ah;0{Z=Q&~7N7z2mQLz!@R{Q#DW9F!&tOv2-3>UhVzcbtOVSu=0RlKlFpxlEoWO zQyS=y^ucLXTH=T53mfR$=}&+vtwyLl$x>z>1IGAeL%v3;PxdkWsF~0Bzl_67YbNEO zWvCS6^a3DZcKJ9^xVp2S4}-3rsa0Z4a}qe~66Sn2-Z!Kexfz_k9b|ugKVDOrf)0WR zX+r%Ur)5%R@76%NsNnFvO1fha3y|0yxAr8E0M!0}Mvj3rfNh`dVIkq`$hH)z!`zlq z-Ll6?=qM9?@UDZw=)KeE*~XerYOE*4YPn>ShwIMsXp}JYEdFD1A2b5zh;zey;AyVP 
z=Q*%>PLl?!U+06j)+w%mbs4!ERVTyl<&s`DSqXUI(t&NU9GrH!&q&%@b}KfG)}-_t z>u)nlMLYh^yn%=dY=MZ{t3TO>VzfSJCDacw&?KpL$+PdbQh#Oofe7Af_Ma#feFL6# zPqRq_07W+t(GW&_tJg?p6?Afsk|-2o{J~o`RfqvZ&ANf=`ao1vui}xL6-zsE-o`L( z$;kqli(lC>o^37!8PIU8T8_3Ga){8cpU;iMdpgWV=ztc=d7G zD`oSFduqb{cE~vlq7`n@DtRK{ZT@8!T$1a1xR1%=y~Q*?TyT{_KbnSu{M9EksV(e{KgARe5E{ zf$-|grT!IMDBtnVX40$?v$W|EM$!wIIf1?*!hOs%9$;)q0lAj~_e-_7s9IY~3AeuE z2a5ft7NNy__P4*SOg`vz!P&s+nlYC$$sK^D4HLAXL&De}mCB^p|03@-`KJR5EmEr{ zJ;L-a0!voly(WloY?@gK?!Dzdi~*mM!P9H>)X_~U#_9^T1Y6;}7KI4)>;JP^^s82& z&8lDivst5@5*q_Nsbut&ipwQQks_kH=H*gW9HFacRaQwSUF$~RE)3h~QU7XLL)`5a z=xYue@LqdFv?xshyR|E?ZE>C|H8p=DmPncbDGp<)>+h7J>Q_HwTSx>rZ2mgdqSx65 zzdS4uu#e>GRB<69cNOyHzz1$ddVUt4l9gQ%YqaurarS<3vHtX}!)a$9H#2wJ$&Dk+ zRj#aMNnLrN_3(MS;f(0X`(Ee+Ne=WZyqRosH%rqn$q%$Ch`{eSXiyDiWG%Yb_&6%c z6L~G+MsUUCqYm9Ph`#YEwU)S1XjA`@n_g=OkletVCG??_NV`pmkJ<9Q?NY{w(T*q5 zlR(!m@&7}V7;GfWzHz)e*!yG}DbEzGDq7I>D|Pog1-;Hl@f zR=qg*DfZ>j-jhrBA&U3nN~f(_H~pX*m>oX*hs3o;=(OL&)5M{`05u}emp^QLb5DvV ztQy0XuwT*L_Yp$&J^2?o-jV6Rz4QyUFWOb#>7`$3A@r=M=MTdZr7F6VqxjN*5XJHd zeR0;+n6swz31Oi(Z|#yI|F0qMZ9|hl0_jY9{?E<~r5IbOW2)IuMs*&v?Je9HSsl9b z5onQIhiA7d*XF-*Uurk)Q8|hgA2a>{w|GCy+$(6fLuML;AZ2RcpmU&oeTz05vh7i(g)0|x{LJnGYZS6u9MZ1yeiOrfB1{jD44$%vrI+fs@{6$YS; zvT|X4*)98fv4c`Fzb>j!HuLLqD(>y3tX;`)_W2vD8=@~=7E0se?j((b*9no4?p3s{#@DzuD!cfuOx5)o2= zQ4HK%$RIT4|CAa4N@T>4x>)gIK{E=1Lj{5;2j*YaTPPg_kf*Q4FI#-*rqeNd1JGdv zF|5g+{Pq?dE_WV}x_jd)aO8#5O$S-EC~x(}FGxE?|1qyH485922bVaNCp}xDZV@0Y z9>pv3K(PZq>K!Y1{G4$aE>0&Ar}UtI#9$yUb_%xr4l(uIF7&{r$f_zTk-P^lk5;)LF!UMYBVF0u8x?D7kAWKLs0*0qImwu~d)|)*xM06FQT^T@pzmWc{Bi1*eA6 z$nEALHU$)Mfk8x`j)kx0XBnSB2U`R-<;T#H{xE;H(8 zHgfSyhu{)PiKoiZ!*%-m1M%w5FHvN}rlC_5ng6&j{ zACI=8i}-H;3QxajV{DE2&n-K2hwxLB4(6l2t%iD#3x!p@6ww?G@3&;Po4Z-HDnU;a zBi%oP`FIM~$DA=(gM=Pz9Lh*19Il^gVxMXS1sMe$fuSP^J{6jnUIQ1-2pJwkwuB!1 zpUlF5&hZ+gZq~jy2M*FD-7S5k8aWDe**`dI8S!qR@C)7vH*rw|D_sJ zEq*yxNouDe#%!G3?ztL4$HhW@8@h|{=F`0a9*J=9>~PG#W})^+42f_c5*~)px6ven zpGY9$U!xz_jE2eyrnPVo#4sFxn*XQ!q*bFKQ1>LD?hR5eYINR?J9kY{TC3)QTF8_r 
z9ZAKJ^jHMLuL_ruKQRZ$LQ(nd#-vDHhv}p@-h}2`I!EZfFWOx2y>AjV@0@HVi2CgL zUWe>{<~uiwO7I=gcqG(pDBT8_K;`+bm2((4G`6)*$5x8tb3oP91(ePl?y zzQ4$QNAN@ois9`$GLkD^)&00?6e={7MIv;E1YcLYPtKHsT=R_%L*>DKK!n&W0zqeadfOVbeL*;N5$hM)0y8RZILvXzZ#frFcj>)}bVTI7?^#GTHl)!hhaC89- zrL#Cq*hHtXXTMF|@OR9&!Q(q|Q7hhI-^vcB%j$7)0zl+vY^Ohf#zKiq`j;IcCX+}? zC`qpf5%>M`#VBLfiBvfI4glawzmR!|t z7LKAGnX<`CuK8syVc%b>!!Mp!^s6nAnnl^wxqP{j_?ytcrRe&{W8jwEl~O4KSWqXJ z=tq8D^~&Hb^1c1eX5Mz2E3|{`e{X$+`fowkDZU_pKSws!{SUw={`DP!`0$Fyz#Y6% zu#R!vN&!V0OdRxQ{=XM)aqsj;Tp!B=qJ2A&IZVRPl5FW0(0ytQCcw_Ia;$jbgd8Q~ zjsI$+snuFr0{4}+!g1n9W?OLIeR8U#jB&s0j=hc*wdI+o$zm0C44C!#P@Y&q+`hKr zeX}l$fI`9;jL}r-^|qHftx7pQagYtml$K2;`I=x**pHn%D{7A(J`8+n5F zI?=b^3fmAZj0B6_u8%0a^cVcA!r>i3OOgMFs<#Y_qido?aUU$`5G;6bcY?cHg1fuB z4i?4h-QC?GI3Y;TGs$<)d2@fwJP$oo^{!P_YgO;=_Q!()grgVg(4<$8PUj+k zEU0_sf0g|CdT&7{?}L0#ioQl=0Hy*rnF(CRbQ99V!cSp;{;afG5yCMyeYjT-ErO1! z6tp8#fFK8D2J)(L5YdmE~?M&YfIhtm^9Y+p=Kp|E+$S zZbLEep@?@-Tn%B5ODcc0w}L~ADzUX>p6FU=o(zl%@3^pN1a5pKnmdl>D4Kby$FSE! z?k7d>rZT`tA)nd}9Ogk(q|8H!&FEKzz7Vl!0y&vU?(2AnO6w%`n}A#4{c* z)7e&m<8CNN%s?A-*3y~%-JdsWjJR3K_rXX~PF)+-kHttgjHeVeOD+Hsw7*MHX$9f2 z!zQR(0=XXy6x20`*mvQ24@K&Y+1d$@$j1=pf}L9~jQIhhTM>HrAHyy_2*Y5*v40F# z63?VJ(NHJTx{tpjEw$aAhrg3uhc8qpxfwe8?Y-oaavjRy?ZLR`=f9&dT{*y!-wyOA zlx|aI(>hpyIP0~5Xj6o)MrMa-n}(=9&1Hw#eK0I2+SM}{`C48A0gL@1WS#+u9fCK} zwJdLft^POHxuQoXMB7y%q$_2B1ob6`jhoA;Ra7x6s&@tKdd6~Ib2B<=lOFfmt-Q;D zRQng}41g+yYVp1`*5p0u$Ez- z9kr+YlNc7vNN;*-t%6OqBJs z^xNI07tS9YWpI_-t^wMhE)k2*;ihF9z-JvUfFG{qm0KR1A1?69O#^*MX}7I^YAim; z04ssc4SyuJ!8H+E=sgMKwc?+j{XbYVc!hO=qvQ7{I84T#|3_p>ug&Dx( zgziNiC0>yn*vRRf1(o+KM(GhAcvPc={KD8KcTr5&48A0GP5omQlrZ``&hk z{iXIUyv%|-^YSNj##y$@R%_v3D&Y1=OBF%9|2xTE;JQW_VO+&aM z_hrJjNPNvnq(Qtvv0ZbN&(-6g-S96Gi2s3O*=cVSeMVn#YV6xY3&e*9HcM z0SXExcq`k$kGGvBSvew+=SbZBkJ$-tlTA2^B)o8%4I{9d)jre>>PsoyS)A|~n&H>1` z%i-89Dc#)W9*Ibdul6q!&&DOcF~?&%VIF0kD-!zk&tezZgdKwyd*%o$5 z=`vhIb_$Bm(9H&S7?i$5P)HE(_2msi8|4Zu2j3y^{sk8Y9GvUZyUA=7)(6nE+QRc% z5yR$l!kcb5`kO=$Lioe(@2!lPy8WY#4EzQ{ICOobZ{M%Dv@zSHgoLZ85nMcE`{T%^ 
z@sSG>&BD&7{UQFT%xf3`A^#Z}5QH4mL}MR$k3Mg-N4~?F!N~8;ag7V>AzsaOk+wa6 zORmHyRGCmGqvMuqZauA7T|HsR@@clI6|d|W&l>3`ua5kTr=p3HZ*8c2x2+AZFehm? zoSDCD3ebu3y+)aNs}%?W-cjhr9(-5eo4S=6&c#PAE__HBG6BNz^_Ip<0FOze+ZLux zfvet`uIBI|(>=$9c_46|T80F{BoJ1MqZ0L5P(vDGGBY9U<~Hcd*X5nciTK)KooyR8 z>hK)2`r7x8{Aj~F?EmqFdj6c}vk8>n>=5hkmwZ!}0Ep^fMIeIZN5LF1E*<*jn;6T3 z#D%~nYgnD^k!GZ~gx-pCd~#%KT!Ld&rgGdb{DOo%IQJwmrf>3o(~WVWZwUUM%fr3Y zU2DN^Xi|)!MHYNN?m)&X zwy817|FE1D*-r{p0SSl4o8PC2Q8DnJTX}RqN7`O!;m^pvDLj3@eJdP ztY_4y0zI%^9HmW9(K*HPiNgOk`Vk{e+&rjLeSYd^q=UaV$)6)c|0`TJN9f`B9c);0 zGeXwYkU-5t8_RobKhh53t}%mTbgGHg&76!o{+nj*ivcXOYMq4N$DkKl_Qd5Quetn z3ghb%na1YEb98^}2Y^1--)5XP3n5-$;Xfk@jTgn{KQj!0cdl;)V^2%|%P_~7EsVmR zVuu@c8OczD&0p!ib~qh^0$Bjwpd&5^6;n+Lhe%0a2*7LD_x5{E+?glgty4OxeC*NM zC@kG?6?PRd`NfN>zCUgeG|5OjfLONTYCnUz0M$V7o#|7swb$BMQYb#@JKi{Rh;P(? zLfoJOO%hcEDM<$KXPbqPB!l*^ht3s3EL1(_Dhz^C5{5B?Bf;)2Az7`2jLrYAC#(v< z#ELTlNZ7$WVGZ09R&4o-=|g4%$0E7NoCS^ zx_=r92Z!N{?yc8sM8H(0c+^WX0Dr65>2@rOV&}{G`=+YbZ_f|Md!dOTB*(5pXE>s& zl5{J*iRi;xB}IRU8^To9+lDXXAdn7;yU7%GlZ-FuapEI&y~_H{UAzYgTxA9k8pa3# zYSid_HSzB4YssREmiwg|nsW2Ir(up13D&ew*~6cuWgZ(b;z-QBo?_}& zuZlLrVba{fjaYz9{6FwJPtNb*m6*GljDx#;Zvp;*yj&LoA_`_n;_VaV`6|b=O}QT) zypNS1{&Qf#f5FxoMZbLC!M3?VeicSPK(Z6j>LM!h^!`S2INK25&f)Nr*tsS+A*bEn z@=`9CUvnYiQU2_`TfJsDZpRt1T;qn4OJ_C&2|VZ4vn@dE*@V`Wp&r#5ZzEDC%$qB7 zKcLdeed&SOS|vgXretcV%FMc3bBYOVh}xg zR~{R6pdpkz z0GZH;wYX>3H0;{0vaCs34+-$nc{&MriuEk7`Fdq^Y<0OSE}d1jx@*)p2%3+uz&lq? 
zATlXO#_(M^7IG_<{&Z^~F5rYGJ*4$QGzR=tm4`*JkawH}(jFbLgNfAQjPlzR_yNvB z{s7^~2)K_?v$pK@X(1fM#e~2VQdJ&Li;{Y&ZH&PIk{)yI^1NBf$p8oDdqe^0)LOba z&$hVmEd(+Md=*c4Ph^O{P;+e0L8WQPH zxn^GxBFGLq7}wl%j((lq(*B5K+qFjM8<{`0)Zm{E=D~=V`_AK6OYGbdchsv)IQns+ zMsbzKJQp=P+8uL;nA^}=VskHotWxwtH#16|2#}8bFXQL^)}t&jS3RF~tOWkbemR$o zy0(Lc=${~&dO#z^KSd!hrZH}TxJ=%UYGFU|4~ZfK?xq){46=j6Xb_5mnTr5v7*I|+ zk(_xskqNJXM*(5Yf&ER1kGsVAx(1YP(iZ^`{mPE_S70?tm-h%t%rQ-ajZ!Q^M1tj> zdo>Q9Bm{+sFq~Kn5+hYD7t*|Vo&Xe6G#iA`e}z@>>mF%0m#>9?ja072S2;}M=vkoV zNmSWS<`}lh(Z8mpL2j&W>dtjLr;SefT8A*gYWLnXj-5`Os~fTq=Jwhi_YxbQb^pq| z(TKk?Z*=V|k;*1m=Cwc77x%dyvqM4PVm{J1zW@wBSmg-*NMI6n-TneX692C&Cb@+n zMe6~vt-*BbCy;!*dOcz<8-8Z}N2-28n2v9OY)Udw*LtK7s8HUH)D@(MGzd(j{kz;Y z3%S~R7Su~%q1$L_Us3}Znts(yyBie8MK5i>Mv#!`Ni@<+7p{>>QI3Fav#_oBPvY1R z?keu34CbYS6Q=?W(bJ|uJP%A>X4O^H6j#_$R^3WXgDb}9`brg}WkZ5VXPe7#5mwJK z)sLRnJx)b+x4lbzRWSFZJj93xemqm6o7tJae3#$qQ2OGeBQ)~`!o#tCB|%2+QYL z2-SpcGSw{-p{mElt2rYsxl%iH2YYK<4q>Gq>D)KJ2Xyhb39#!!BkHzrGuZh{E8WTi z0`mWGzXf9e3R^ZDbQC+&^cQI8C;*eMU~v1u)#T|{2DkipcVK7l1wvb9Sy`qr3=AjpDaO6+Yw}3Gsf-aq%OW(RM`{u zPaiJQ55tJk1Cm*Sp+mzYIh_Gz6;$%|=G=P`n{IXu8uXsaLPjI>_G^e1pZgi6JpvD3 z+wVuuyYsRW{Yf{6*NK?IxUKugBO+&e>nB_l`f z9a2t;SU)DF7ai6U|BcjPEB8oW5S)hK#ddLJ<1{_lo zT|Phnt`)j_4O{?j2D*DdPOwyR{Q8YDX3_4M92qdadD{ak#9-e6ZAJ?K^^f8CHBuc9EHapPJ6*F~X_rGz4FIpSts$mN z1dw~Drz920nS;g+<0;ra#C;ZRA^2JS3mwZBeAGXR%GCfNJ33WRh2{fuSPy< z0=>bTZoYbqcraT*Vgc(U9*e~?*9T$)N#NTpPNb}=*$|>_{7&F0g+N9T=ML6?wT}%Z z8~6qj4ogfFu10E<*&qqno$(tfJlx1{0SZ$12fiBp8p+Bq3Ita6*8kvN3U7CLH)XKq zkE+E)!Td$p0~~clDIQT{3Tu9LQmf)rKE>YDNwQjYd&bU;s*%Q?SJuNiG`wC`Ey1z! 
z2mhx(So zy_{2-sUbVQ9+#K2W)tAp;OCF+q<03!Grynt@$&ublf+)VW+$Ty-1;+ukk7cX z(adTbY|?P-7d1Enm=dXxAX@mo$$cpq)0NJ$jh59Jq*tFrjNYRz3&{e4F5ge7>84kd= zIp#(mgO3aSj}@HUp#xId*?^N^DYLi)B&8w}y!i^>4Ra+B|1`9rC1R0>e zJAsA#szD@Hm?HQ!iux(9mUo^DNw|x7GrC2{>l@M~QooX&-nYRn(B4 zu3H>2YF~uH@9@~AC_)`Mzh2ybo_!0M{Th>5xhBvuX*n@cnm~eFER_8*(XVo?eAcJN zZpWCu@m~D*uhdPeSi8Rfy43}F%M_7r$({`@S|r_m;l`gwN7uT|4~&IV&S#(5KEZ^p ztb`s%M`(`N^Xiwx@sbr^CtI2z-HiT%4X8x@&*l1$BHB7XXPbGzy`(%`sFyeg17ryJ z&Kgs~-%QY)H~RE^c*?mlf_x_4uzq#xNvr!Y6XI3(XrfDSkgI+NrxkiDKIJMlIoXM- z%GiKK1EQFnK~{Y~kSV*p@tvOtF`w_Dpw6T8#)wRYaC3P#f*f3iXH8NU@i@c>?}65M z+-Fo(1pnQK63E%@^S@ySk^nXt(n6Y8Yu<#RzX{!dwrRX-oHm{Q}v_S!!*D(~_a6ur1+VRYb%u_H|BqzU{jMGS>BP=v>r5_2AH*%bs=FYb|a+U_wV%_3fjF%_cDIVB}?b^v56{!U+VE@Eans zaS8mF_|upu4&Ea&dk?Z;wF?7>SVB=9a+M}=wtY))4$q7T$L#gQ+Whv7UWl%u4}?jd zU}>DTlL>7v@K{`laINfl#j;oADtw=V?vw|)o%e?Yu;T(DbXfrYW`=LUhr-a8GALJ_ zs8u2msDiyDQiyW>UB$=%U~Tkxt{Cw2I247oLy&ghl)qrSBHSbB_`%U#oB9FaU4=oT zGG|I2|EtDSC}&gk@7hiVL?c^@CQLi%Nhl-mkpWkBId{&MgmhsLlY$R8(LN2f z{mH56`XT|+@S{2(I0m}k8mwZN4o~%nxP7&3ZXVJ4JMoOQzpF#mg68xRYVXRp-nXGkO-r>B@~kS6sNt|aWgTK6T(89`MR@X(5=K19Ac zdxB@yuF0L%#AE9wi+O1CxzC{tve;`>8-PP3V)^c*dl$ZM4xwC5vlep@<92K zC4Q;5eE4cOo2*X+?k6jX#+fOzDg_j zf{klW|LZBL_=ZT7MwZX&Fu(LJHrp>p%;|Xw15LOf;Udr_Zuzg;Z&ygRieetU`;$RvY)-Wc-Zehz3xKxa#=aJz8B7Gx5-7- zW>J6Cump0roVQ!gL=bS$e&uDOF2_r3bVuI`xVy01zQKOTYUj4=w3|v%b@{==|3g{- z?IzUE@i6oG;N0tBsmw>I<69j3lc8@lHBvrXK64(o+t(upadRpD-N!ryyq9d7q->p5@vzYUVOAXh2YVw4K=&_;=I3xPcjYkH~GyDkNL0; z?u{^)*MuqsUg$gN(bMpsS&<8ikA~Tn!=RG!v9RXpT``UmP{$#Wy@`W)f~;kj#O2V8wybw=lb)%I4edTY`?!3>@l08i(6K|48>rF14QbB6!< z-peLNqXM3Ru=|_UF2CPfo9!Z74v20p!uKdz(PadA z&L%ERHhY|YE^n>^d;-#>N7%evWEbDwnr`lalgU%5_c4|L!osyrXj$E^{9PU_$g$5? 
zpsP=x>;2kirb5uBZ7Vpllt~nr-6gWnugA?QSUdu4<2QVkKJB)7`>hfhz0G|`3(75} zQz$dluuEPW*saeRx7B<}twQy4WuK(#Y=0*%Br8dmC^yD9`BJ5z`?Bz~R_4k5jIZ^& z!{7TOtlCf4`t>$yFI4}_;GpMTKdEe}+C-5ikz0YjBBDA@oK_JcqVf_&9x)C%a(t#e zPLeM0=Gzr|yJab4%s+E2f-7{s>~y4D`DK4Vz741TTx1kM_4oO5UuX{g1!B9Y%&vAH zze8;XPAktt6xV%Lv(AYOL!F9h$y=`*2wcY_m+V(2P}}D`eA?Dcx`Axk!?`=R0D>^= zdh5jPBokfa`_11E=W7!`p0Vc(lP(EoE!MU%wGHYaDWRyKiW|~>tSndDfp^c1xHfYs z;3tx3h$suR4;>J?vN63xqofNXC6r`WG7PLhLv3pdz|4^Ds6>W*X01|P3Fl_U95Wy?YQYu z%VK!*+-0B~QkD6lssHZW@2tOHvMPZoAB}P*34B&EmFFf4!P>NxH01u6W&LmGD{O&D#UdNoi zbSQD?94d4AR83^qF!(0Fc;#3U16o4qy6KuJ{d(CfDqw4;ss#TQM*8Wo!_R!U2x*q_ zbjl*}Vn15&???Tyq>@Fv@?*aV?2%6v^xi`=8Z#(ku`iHo(q;wwp=aAQx04Yts^O(sOub9UcvC2nc|@JH281|nHU+qT2_=hSWotDA zRU^Ki$V<4N0k*24`5KtpHEf-kUgP`?eaFe!^9!{W$4y`c>IqbXea-=W_0 zMFeehh_?AZY_i7+m*IC&>W=*+)R}>L|HH2{0T+6T|A|011Xt7pe>N}?|J@+#opd~v zgS_`7D^YXH5iWxvA3F`zKkVfCeNpDO5bv)vgL5RSi|*;B)@<2D-|z~q*(SC(Wc^-j zw=d=Ijm#vc+Xp?KKs498Dw3oT9+Lb%9_mMNY*dnwi}=@7dGn zqmQ!*(+^KM;x{K!JK?se9y*>)r;7ZY@9WF-yL6~h`$rgvDh5D{v_o=$d+HNiR3Q2f z+8j$qtADPRmvN0(Ncrj5MoHCIsAZ;V8SQeuw+5{LWN=Q^g}%Hj!m+cH-S(>M-g-JQ zY=c*+q*|}85M)_LwLL*)VALzHR@ll8%W4zLnhS1!_U0$n*5ROSeUC+$2rBE9q%j@iU$)SJ*2W@N$!0xXT##@b`bMu%nXQ{ z`6T0PeZN!E!~cg(rY|c@^i)qS7TlCG$#7#_Mn;;^Qh}SsY0WvQblC08nhXWn)aejI8e$hT``p#tNobi+2Rhv zx74RN-aN79H|~>R<_XJ_k+O0Go%fela7^{TM%d`y8yj)_<$OXv%)TE*)LEj#lhZYG zwR%d4|D+znbJIwqK(M8oBZvKGjKE=+ik0}%`i&&PTr0y2{i$N1Z;E9x)ZLPjba3x9 zuCANvdXo9Xw{5LXuAIm2~ZIn`3@o{ByD4I{1Sp{BJ>!aCLm6N4x3 zPXh+&a(q2r;gD2;_x-~`VUdv!y|^9b=0V}~6eI512v(}K{t~u$!H9++wh^v>FbDur z?iqJ6;Dc$|B3zoO^<5j~!7kp=+g^U~1WEExx1U;|9!$qVcbbMHHT-A6I<@LgI?BJ8 z#%bPv_gdx3;SE*-@qWhj`m_e{H_gmMKB}n-4n+uc7>WgW%Tdi3UR1ej>ugle+)Vh^fuW1O^lATQi-*uc|+Dh8gp zCU9DU>98r_IQVJ>+LI2c>pzN)Te3&5NX@h5wr?N9{1t&^)yS5G)WTI>dI^0pAn?Lm6S{TP+di{*@S91r#e{k9z@&Kbt{9s?IX_i{0*+K;k%c|+tKKfv6g*|=T3@Tzn88WZ^Vv1B&$b=O z)?@k0c6i74<+R89=chZllo+4GFht)ig*l6*@2%fnVD?!<#{?X#J25imuf{4wJ68}~ zY$ikXcoW9NZcIqVP|`U9#3zkoq3SqeIO9Eana_|pRnLy>RKv#w!0$mvxpCaL#H|v| 
zTp1vEQNX|AS2NfWx4)Xhm@$j?I*i>`W3)*L_*InBobu$`dOy3FS)%K8CMuSuaIogV zI$!m<>Q1lT6SP-jGRIS}jy6X(AxYHCj8WMr!NM4YxMy&3lj|%~4y{%+(kS%bdb%YW zG|Jtb*4oJC+qmI?zU)o1(5wvhclhaWFB`{p4E%cZn@TlNTU=4CZ2&bm_VnX_TQKSoam1Yo_wq(2s0z5UjStZ(Ma}W1D?X zJou&pQ^_O~WD`UJ{!>DlAOlpfyHiJMumcqVLgh0+S?N43OXsLN;y8(!Vy~LV03=*x zoJvf_SHw-2&6Hn4r!Fp^>8A!fT0L?zc6BpBmwBq3_8he(_2t7z8oC*cnJ<%7x zsiYoOGUMEhU>yhj!C*}o`=D^bk63&b!VkJg3Fs=jtwK`0>oQWBIJ?HcS~jd~(H*06 zau&HF=znM}T}T@0O4XP%)7M6J9Jm^BBZF-_5J{1-K6+W-4ijX(sH3a+)U_t>BwcPIE`1m?p4d-Yrv!=ian{kvB*> zg9i_-*`+^L0MWGTRn=AoS~|HMYub8Y4%$fG;E6KufY@>8u0YV(20tE`3z3oZ`;+reqwGj|l*vs)OUI?tANTdYsZ$;R<@P0r z%*lfeT~E?((l{!(rpJEt&8fpZb6pOvDQ7GBr~?ysI{}qte$FZ22Rqb7ZS=_o5>$r}n__hm7L?reIJc#rZGhstsDD?oMar{$P#?j5$;e_O<;IL~~ar z=%-9Za$sxa$|l1h!onBCggT|BQU%nus}of^nk{wYG^+L5OFT7bb#o;$mFQFDmN8IS zcLH3gBqC~OP==uO*4($6)NBO;qFMzbp}%~psZ+J?_Po&e{lh?ra};&>J5E{dow#a> zyvspy+WfG63^RlN=X`sNUrt3*OM?F;M#U(T4%w5-4-Y)PXrC$67V76YD0u9Py-;R8DjC;++>}T5HNWJPL2!| zIpT!qyRr6zl&g5X%a)N)Zrdl@Lp=rY=kbKDms?SWTKu;vdOMD-e(22Sb8OX~H|( zmWk3KwXNTXg2H2$btk3BA~RTHJpMX8JZqo1Ep+bxT_s-Sw==)@)o=_~s;}5!4P$Tq zChjZZ*10$M`8EFpC-U}~RT^sTzCGL9r>UdW3&Fe;o|MSFDfIk)S$(%#BK?9CejS8Q zoGP)#hcjYfMRd)V9Bpbt#2@9sMj8L*p|ljO0O?SJx9mwcd#~IUXJUHbeR()PvD$5# zI}sV5^OA|9;2{6Pi+oHl(D$#@xy_lN`w;YM&pGbMP4;#lkMig^?*Zx9-UWgMXD>*NOULJIof z^cgC~#;ZV#&;35H5o_toF{^ce72PH7=5bh6MZS*L=vd|IWua|Kwrjm8jq-kTLw_lb zRIBLOT2SsE=gJ;3@|K<8FWhfn-*^A0AW_G$?_QUk&EcrvA?U?Zo?@D5TB8t%qRCNQ z!-u1Ssg&Gmv4d;EMf7q^9z%e~*9Z51J?@4Pfxa1Iu?Bk#hy;7wEjv=hZR;Fm!dwj^ zrgpWj{f=n8zm4=^Ge_18$C&FL^_{hG1&l>nxY&TnaKUEV%D2%eJRH?yJ0`7pbVKQ@ zNW48K3qIjfZ@j-aS&iMMck)~)OS4ZuhX|`mDc&HI*Mt$AR=gtmTAXOxeUUWWA_mAzMXoY&_Q)(Y zFiy*Hyrsc7UJc*Ypy#)l565G{;7gfh%BQ&AZ6-JP5=2f5O5JCU=w}W?3N>!m(4+EL z58qBh;QIe|k*bpeHRJS>zv^SzScw&xe8Bq+Q19>dnYS1s5usQqA;KgJ&2o|)O-jl| z1?7%TWF`44{OO=taD23R#Zj7YBITb7_r;RqQ?HvNSx!tbT;BznQEdOG`jSbBG(+@~lm7UCUt~f7_93~a+b7Y4 zY51X0XV=wWNfS?(C@AES_B5U$S5JOJwN?;u@0<|M68{PdX74?Fat{wIWX|*-%8BBR zB&-QP3eo17>3g|LaTa;a4q6?g)%A|6-E=pMCs4_5=TCzmVi# 
z`#N`hC$sh@v*(pmxQAkAepzEUJ#B|Nvqk$6nq26U(7|lyo@>sbX!DNSKM)7aroW(` zKEwPEF^=265y260OyvQPbKgEQQDx^aVLp1u)^^`Z#TLefS1LC+nZI}7K zz3w7oaj5h|j38eEu{F(Ti)lMBVjS_BV`|^S;fKtH*yBjI>R21Q_gmzqmE4?Xe|l-Y z{kZRyqz>I1jfNgILo95s-Q;ir1Q|q~3{w4>QUc(jPcAG9;QIVeP+8Lp3v=G-4yP|# z2-i+WNXqhay6NCZV8G?|C~a{4w{^B>I0SAlC9gFKjM_mq)uy;DeWq-+AYx`bIDAS_ z95S}bG_XXbu(x#76hbTjUQ3IVRsLH~E=oyBT(`mc;1A2lAogg2zX9RE^DoCn) zL^Ac^R=l_0Co+y{D&vRkk`)tI#uGa(72dJ-3YK%Q>JyK9pihROCy$PCe;qt|!C&#GUigmRRE=jf zRc)o1pD>xCTwg33BgF(CQRKQRb2fAO!&l4{)@)-*9#F)f0m8@IS1^=!kG))@=>DtGIjP5@|M`n9a-WQ2Al_P^0{ z6x{Zy2hhm~BKuI|tW5}rQKg?5q^lV}jvU+~C2}&TagwsU5LOJC{m-U^LsJC4TPE)< zEMAZy96bPqa>`tTNgO2Avm9MZflzmI)VHgbj!plN@m8aW>}K==dW&iFxa;7em3$MT zz6*?^?4X@0s0K`-{l- z+L-kF3U!4DhRcU8N7 zmHjgBj)EJVwpO++Yo8jQ^H10ceq7!wv6|7zXy3fcxHW`I{uyDqPanj6C~!%Eer zFCi+y34AT+34QLv8DaxLB*pxdW{tcOxwY|9A*_sr_%7YoAOc`AIe<0hfjb78Q>KnY z;WnJDf7=7kQ2NENi~gj&Ea_tWAtpRVBXf(*kaysvreef&j$M%?9 z`3^+4tB(IkoCw^=LP-rhf2e9G&LgS?uIW} zY7!=!<_)r53322nse3B~g~|wgkt+I=^2Qc>bU3fC>vLs;E%7==4xOA z(@so7*t|wtZ2Nd_j6pHD2_Q=9O-a=VrXtw^BacBOhk^!o^TQ1$<}A6t@8{SkTq-`L ztc2T-d_gfDc&SG%A0tPYOPB`lAScIVzG*K8Z@8xb8&~Y?wr=GV`#-@2(+w%xY*~rw zNFS?bh|k(u=(vlDDJ2_TQ}chK!Kt_CA2q23g-6any;=pF2TASA?fWE+2=luUGY!lk-T znm&dObQ@}SDxx30QcBG z5CQobm)BoO`4rC0R@Fq1_imz8%zO4Oh`#A4v~*>xLE=&-8*Qk&&%o3t&427MAHRhz zpY9r2JlBo>I6}t!1dg1BjOfTfx7Pp1tqFpuZ~<^?0arF!NRO!zxixQcjktbx{<5{2 z;7)m{h=0{UyP`I8c!5@yYwPNrT7+!7fGjDK0faP^kSL-fQS%jNirP(X`|AzgR& znO zpI}ZO@c4Gqr2R){Xdy@MP|JbOo!A3v-KNuEh|0q%R#xtG*EvHZaQKeR^ zN3@hfNdo%`ae2Sc6Qu+21wCLMKve_WNMX+kNH!m{q#<2G@FUQ)5NrT^t@3sHd6mTT zDg9~Hp6=+HWSJvbKeM=>pD)_WhM1nOC+ER08+3T7d{BZs;$M}_oN4aOXVfmPrcTf> zctMQKW=xL*%^G1SyxYBzJk#VuM>@rZ{W{C{&EP_8(_pJ!B$#kl-`m=AO6?1H6%Cjh z$=v8O3>aOkHIoLKr**7~KZdR5-z-b{A;|M3b3V|Q3 zhf05jr-1mY30fILLahUjpB+A-n{W#kQ0A(GlK~YPSja{jc3GUZ3=TXZ*f-vLAp$&vQRkpV zc~C$u89X0Cfj`_g@T&?9a6*F)9YnoxaCKG1vvUSKD+qf9z4=l0-76XdwcF>a3ER+C zA^Gh&DmD$Z&jprs+If-UX_D_8I0;JDIZ_%tYDEH81xX|OASX$PNL7oD87T9L`OlI~ 
z8gSAPqAvWXVZ0dO4nML>FI=7oNH`;8d^g>ygO7ZegCIK|R*Eg;GtFe$Qji=@m0Vo-SBbZQkB&5=yu=JyrYk zpf;9f6vfjRyBvuJ=JzyBsZvTb*=3KkHrq?pRdpOqP6(eFu$0eSq)_p;P}!TbB;B*2 zWin*&uXZ6>sazGq6-K8SB~!m;8e5Q-!^=U15r=3PFZ+d3GGZpG|0*yCF*GhC%!^sqxj83dM8e zz97FSA{Nd2RH&Ug2V_gM9oQO+qD!4nw8I1AQKw#F=V4Bf>v$Nw$V^P~>!qXKu^~q6 z`V{7_M+>f~FDiy$2Lq}S*DG?Ky&|}$)QjybN4kACnmhS0c#G?=_|xRbr!+shn0LV+ zO*gAS?q)wcG~>N`laTkYbCBnyjory0x6l2-`O(;C$1%b+It;*~d=>J~9`EB<|4ACQ z#*oe2+Nz^4s|wTCn`{|D2aC*w7Nm(JSLJ}eV-swn3ZFIe|CFRQ^H@W)#_di*r)=3WIc7SeS zt=D=8E}&8761wOQ%q8W7CvawSrF4V0Ql@uo_l7w?NDSpwHt1=-&2bgqG~IkQy!AaA zGyVML@`W6jDIp3_a*tiFaf1_vs&n z+9n>Iy3kC*+SQm>i{o15_=5E=E9Z`7nCNj=0o0jGCeoZ;=Z}G4CQMyNVu3FFX@lDJ zC6Q8B;GWa{~-1QyE6_f1{r!1O22HvQN>#aUwZ<7N~ulE=-= z@0F}qNf+8*si$s~n5f4vN?8H0py+YZVPa$F2+nH*CE>$aF*4@gD^$zclWs^Z$IZY zcDClFB5*BdwIQ}qH!`l~dMQ$Z9Q|ghg+)L85@ZI+T3ge|L1t#f)1iIIl#o)wdDKeQ zN0>s?MaTw?&R9{6nigbnI5p4L5ay*&*Qt^PgK*>t`Z3%Qmr7YKAewUBJ`PfaQJr5D zgpi$UgnA!+bo<)l7Ar!?@%+#*u4QKI+>ED0gKfRsDA+`J$tRW6NBXMQcUvr*fM@PT zc7r#7c^OlBMUKh?xPD?d;hmPTu+?8w>%mrYZx^l|_p9O%c2=rtwrr@?!5M`*(Bk46 zeabT+!eI;$>fF8HDM<>~fz12#u`{ZG?$CxW6%JWg0xmajh+mq7L7IdGiJ!yByaubt zQN?A0AhxdQ+Eu~R9G{3hi_c%ffi2wpDC`JrObE5Z zQP|pRuAF?q_e}YERo}A9Udi@;w-R4jL}euW9`4VaOIVBu>5|v|9zm3b+*!gwup>2W zjaHmXi|q{>te?~~RzmrGjoJPa{#Lk$F;x5Lv4IaIMf(saqd#|2LknG`8;bJN*-ttq zU%6@RUJ(bS^Ql_L`lFyxxjX%<8(behqQcCCsm?(xZKKWhOd_GOX?bkb?RpxrpE)GG z7Ea97O&I>@QdgT+@&oFljystlf;n&ThlyRK&@PkH)@k*RhF`PMiiI_zt3~IwRjKvh zJ4w*>C`n`RN7616f|wb9IpOw>dCIT_slYPA6bm2V(P4xqD@EXRtkmLP&hl+`pCC9n zi6Y=*yT_80>YDL}YnMtpSsARI1lMU!A3&fj^U-DoO$u$oJ0nu(oV0OVsqi8lstWK> z=_AWeZof4=5^rQmp87fJz42MxKe#?gT*R3)C-;f;{)Awyb0v8P(F&b2`emhg#%7@r z*)wM(vf=aaS4bc6sEbulX`n^!N9TRiJ0X%*84|CIX_jA7kcjyfJHqy#tJ*{q)vknd zKdMFxxiNFlGWMbx1lRGq5Jk_J*0W4qK(KVCM#yha_F!s%zxw#8ZU#eM*pAW1Vdh8fDce@_nXoMsOQB$}AZKHTKfQ z8D#O>En0W2;_y`wEtj%OkHHTHNn+SQn;7qc=@~~xy4p+uTvK<|W9ARrMV@SPc-oo>^%W!Z&S{~$-N9Oi`24!I5 z5NHZHLdHqLqQr^tF3j>&%@N@UNf%)<7~GP`HS>;7ZrhMWZ_Z-1xz@JFBhAxlqG#>l 
z1*|7LKHO0y{ZtgJs$fr0@e0ps>V6H9k!KH2JR&HNRmBWxn($^qY~wXa>cPY}Pw26xL3NXU^!2b`ALVwL3E5caJiXUh$^!A7=btb86; zFZ5`O1=!!!8(g41KXS zQS`&?qy6%ERNI$F`T4Rqw{mR*hy+A7fOn5u0jUx3cGxCk!ix?(?$0P##0;0$-59LGwD#ImZ_M4XCJHy z3tG2fP<6WksK9xT&wAj~O@ktvT3UF)gUv6E`Xh*^kE;KNq^pdotLfEHio3hJySux) z7k7%oDO%j+;O=h49a_r%lw%`)zw9pdz&O(3ThFY}~K%B=rSJc)I+!wr71%mVqFx`uPjZ-y|(~$h#1^lHlCtmPWB$Ep%)0xKJQ=)`fBSUdy8dNnz zaYsC^r`f#q2|{0hd^>2$V9BzOQY~gi(xsADCw4SOykbQ}5Gz``8iEOFGvgR@c^Vr3 zKnpp5Bt3KIS~Noo-8T48xmx$&R!dyi%|UNi@sBlR z1*Uf8A%G$+>L;?a?tKfJWiNZZY^r<1m281%neOc_vN>I4AbTs0hk9NP(^t zv0)>ksP4y=&?$67GKgx>w<{%HL$DGQ(S{;@es9YTRR4zv3)_Hcd)Al;IVH208hrWC z@{fAhAh^Esex2lF8z$O)>44R44ZSE?qd}X#&M7P7G5Wr^$ev=uYV}**2IRApHi&PP z$FP$x3A;xyQg0rNEh2Z>VIX=wA%2(scvB+Wl@sXDq9Y+{g}Ra}$_&*Uvg~^ChElnZ zeXgN1Bmfm**e$_gIQ&van!_K`M(=&on-if#1NjxuRsiE)-No3`TFZ17dN$K2_#~iI z>>wYs5_VMFtCmLT^=ena>R~xvR6qv|c1aM2g;0P;E(-NA%a|4NEDrjY?Gq}wp!+0I z!KxMir>>jo1Z0hpF3@VhgfPy;Jl-~tN`Dt$-Sy84UXa)HNcR&A8E>xX_j-ZZS-!fR zrB+6%bIE0dDd474hR+Dh`6@mof2^6HCQ2_4v=O>>yGZ?Mc8}t!yo0!trN$q==wO=^ zz8mK>+_lhfPp&zi%K9;EdCR_1U2u+PWW#saJ9Q}R0mDY}MPo4Mr;pO3`gIfZ13>Rjm%OogIKiIAcWdf%(&-_9mgQ2{A;3Bhhc3Ke_9&8Y=%ygfCX~+1&MF z!ds%V{$k}a4DuL#0c(z!XIliw@(l^?Xufq|kug(@Eangn5b`}o@Dc{f!eT!GrM|>e z6ppA(*8G=~OMVZLOP_T&?$`N5ZGeusC3a(>^5R+llCn)}p-+D?10u*uSYIvF)j6f@z=R#PRw{JPyU-0{p`Sj=wL*_RiFo2ZMGw73qrYg?M#y9a6jD+{?Abw_<14f%A<}!R$FxUaq?f4 zrcII++D{T{j9T$#llF-U)22;cYK%F`UDoV%N!*69moy{HhS}pP;PMLOMX&@*+!50v z8O4mGs7G7cpJ?SFN%1>(zaMda6XoTHyZv9(EYjp|jJQ<ZsFVdtP6q(q0knFv!*;rE= zBuu^jK%%)d8Guw1EX+~sk=LZe-ro`?&#O_fW~VXu|TdBG1w)435%&2w~@q9i>K5% zXf|L!9$ip1)=5DhGaCJjBLAet_Vrb>mWJdV&a4+rk&%>=ERp5H)1@B&$kC4CY2m0- zh@Ee4+q;#)Ev+L1K^u>KVQYkrxbZanB{VP6FB@m%r@SURP;58r;$bPOGN19xGPc)_ zmc}s_)|Uw%$O!_alv`;@z4(}O#fHni*tWYW7oAP(C)>*T>DPfLh>?cHM$ZldbV(oJ zF4Jjg2HS;ZWyR8Ihao}9&b*%M>`v}|b#2~{Q|qfo%UhcRS=!A1v}rPa{CVd`(Qn`p zcS-pdDJ{qh7avbFLviGsk(?8gN@&eQ)@*5BtO}$;eoqAC{YgX#*-jFHb2e(md;Na7 z4?Qx3q+f1}T3&??(jo%cR9R8aK_egVz7`!rnNCmVwB0tq_bvaLEcDp$D!lqIHeQd( 
zY}$$Ao34M}@PdS+u~Zfjy^3ihYM>~G4wy{}X&(*C#!sS(8Hz^wl5fe+C~trjfaXJA z+|c`1i3{mX=H++2tF-x98FnS2F7a$S>H%-PTDsHa^s2z@!z%*Xje_v``3o&yx(EG*SfON5AOS%AyJ0R5e+wD6a-1`LY-*IH9oFtLoc3Kj#8zrHgU*9cK(7y9o zXh_`sRHq)~6N9G?dYLx_YF7N9*h;Ti5=QyXbc1R_!nsJ2-Q*}{?JkPM%=5K8De8?F$L@mtRgv&6oj5eje)?x)CUYESC z$4;$<2lO8ADZ0y%x*#Yih&oD%|R#u5LaN#16A=kOwH_@I6Po;|}&brz1_hVme3i;`lWm(Fh2? zo%bnx3KHEIb-YZAjQxoXhda|FYAjwO&A6D&Bjbs%JwwvHc zi)UTQy6Nvt_R@6yqVbQBP-$s>P#?;^RxW6l&Gzw{HSy_T=51ws{34HBOr%-48+i_B6?PyAw;J! zqE31^T__P>GMUmlWfugI>GHdgO%?iFnX`?N74usVpI>=!t2Mi!D&~F#X^kOM2@Wt* zrO=#l8e6_lH5%m;+e-1r>($PGi8~&(I>7~uy906R_{cTPqAN+G0_r91$2Ee04sJ#$(a7i7{_5O=3RpLGJW&D+YdE zLFfm3=FBRHY(CC&Ju5@z_UN-Rr37=1_bi*1;BkrX^t zMCu~SSHP|&?_?BWsmMU^5S4pVkPEMhomNUf|9zYGHQWD)&bo%^5@24Gz_?sp4>I39 z1y#?65xk1 z&4cr~Df_OJuY7{S8h)%o>rT0O_!bqx? z!See>ymiuK4mN;hYlF~O&%-p-axEQ-!jff%u+wCI1aqE16zdG=opDIgSd+^e^J3H5|PnKZfjgH5fh zRT;4MZL-7-{O8&UAyb z5Fl3sSUdgXeNS(>9~*gVBUAmP+{HV;kx~vK!vvVSBjYCqpCi~=sRK|7FZyvmZ1Tiq zB#4Hs2ukpk?+`ulOq9yPaQ|CHOBsKYdqhlDfMtVWQHF391^8r(@mMx>X5Z=S|CeZS zRN16!%)aoJvD}|Ywqe}Qg(?JwSi9@bIxKOrow%&Wek5#7>|Em27l<(?Ohf;~5h~V< zr@;N2zr2oD0|j8~9RFvXS$l>Xdz@NhV$-*%`xqU}U@f_6K=!NuJU5l&%gb>syKqQ= zmBZ#=R0C`tC*8KH#JDLHE9R5WwYhtkXh@60$7etS_`-(~VDJlrnBN;}*mgoLMS}gF zVp48gPeq8=OdZ1}Wh7j3iA^t42~h`J_Zg05WfWUeuS+vr(=OFpHs3z})-R2fPwrx@ zU8?`yOTSVuO42CdWS;zACF5bxOCi9a>X!ADi_G~euBO!qa3M|+;~5?V)wV6fSu<zTe3^Wp-7Ia&JAhFOQ);e8 zt!oDJV{pKiVZ(s?Az0_M36pwxze_|fnn^jks01u)wY$L;JaNaU4^C>S4GcT2<@s$$!Ly#?Gw2KR|qeO z+?P%wSKFkPm$%)_|19e%0lqu4-p7?8M^-~(w)rG5WE<#UFz_4t)?N0)d6?maEC;@5 zfyeX=+AQZ);$Sz{^2C5L$N{-$9NEHdtXYp>+_}_^#w>Dt6?)-{mba2fVDcb*i{58e zhX`>fWt|8MPx4WjCe$c1qVb_Q!iz(;=kpwD>&vft)IN^I15&8v2@ z4b$BDfh|8S55y^O;-XPA`f15wN;5@fDpT$Bk4+;(B?hbLjAzXni>JrfMUWsI;Eh-VU!f_>^A@mAuFG7|ZXU}RPy)V~EJD~@V?0cMHFc%^sXYt#yM zdp=E~uA)4FRFM8&jZ&kKl4hA{!vLJwe>9DTwR*{HmP2b{@Yl2v*wruQCriu%t3AeF z1ei%3F~|t?i;fLunblw6%mtW(!4U^Qw{9>^q!`V-vgpp)m)F1$Jw#8q6|4Bwi>)IN zOI8LBf4Z(k3~qSIvbC+sGf78>k}7)P%)UZ)VeDVAwS{r2eu 
z+9D=drggh(DGy7WG;u5{=<6?Z&cg^5OQ*DBK(T*|P-*{Uw*grHm%L5;1rkMw?AiG_wHlxkshL?p__x z#Hz{RCV*1rs66$**=A;7aiF$9l9@6SKUY_X1-L+911tx zNRrcv!s(~;tMg_xoVhrsQmeJiV^m19G+i0AANw>;a}Vh$Gqd(+pKsm`UV}PfJZjFB ziUc~3#F0Q@!ObW)qC&Iz-Q43*ai!b8R{ZpXKq@nQ94bZ4^siRiY54c})A#7l9(b2Z zm_6=`)G89J5y^Qwdcg7M-`lq!8t6iCw8X?C@Q@}J~4?|5g)imXT)At zF4YHhPT8UwQNcxOfIjiD;?!;wyziUtg=RcD*h5@1s(26`yq zVLFyIn)Teh_9XABVR8{jX;;t&}$``xnrpk8I-c znrAAWkZW^uX3v}IF)Q>q{MDaStv2W;G$}NKKV>NrE-ofTtRt8u%&5L;fX|ADStY7* z{e+3;k}h{BBQ8$zx-IC0Y4|!|d-&4Gr?S6a(@2a{WQVe)9@eStXY{f&+r#XbqlCu| zIPZQMrsDdN%Bvuz?c>uMiDD2s55vV}sJ=xG0no$5hmkgS*$lFkW0s1}TE}C?1Qh`6 z*0k8kDi@^Z)pksrady)6UoVnpj-Re$sgYHUd;c{hdzIz~L5~~Nqq=+MF z=_HMmov4FMfSLAYWa@o#eMD!s7N{bw|38B&IF_+t4f`84r^ z=m|u4MUm4kIA9eFgo@W|2N7~iUGQMP&Zi2cPDH)Plpl5UT5S00U;tE{ui z`{@F-xVp1AP^a?Ym(5DfNq8~WNzuK6K1D+m_bFlBl7ka3Bm3~qaYVoHcTzGv6rNT7 z@JHT?`pw^Bb*x#vEnQ~9@Zu)B9b525LhpI{G$72<#h7i_7tgZg81&dAW`4n55YYx* zj%qAv?>Tkkf~XC}MS(K?G=n$B?lkWyqE+|SinzHEE3|`Wcn~@@EX3dGas_KQh;@*( z%W(A{dBnfJd2`pl+Q~P9V^Qs^eo`sbl)Jv}46R*?`Yyn1GnH|s{?%-oFB^wXX4Pp~ zcq)I?^*Z8FRhHn9Gd7?2d31oZ^m=gii5?;s zlY1K%OLJ=I?7x6iXFTv=b^!KXd}4fr9%!qyM6NLj{i8TbcI?1mCNB^ZOXJ|Tu89AU zShX1s*jhdxp4(Vr8@7!M<`WD5E=E6i?Q|yoBzmLTapkMEIjO-h6zja_=6qx%xF?Bz zGU6*iO$2~`asIh|wc8a<1VE~umPf_EohHh{+Wfpwef}8IYm|CvQiZf_F=&hJfxB78 z$1T61V;-W1DB{;og2_92X5uxfL@qvDZLZ)Scdm}G-6mR=j2-ezDvQf@_#5Z}q`U~! 
zd@rtEp?dd+zcu8%t{t)n1chP zgQF}ftD<1=Lqs()I}8#Y#7AaFm)0^}k&hj4fgK)Pw91y1ryNsOeAWsgK(5#W5m>OZ zp4u#T43+bG<@Fp5J@zajIA|>mxvSu_TERE|9%=<1J#G&MBHfzj;>gO%;vB8eO}xkM zr?_IkqyYc!(bET~;DU#-yB387e7zuxM+sEYtKsX~FdsT7jKQ{<&9mS}t>gZkh3|FR zQcI*#=lpP?^?F@N5!;O zSK5zaH?JX@`2fias%F=Ko1uRG+C1BbYIoW0-kvs3PfEU$@ZZ%ZtaS@Q(>Xuj=ME+c za2bx2RA`SjDsBIC{V8lOt2!hjIjr>=>Bq&4r*%4^&S~X&^nl8cd#ZXGqqA_hcC2c< z{74`_k}Q1P>I~|?s%i=Av|1PW4W-@RwUG>o;u3gy)np)+uhYu>l!qMR65}f<}@?{~Q@#q!AaZj&KMbKI|QX#S#ylKt?T!2i~V&|7>WD@!(W## z&zUTBK3yPDmmZ$#VpX9xQn^Lb0PLy?(ZjMRP&?e6W)gn+;@O!sWR+Kh@G)KQ0?SLD z@J4~{8MHr;!15j01*cB z+EMIT@w{2QK`csKyuQs(Z<9QxTF`hK7k`;!m?$gp+CBV|3`RiIrzz6WaYTpWd9W^( zSTg2G;r#*DIRGk#IgXq831oApAc>5P9g18mgW**tTzUfHO{dsVh9SPmiy)fj*cy%4 z;`2$CR_}k1&4~|T_W%BTe)WiOIdONzfzF5!azV0R7-MaIR79-6n*+!^=+f+aHTT7s&|=g;MAyv z*QSEp{896m!NBRs&#diG+PRXM&K(57X@P~0j)_~@NczymN<>AOso@6^5^J{}0m#S$ zrd*(Ki1HCXy=f4t!<}2P`Q#vri^TX3?`n#pRPK|FCRu{V43iK92?@R3r>FPH)SoB4 zRr?j}oxJ?gJsnW^RN(WJ<$o0lwV8L0c-P^XEP@%8KK%7PPl-fumj74SzH2Q9ORR7) zbw?peVODC{F4NxM4@nJe*UV?LY*aJB7$NXVW{8ZDA-{6RDSS;JLz#hOD<+~f`#s2b z`@oZ@S3weQfcYMbuZn|k%Uh$#@yIDoH0wmZ_Z-QrT7rw?(y0%v=7@?1N^sJ_T!zA7 z%4GpvXF+v%)f6U8^j|7@req-$zD@JUZT$syoc!o*_{E{+`9WttR8`%wzPA8|gWXiw zvqf`x-LI;-cFXeTr1c+9WA-I69Rd4tg1l$&$$qN(@xBB&2x5LbfU{@pFmfTV%xRx? 
z``1^#Hp;Vi`(9#67r>rrD&RGxE5egi>aYHVXn0E7G9LBu78Z}>ERC=_#qpiG9BC?x z>&h-S3Htkct_H%bfdN*9M9H+-GU3SHw<{hFV~LFz3&M`e%kd3r0pzl?49IqJ+E}Uk zw}5^_Hyu%X$LD^-8?ByUYjONI>-8n&N5kgY)?*-LeJA_3tu&`tTwxt2v_@6l1L4}5 z%K$rYZAJRe#OHCKqZhJg-N4ccXq9>owflGKgGr`3w~x(Usg{i-{ZA z)$|_-6}UgOGw1D%i0FlsS8HCKmb%#SdlSfiR2Rt(e|*E~C;6r$>gWgvhqaZSUUe$> z_P@FfNTcLitYJVnH@ow)eaozij&@CDe5q2@sbsR|`mD)kI@lN(W0NP(OfP{LqP;My znC^=xkKA}7*<5^@Cw%(Vx^<$tTmS3np9teX(FB(Y!=ua`pK{klxYV7gyn~bfM3?ul z9Urv+M{40djDP1nLIBp*GU?|-u&-$5AEUlUy^s2y&zPh0g)&=>6Xj%`hd?RyBPDyv z%n3q*^-Ar$*UMNSd42xG-hJWILXT)6@$>)8pRoQa_cmPkJN!AJHb4L3D8lyqa721~ zed8m!2^!DO7AA1!x}Lhb(xyfAciJaB6pL70tM87D%=8tzt&xSX4*k3VwbSxq)hMIP zEkU(G^c>vhm;gQv1=TGEdco7e1}}O3_K&QUxXYc9a}m>!hd;xDOGL24q3T#MKruF3x517P2R@QS|EfKwIDbXyBnmR)Z|Ck(r-SUldE|+k| zc}VU!Kmb3Ynjb?D?VV9y9*x%?`s?07H7;58cBKE)jkj*|eb`LXd-hOn6IGW7FCgBp=6J0IubnGqFJS?abToPIwT=ucu z9+gcZw~30(tkCH6Ee3AX|FZ{pzW#k5OfWs$Y86J&Zc->2uZBAN_DtA;>UjCtcR3YqCcyIq}f23UWK18(J7WZ|Z+cWTf z|3K(t zXbKyvWP~bhRmUp>%Nmuq2@YyE{b$WTK(jO@4pv2&Xw~~#Oac}oRm`qyVWGFP1Y%(o zh{WoMM9>;f)Adkb{8xh(h^H`2}Pn48y>IssY@PE*#l&WwjH-sD~|Dlq5J zjV|>B(&$rHdd86s4CK^WnoQwfJ*MFsJ)g0Rh2);u0)!Vg<7BVif3&RBxAkHM`q+n- zNNcuO8FtzVTWYP>HWmC6e+-|K@S45NWp9pIuQ$6}GXHpR-bx@l6Yy_N2&#jdQe6qA zpu7@vX#d)pgR4x=Sgc>>(=RokNCOzq*QTjdke)gnHuXwIYRU!zR+ZI+B2B4$7X5ov zbjFNSTYUC>H3E49rZtQQf@(X2nGU?3XQt5>OmPHH=0Am5;I~;y!J`h5)(4W#?}*AQ zb(RqwGjAmyVJ+;fh;-|nBjg>Ylb_d zm6tmDl+C@YWBZ5v_Q;?HPJu9f?vj6%_=EPPT)+ETm|lV`#fP$QCO6=S{NKWYw-=wI zbDM_udx(hWoHh=FAcD*}0j|TzH*tTGyw4GF=h`kKk!}~0#W(u%rfgCZG-{XQ&d__d zOKx77i}UY?T)(fQ&8Q%x`{7iN?)ie!lr?lbb+nau8>}gkp{tu)f7b5sWH5t5aW~mD zg@_L&N^afA3w+RaAwC^zr?8?$agYxf|b;z*Th`5Pr5Mh zYc8fb&XExv!Fha`S^VUJIDN)PQ?vZ4cXZDdly+NIA+5~Eor!EHt->8$`3;|Yj}F76 zYA)X=8$}a#4p0fDCIqKLh4=N8Du%b0HtbuNlK%`bYPLi3{m$3v4c?2VYWDoT`yq(V zBU)s!B=niwbS?;H+J#*nMvHN-CUCQ_SY~O|&?(<2p{vXi-H*CqHYX;)Y6lSwTNv{- zWG2`0dib#ftXvO zLs&Y5g()5TmxkLpxPk+|C?}un{RzCR_}q+~%0{KkF%8Nau33Rcm6Y9oY;k0{=`s*Q zA(7I-;)5!U|9M=bUiUCDFVkx9oOBmyRTq$~lZQX#anvNtD7!3GCA! 
zUmOpwK8#^3f3^;XQg(rpf4os@Z|!OkM2o=(f~z>^rhy~I%<3j3^b|l zgEmI#sq~DwPuT%r?v|yu8BAdAlx3k`Typ+rp?JC7HFKAa&GvBpwo}#xow>S4SBmIY zTg6j4Z&+{V=o3L*#N&AN?AC0cbYqc+o59@=U&rcW^W}v4;-j0U*gSn7$I|yb`Oe!o zo3K1OPl5W>slAp0tKvNwP?4D(kgh70POs8!;FzXhI}QUHm2ZXoe-u7wvl&bXWIq_1 z!t${w2;^s+#GLx}PhXdkNzk7jB7aB1`9Tc0%jR1|q0{9ot3Vihs5;Vq+d3XGW0ATG zJbQ5K+Um$dncg&g7d_%Z3qn`Q(aH{FM5b@`AQ^%g z3Nf@}7~+}Sjk}cJ(UHIiDXe}dXybNb-4i#1Dh*EV^5z}=d_8#ePWk=IcEUNK=$L*3 zvS22Xm?uF$B+WNIefFLe)6<#~cVke=rg7Uq6W$jhN79-(cce!AnvAcU!(pCj^C=H2 z7*qbu-gxyxZ~O#77xHk5X0Bim?)N0+T){z}!Z(jF2gw5gYlV!7yuWVhCt5Seb+|5m zawXRQDFQ51NEC!{2;Tn}5q-O0a4U9I%2cphI6$#D?(eeqEbxonO;}fi_VVs=yoN2z z=MRFs8In-i6u5!pX^TH#{zBh8{#m^j%IjGnwFPo@(1TJgy5Fvd8o#*!D0lc%p+kbj zeN?Re2=zs($>3tWOF{na@xc8Bx<9W&4y>F;eg6k5Fxzt3(1d8{UmvirykJFYPS0Jf$G*e!2>?^l@CDl>NXX4$gcRlnFxZCNUrVa@MG-znPyNQnN91u9$q_RLu+@4&pLLJd5rIX*YL+e!1a(& z+WHs0JmpyNDD+=Bva#YIPa4itYkI|4vmd?5U7Z(}#_Ff; z)%h=B=~UbF=)SlH*BE``$7?)C>e{g1USMx^-dwri%U725?U;%fCeTf@S*5V{+Md;6 zxUGW@js#AT7JwvrD`Jo=UlvK?dOIx?DtBEDSI1JR$p^FbIA#l~NENt{0F8I?4NwHJ z$3JxKe6hIcZ;}=>&1L56bZ{{NiEZ(l``a9JbnME|t*w+Te|ec^DwCdO8BdK)saa!< z1&vb*<-Aff!)T*=Fybm5&LGj-`XqbBa$x_3O=ueLZtjI8{Vcr8EP-R>!|pz*iQl- zH+kXQ$~DqDae$@4M-Lt~eAPEq-{i}H6pE?rG-x;|9hxEuf?>OVoQNuB2iAQUya^hQ z*M}izk52}^qhLH92K4wxqPz|@W^=7hv)>tYTbz?L!Xm`2B-}>77aWM_C(QmC3NTd~ z$7(TAjOJp!8Rr6+Jpbgkq<9vh!H9?pZEsyi-YcJI4=dp}I*ACwK zs7mqsUahdhotcLK`PdOUaK?>7dW=)QNuh)ubHP|Si^G~h9$-Ynff*$#oP`Q6FOrZL zx+@+_@rO*N90RC!74CMsNwjbwEyW)9e!<_~8yUa-z7P-|D3YV`&hW-IyCpj7ecL4L zoE>7Z;-uHCC!X-KR(x}=8hANh_oFt(n2Hp!{S^ks8R`3@MTk(Xv4^5E_k;KPeZcp= zvlLth&t6;DtEJNc4OzvkXK7D_>d7=1!b@YTVh-;cQ1E61vR>!zSHj>K9AU?okp@xe zz(VDo6c0>?$1&MzWRKK8tW#~YA?;nH`PF|EkOFum+?Fo2)g@5dh zC1#C$pQ!uJ_jt20{jNlVc&y5$>)5nOApj`~gq>5PL$YH}I0{R1I>Xe>(yf`*Si$R| z%fPDqCLn)PG;z|L6u_d01TguJW>;JeR!Z%9E?`bspNbncT5m6`PoYSG3a#;w&>Xe_OHCJd*{FV+ZZy2UmXdXt+1hcL zf>ushi>NiO>p={RbZs=QPExx$;F7Kv@TybSA&2+Cl9R1Tez<`IaPEta%{R>1cK7KNmcHc0AdOjuBZP12BTLn}G9jpzGTGvoPUO*_vm&Z{u2 
zO(Vco1cz~xCF0GWtBrNL)-M72#KIZw1*u*bdl7*;C?B>@s@r)0Wyp-m{h78^S@NaO zplYt^(kiR0*H@+(a$1H%*CI8cc2An=@8Q6mT6Zs3>XddjE8CbrkCsH$E^@Ww*@VB* zesx545m7v9=7ZK*vUcD_aweNkh36MGzJiOO5)}}Im8Z$-MoGJ{a+;M{LJFX$B&|r} zC+cis7S?TrJRQkjWfwXR7hdwQD`$bOUziGaq(!`3sVPBCu_7z;dwY+O0tWT*|9Zdi zD(_Gg&O{<}CnSfa5z;3saEEIPfHDenI)Tf<+Va{UsZs&>l80z=TKYp*Ah?T=<3r<* zl%v9z*stXxc<3DoPgxv*!|dy5}roJRVam*wJKDFZcx_< zTy{-v5@KOFQ^?JQ4}U9*yl5^jGc*Qz_US!;`{CtDn}P>950Ij4HnMRAo;J41 z4s_Z_K&Pd0F|oGW?UvaA8MehEq%3$6Y{4l#qyM>5JOjLf()1xg;oz_F+wA%uue){h zW@AGg-|+ki)9|`(XJjD% zk76j~ICMaLeL^Tmi3(e$tPKH+(Ek9vbUkK-Q!l+FqQLtDPn(Y8i!bNX@FNL`^WyET zxJM>l^VK?QZEQ-%IezVjw^JZ)Un^qIzd+f#q{VOKmM`^P?@OIYN6z@uD@|VXqI0By zKG&1`ZFDZHa9f0_qFCb>tKCI)k(mm5sio2C?;%xMI%!)poPk|75kgKp3FY8ZRu~a> z_{Sp?5aCi^RQYtHN$yVDuz0e!LlCed06#ONc=vEgD$-)de15OgSHA&!$llS~lW`_d z;hR;{u7A3rx*?3dvC8!Dj_bH=PhxW1PS4Zhu_d0##W#Ne9KL|?PQu(EcAhMlP{@`s zfPeHYt0Q@zKv%fu?&`Y7(9Qy5J70^>`j5AMiwNd|01fHaCSGdpoNBwsf8~^#24tEPe;Q zr@ai%uo%>fnd}oLP!r`V(`GgSN~>o$>h0AJTMCC=kuhEK*5*T|^fVY!xjQR3i23$W z?A9Dflo5wQp6;|m%>7i#Y_Hu>uIxVdJ_BII5Dxlka0Ol*C&G=+omEjn#HWlI-@ytM1G zV0nt)XgeBe9YC|t+5F;u zcX(18NGWcBDRDbadB1aECVLR~jZoQIf|ltv^%8lt>6@rYk?i*fkf81m7z}LP!n()C z?Yrsz#x`tz;E(51#V&8t&XdkZ+X5`E3+Qu?8_sOm011$GGIeSNLt3f_U+is0s+ENv zbLyy%{(8aCmJ0psj!IUHqJQ zJMo@#Bqt^DWj;oZF4Y8zO{GjwlF<+S-I4U}7bF2D=~TS<+hwRS?6h-a&Zys zocNLAaiQ6)En%)AjZhymZ~fE`7aPRt*5IK`6#uzq?B&r)xvK?XJ^Q6QBUdHy@D@(P zwxi^EK|8OZ3X2D3`(Z`bbx1$ww7tersUW3Kg@P2Lq$8h z4ZHV7PPmJwj$uV$wyro>I6&B4+hrW-<}TJjw6VRMGV7loQ zFv?k9kxTD`zag0>}eEGf}gVHIIw3w)DX;HD-%ah6X?)H(P0*F6L+@eU8tm%pa$9P=vFzF^$;-VFx6}|=yFZm! 
zH1cY2S!J5=>yn6{TfM9*qsQ}a^&U6$qlAp2ERMX5Iw8&@{$em#$hakYl9EtzYcB(sA%uXOcbQx-!e(%Rr&6lHrTt=my8MjpmmWmKfO3!l1!#}bQ-go z%_CH-y`pD~4!rN8EBoY@(4^MXwZ{oHw~Bk%PkZSb9Zyh6Yc77k_&z7ffmp>$#Hj=1 z$mvB(Xl`vWb)Ls5tyDdiD1X&m-lrMlYdk4-Uj%2}wtpOjIR67hSop$f{XlU7u=C{d zfR1LZXBsB}<_LuPDOT$00gcuSY0#YdsW?@!oJnaWkvNiTHSJ%WU{c@QYV1YgH0YjS zP_BPch}TDu-kMGyVPo;= z0Zd=B+Jc;$HjW5K@u4~XQBCYA(5kbFkQ{*;GcaPtd{hTJ{abYbkSzRLwo+{2SnQ%V za8?zn;z@^NaBSXM4u{(qU#*0s=)$!)z0agW^~}7*`+j==YVD)7p!RF?#r^kr{YrBZ zMrdYQoKR^Kn~4&@A1P`~ohm+S00C`7V?;~|lAn1*jg~9C4gv$bIVMh%nWKtzS#Ppm z@Z@hwsqX<@0sR7i0sac)yl)NfY%_=Gax-o!bj4}W(Rx&ccFs-l{PSV0qnH#^S`fC9 zUn<+b{`{Ky^(PEt8rzHu=PcUH7pl3KWA84LD}LlrnUQ0a3$K`Uo>bL2xPvy*3Tb%H zD&9IiYa5<9ZU1u=d#g?qP+y<#Gh*~-nVRwwE=KsdP!+rZOSX|sX#?P0yDuPR&iXnC;|(g-!Id zE=;7d%EH%3KZv*^4mdh_y9C{`xoX|6!+c7MIf)b1ATl*GDBq?AMsr4p#6eaJO2f*N z46l7kgP!A-b>@I?^>9*t}t)`6YN9vP0AvloeEwN_@(wl4A$WHdNVlSfk)Df(Jq z=N1O`AXSkix$}DKHk;5KQr@n8ddv<}S<`*DLV9y5GJZc{{zxb?Wi#0;L6p}PfVRSn zn^nSmLsB^X_%WK50b8auHlv$`+or9)ePFl-JC$y&7R>ZSImp_7I86kbKfWA zTx)up$IpdBo-PZuy9ce|-wx9lfj#aYUPnL5e>kd}>fRn%Z#3*SX9omseL}2AYd(?2 zCj62N|2kDU?W-R9*_|%=rM&y=PpH(;R!FQjk9W{NV+iVCa)uNsLP&(SwX!2r&AaF8 zrQ4HHZ9}>9PNnGNzWrqrOeiwZ8dNQ=*9D>t_8IZXcV=w8b6l;aBGkJ2D^^_|z21$r z0>I;*osi_bh|r#?2immS0$m=jJ|*05XiSb;{Y>s0YKF>~PP*hGlx@H$OltbK5OB=q zkuQF^7V@Ma#=1*Ygbp?8Z!%`^&uzo8S(j9Hs#t$J-V3X8zwsq3F9^YE4yM$78xGl# z;jbq_FknfA&i8C#N|>M9)o`K7)@o{3vSR8$(?07fWr#r11i**GGvNCj{KZ}2g}WXv zK0;_!>V1%dE<{M*sKfk*ou*^_{_g*1yga*(J$VPltNMW%t@PLFr^BK3$JtR(>wD4v zF?E#7bxz|gS)%CyA+4w?(PnyxVyW%yWf4@PxlY3Niu7a*_kA} zR3}(tN}ArASODx>*4>EPcPZjgu zwdi+&svrUD?(cP=eexx`l07ZE-WyWJmSV)t-qD8uJP8n?)VY#N4FAI)!De3vxpp?) zvAWxeQOf8y^Om}FVunXlJvZ1^;L4xlM$igL&xwIQ0oz+fAxBlN&N{z`Gg?N0kvbKA z;9sLJZj+Qk)SMIVs1SAcq`+HhyAy4@tb_i#xwOkF%2;}NMq2cmfU6C?R{84Ryg3%q zT2y4O=G0NHeK0!MI};_x{a0?U_sJ=(B10@ea5P%HzNHkyGA#;CMwPkWu*WTVkOV8b z>PzbFek=toqhNv{`Juu0IunQT?vaH1p+$mPqM_}!PNGL-=YvS68k-azc=y3wCs?#^ z!J>Wb;%ssdDav^$mLurmR%|(_kxjgE=|VwC8U4K-^LTgl66sEH^Zn_DYt4plclvTm1DnHz2k9J6? 
zY<;s7k4s9)8On*5ClsQ3dVSs2=8k;vAD^CF4HkWeDW=~YXom+=7B5+TYVdYcyWBvm z13%i(Tb{1tuv+JD2rhZp-Tc-(J(%5Ip!)cC+{K&l{rU!$2xr1ucsWSkAgK9Qo^yq9 zQR02FjCA11Y=%l9^oa7^P2unwj45zb|C|7zQW{JXb|HgUyB8znKM z3IgMxt_I=HF1?7Z$k)=LkD}(|lJAs_z5l5Qu~Kn{X@aFOXY5&DeD$bJxM;qap0m6` zELMP3$qX876eEK86;p^cJt{}|ZawoQ=IrAAxDmzB`3AAPv)tqJ=1}f%Lq>4+$p$te zNZ@+DBc9xht7*DO9NsiKymYM~v7*4`l6M|v(K)lPQQ$ELH(q(3T%4wa>@GYs;63W8 z{HN^jz49(6B}6EQxhIK_p2uF?>qU*t&z6;UuKH9s{r0fwzEi7V*Yf8tSgbAZ)4LrC zDw>fZfI8}^w`1QD?f*#*OD#|t#{A?yD7rh;QV~8WZG*T6;_Wo%R+?z8wL{}9;M}*q z>5g6Jzd6_HD$Lx4vqrZsUJep8n$t3Lw`Cfgl=5VWa)dd6Qu@lJmAYEZ|3HS6)LBb+($UFG%M}gm#8X*PjWR%26vl;k1X7>!O%~!G$|*#?fM1u6+u~x%)MC5O+(Uzk zn41Yc7(W>`XxC}=%qizl^5sZ8D#(tFE0+8=mj4~>82tcv7Xdr&z@;*4ttjtcT1ZKj zKvD99F2kT=-_^P*Sl~T0--2K#`&}l5EC$%2K>X@^tZZTQTg-=kr`BBY)cXkO@wW=m z%98i>4Uk_0wU@R(dgoBCuJhv!~G<2u^P zIB<0F$bJf0h#lvE{$^}DyOV}j)J);=@tZ&ko0h}>q@{&b`~B*8C_GBfGkLXMnM^7 zGWyDtP*pgqybWR!APgr4DzB-M%tg*4V4=yFxsU6c2<#x6bh_gsQAg8KvYg5eoW9Y8 z+tFShZ@Flw?|$tLelD>$h#h}82~KrtWKHXHN`}d8TWDc&N`sOlKq@Bj`ypx?#f4$B zKQow(>H)@pCLW8(9Q`|?=ulN7objPjMweFt*{ElY9eF%Pe)UVEjl;c7Iyk~ z@47taJGwll>SQgb-DhgrWF09KlUP&=5u{YIu$--Ke%xnW{Ng40cZ5{G9hC&J6$L5w z4~G`oT{inz{t%PyRh+83hVcxgWKXG^dT|2;Wf6!bBls1iru`vYX0c_T8ecFIhU(qf z+wOdI)kHl`hb?+tl*8%rr7Hu1Ux&V9?&?iQ*akcDrh%%if-Q;?H1JC+Sy~}YO2H(l zB&kGZC%Ql+1K!>f`~Z#?#_O(j%WO@yptB3>yVq6iLVkOa4UJyGxDG?IcE?GF6(?E0 zpk-v~2`2$5!4H|Drkav?(L-hghe@}8LGtm`+At#u3W}woeMy{rD?az3c5Psd!ATJ7 zLSjE<$-5>Ecgss!uL9egE;%iHEbVsK9OeG&CgoX|HaJ z^q3%_(IFetoiXOZHGQl=*~I(hWFusc1XH*~*Y6yFmLH6M6czHOnZNJcOPJ(Td>zc> zLupJ^QhxjueU2n{`J9(2uuPuL@bF&iQ?I=?dfp4nwlL(3MAf^q+JK9U`g=sT0jEje zuV8DF6jo0x%J|n)pIk6%$6ub5nY)oIXR=`uAF6;P&0i8)r^+@aP~q~NbxJ(GXgtoV zYbxa8kB{B&wo3(K*Ne^LPeMwS^DV^)G-OXvuon}^yg^y%t4osVXPH> zvri`@q~A2HWa^w8h0Y|L{G2{Imbx{04j$U~zTm;Ov?d01*vOZG=2t^y@P2q%zasG^ z7k&|!&B?5pf)=01%dFY|lg?}DG(NM&ZXiLX#KJCZB0<~|mNcd)KsHKD#`u#*pB!8~ zYu(o_zAzolK#mB;x$Dy%tl`p*i@+W22N@mP7x#K@M1xTk2A0gUjH`nX={f0rZo@Vf z84Y%JtP!3>xxRU1cdVS8ns~6Ai3`pj!!yxhXDe(bg>pq#oi|~fx>M&fZOdYv0Z020 
zxXQLjlrwclGhMcP;5A(Sa{q)#Yq%oi{w0r690Xv+8{6B|QjcV))KP)xb{aTD;tD=y z%;Mmm3-(aGP?dKEDbRbDG7OFnf|jOeg)-GRpxH1T9B?}MhbsA#4Ea{rg=qPo1aq0* z;z5uKOLeL&YUV<>xx0xlRaP15bL5us8H?e3S66eFxCzAci4bPF7tJfV)iUmy46=E< zrZG+VP`SxZYEJ#o$l>T-OAHp=@Sl+#n{VaX3t0{qa$ISaG4Wuc!jZlx-rOZk6ENRX zbfTFEv=vn59*TEqj~VkcpxWU6xa~6g$D9IhpubI>pL>&8^#g~wYAMs5qCU z*5(%SUCn7NeC&F#?B&OU5js=+j%%9!AqqS3kD20k#}7odcTbe(uK_tAzb!-fD;sZ1 zQpi@XCB~CXJnQz=A>3fdsSK#`1k1XNqwj2_qib2~hFNe$)XOT++~m}S>e>g!X~qv{ zI^;fVNU4=%f2}gZO$w~p(&7T@r{E=M1=55gp@>2Z`k>}wybD|g5E6V`8oRo6tFyqP zWT|?94Uy-LNeoDK)TdG7GMlM0$wOx^|H0l!H&RexY<06T*-as=NCOkAXqty^ju)+1 zutk?BR5ltjGqnRQ892FiH))l5hQE(%5xI2H$su~7oqo~;GgbH43)Xw6qzafN;7~zz z${{UGa@E(QPLd0aeG)s#td>lcw$PC}oovfAG*JaLr()t4(+mf0k9ZFVI;10>uqU^_ zJ4`4TDr?bwsXCP}+Z!bR!O90rPP4?amR9>x<8f5?oPW6f>FSj7Jll0W3-hs*x5zAa zSQYQS2K-ReK?T;3#ROMhzj8KWSUHi7I$qI~+q`Zd-GM%y*fj|vEQM7cA+@-+2H1oE z_6*1UP-nAiL%nFHwKZT8j{7;i!OB{|dcR+^RUUzmx&cJlp@IgW0|v;rB64DMiAf=m zy4*;cIjaa}(O!d1hG-32QA5ISh8t~OeAP_3*Iex|#{>5gLyH%T1v&DgL-(UUbNb_D zlY=9NX_fJy`(2mwy|Zs)%>~}R!RC^D1?42fzzojWZ;P4?8^~_%xRYTwWE9Ats9~7e z%evQthC#;CJv5n%t>vas?-DG-u@F*U$d*!xL{~%uu@RTKq59A~5kgXs^x$cSHa?u3 z`5@?w?VvpL4XkxCWQ)h*-4k&dGD?ML%povBW}QfsSU}1lg+*hx9a}Kf?=Ydmu`E(w z5|>kdASfsaX8fb6aJ1u&Rtq%X)E%?&>hQ8f**K*B&XJ}9z=SwIiL zlE`vUc@f@m60a`=Pdn%36}C3KhR4VVG%e|iF{OG~f4_oj2m4Y2${JvwbNaF<#~A#1 z#2DNy!ZjX>_xtdQZY%myfwv0}Hn=uxV)rg*Us_c{KR#rdodu0~(%LO9SsL!NGfB}Y z@@()Wc2sc(6RrmDUn-l+ zFy@z+ldpe|p6R}$az(|vDPbHt9S3QwIP(NC&S9I(v75TbOFIvYHS4F=@-2gt+h z0fUJM$iv3eV2RDT_3%x7eDz>h?Q`Gx&f!-5qGh@2)630%4BnS_8w9Qfav@PUkNZ)Z z=JM;>`S!<37n^scySD4Tl_qIQ6oq?Juj$z&?=MB)=Maa|Rh)di21*}(H%lmTQL8+6 zGU5g+U5P@c1XglM8>Dy^6JryL(<7ys?wc65ddpypwFRjN;J!qCWbFkVeiJdtiHAvTFvB81B_S2Ps2b%u0 zsO&TmE;(@}3+J})<&$h2v;bZBi`c#YogQt5nCFj9B7V?{s4x~*Nwoh3n+8*h1=xCQ zwXvtm83#?ijA1YJ4k=_gap2&bX%MOem&xlPlt zNO3+2JRfL3eQ=GT`$Z2XqqQ60C<+kxw770QY&uz|D?!sqt<&#O@dy|WMI>#Sgmf9% zgq?4Hhs93GJ4Xzob_N8`!K%XuCk~H`l_HOMEl@NjcG$`lPY%hTUrQA$BuAsJg-k&4 z%4O8=psC|n4QWP6dLiq4{TTGA##D`J0n)#6hG>DOkUzu>IQ~?3w}W|g9C)Ib&kprE 
zTq+8$@BT^;tOMruS!XY{U5fp*Y;9MvY=wkC)C$F#nGGLsBAAAzPmxhIA)yDJ$yNw- zEb%(_8cpouMv4@}#f`R5?ZnxNu*h-$Q#B+b6G6Kqn2Jg>!~tAf&JgpOrakOmV~_*> z+hX+Xf`+sJjXNW96~OhZ0ul|4O|%$_hE=?2~3>k?@3GG3W0)t}6!N&X3oO zxMR|TlC6KmUyq?L@TH)aPWc^cU`me)rIw8-r9QO|I}OPcVeL}@OHVz_L=;6kfwvVi z$M=xOlqvUAU$3&DxA`qMw-TIeU%xjQgIO~St-qYocywt9pcG69dSazzNIQC*gL>_I z@g1S}SQO`6oa>YBee|1=BYoCK=4}kmt7VI9I~Xjc~j@VSLx^J+GdYWw%xFH9lo{`UVi+>)em67F+(TCi3o}tJ4DHxs+-Zk z14&Yh1Q>ib?0sO7`%~6hhDIDc_O8!Eh?;5VJ{!xMas*E|__fS3#t!VCcvKPEH@&lb z^2$kyprw?@*Vm&_eThNE#joMGt*b;wgeL93v(jJ3Ka4K#7YXk3wb}zI?M^m=11p&_ z<@Rr%l&Mloi{_H{q|>;KNvILZAtqBJ;Ib@}jAafcZMTK_lXMg1f>%UsAq%#W?j3ZG ze^;HqMRN4AQLvk_w~!OTS>)p$j%5E5a+tqX>Gbhiq(0{aa!h>_hHAO{G%;LoH5j?IVmMRRCpCBGIFMow4b#n>C)7;rG!i-o6^N3#dQ7 zjMh}2DZ#(~eO<}-=)%iZRE7x_wTg82qHb72lZvX^NfnPwlu%HvP?k_lWGPH{`)tC# zDSXTGqMqaM&?JH+ZSH6L$7bgI$JWlflRwGre&q2^HAthpg3TG@I$1^tUnfzvSoE3K z0$t;xl}MEH&?!XPx`p`cvp{m+JaxLim9S9QB2hOH7f?PQ9jT(;_SI=~)G|gLEOT3N z7-f-Be)Mv}R55?={SjX<*Il`+#=J>ugcGS^2lApHnTAL0J>t zH|}ecfarWtRTHU0bQ#9Ew5q4v!?zl<33fsU+mIxMBV15z^R76?Qc0jwb0PQqM|0bop@dT&TqlScBKSovXo5EykF2X zFw>3*lvuU##5Ps~^>WV$G1Nc?$`*;fGzf&Kf8O#SOnz!2x7V<+1g)FDk)xBIAx1dy z`d`piCtnIm={#+C=;MR7Hs~u(y*-elfcehv$5&g8gLBM9I-Uj=zVZm3)jQ+NnXvn} zCGuvemh_GZD$+`(tb%-ENs_3lM;$}7%X{wom%*c<%2eG{7`RiIYu{^jSQ@yBm~-Xf z;ScU%cvl-0!gZ>%&hwLUw|~cY3RP>D<)+{Kcsf0dBpi=nFm{zP`*3^jA@9i1>?Qho zx{AAz39k8fCzCl-V*mD!vKc4>$PkaIClt-SPx|~+E=8A8BuHr-+bOt0RKW5YD!7Sc zDFwIg$pjB?maFbb{v(<#R2w7E-EkwzlZ7ElCe68PV-d4^@9K${cKQ0<@m1}8Da+7g zbYn;Yk^4XwwG<*dMB0 z@RXER3GsG+DO#SMyB1~QO?}3ex7&TCvYs>g+^5)4j4Li2C_~Oz#`r%E33S(C2v}o3-nOWjf#xYD+3uYr+O}Wi{%5xtfn3L zW}=d8PGN8&qZt`7uade*GcSQVgn}uItD==CieLsu@;&_1#oNNW>2>spU)444YgoMw8-%G6RBASbC|{0-=2lZGo#6 zi2do5XIoyWt3IsRQf1~C$>3zqk?`qx9<y&)Ms%_wq5r3-t@|m{tp$bYXUsjit@O2zLA2 zM}v+7)JgQwG^{E8in`bj=Z~Kw3a{s$FJd}h!xu;l?JH}css%hk5X&C@prAW$Cv1NJ z3a3^TMyu1%`--7$S9-Q$0c^17S+x5c05Yo(WpkWb;$|#NM6IrXZk!O2#&G=ZX((P9 z5vf=XobXQnKCz2vb6(n}2vx zZ>0oshoIpnNttu^vugC64#$7x(uL5TW;oMX=tM?Tb-ZH}#Q#|qkr)H06GGhl1F?4& 
zTgGahnTN0`l9A(^TeG_NH@}DB#~n&=nYb1$4Z=0Cga6)ZD%Grno0$_)^;C5+SMNuX z9+0*-3&qnEY6P--fd&FSftcQ)eUS!xH4mad=W!{!eX=9O!F7iHmaqcG6o-k#RIC)U%zJ{OVWWIj^d=AP z)B9`U+!w=qBx)~7R>go6;j>blqky13QZWYHT2PPVI__`AfbfpU=ed&Z^!M-W2hG;M zQEKYse!i=4SazPai9bG)*sP?Ts!yw(e4giwEqv6!xAR}Q*}{d)US&-vn%t^O znsG(fOBW^?C_e7`ODZiysTDP$)Z-!Ug+9g>jxmfV0taCmA(Cpa#}n5Wrr+oJy>RjH z-+cUJ_TOn$N7rA59CG!s+y-VRpM4Ts}zzj zUDM#91}uxf^Z;N^!a+nK7i(5u?f^oVWzAj0FgHHSb zEw?M^es@a#ZL?(9v0qZQ!0((enbHTp2#vBy^G{=rI-w0(A;&Lo{WGGYH5?vIWXO6~ zaN;)tzm2T(1GgsrX?We!P`v11ivnf6BfwO5`6dC9bE$X&I4z0Jn4 zKwF+zTfJ5=V$%)XlZYo%Y3$Jczov`VF}KvIJ?Ukp)P?AD{HoocQJTNh2g0(<-BiWc zfXAXkMG|zuO~vNm{8p($POtGQp9e|l->g%e)?cZDfSQ=2ilkgzAMnhpimXwE5M5nu zDXKQZ=HBC>W|&ziU5Knf;Y4~KdJ>B<#yA2C9PiwSK4JMxQ5ad4M;fxlym}-H!oWp_ z--S63Fsk{7cl_oHv}v=j=k9hqnQx`}wo{o% z!`*Lrd%D0`ZWiYaS~Z{3UDBdb>#fcesUf(l1y$L$n{Wgsn7JZ*9|x?vo~|D0?!6!A zc7OVlE(-~;mPI3IWkFrdQulfh7(>%P(!u6yT2M61R9GmFX?ai^ryTezUVDk-0E~hM zZ0i>)Oj-T;LG3ZN0bY|WisuoPmrE$WSJdvCL*OmOP&4{3X2Zv=DKhUcu-oGm{N>w2DtJ78N@0OGO1{c?QMvbS((1$H6ev-Q1nu9l=kL5 zsiP#OdB_;Xo~qIqWy5H3efB#@SP{heYFdfYfh%9sMGSN*WJxb`{vef$hd6L|`ya+d z)uWtcB1GoTd-QueN^*A1RZo8#4t@E}o#j*8bK}wOiDJFyB4^r;HSzV){Out|Qvx5l zq;mFT*q2fD{$}eY=X`TrsWD;|z1M4cR}9QL>^7XAip4;9jPxbPI8|I_x`aiQ(uH-Y zgbbLApJrd^9)~kO=l}ezKlYfGVdPHG+8^J)uY<<`w-l=1i|5Pl39U0KgQo65?R14j zwW<|$U+q~t%Lp+I%+)iH*z!ZqQ!_@_WB_0VCj; zV=M!cBh@vLQfH_J+w_EHp*JXYD=JROFr9NPw+Vk}z_&K-<8!ey+JKOB%kb~kKb^erOS-caS7@W2ARF zm3@oaoM%j7A#; zM1)G2`Ja&;7Fnwr1$KYWNa8_&HoE|AVuJ&TCWFq{s*oZYmw)nay}*9jlxq9py*4r4 z?mIVVGnyYkLK0TxRaQ`XqKoKv> zOq~{S%p#Re#^^@+*7~zQ_8uU@i=Z_)S#N2yDTzDoD^&mY5HT_}H}tb3deln=&DY44 zwypkmQAJTaJ~_^lxp6mFM|ZgmDNV-p2dc1zRZa8!_^ueUloEZqFsmn_zhe4>&v%4C zcKXfzj82+@<(clC6*&egL%m&qyE|Fysl$z|%yKf-=iGfx4nbQPz6Svellr0J- z#GL&o%A)4|<=Z_hAK)7D8MZdsTw5%axVtL^ly*gM?IcNM#}`Dmc^2d1zEz9$)q$aB zPr?hup-^QF!V8Uta3dc5(62p+hcWLp1Fih+BVasLw$Mo~{6wt!&JwsUk}6m-9%De| zLJ^TmAP|weRJ$4iH6h<}yZ+Z!$&nkUb%OY{DdKPDS8M5;{(TPur36l~6CcisFuqLa ztAR(RET2iBbMn@KKmnRw&79`6z(PG~Z{^#XN{_NRS-mI!c+!GIDwG~S8SH2zYOuT} 
z*g<}Ortj$U86ND#YXIN} z*d6ZxlE%g8Besg*a<4&Fo#b^uD}(qPghWt4H1W2YPU027K)(>OHM5^`hMzg=SN}*m zj07sM${8a&-K}ot1$jIk9_Md*1U(nEeVhWDUyfTD)a_G9c_40YVg9?q0DTC+6{dRE zP?@SfNYRNhK4t7)G;cxt-xFiOD6zh}P9js#$`_{4pf$5Ua)wB?`bdBM$BuE&iB5PX zt{41$O_LE$&1?q+L_=lnjEUPf-WsqnvM-;U-r?sgdJk`iyt#Qm6NZ$z`&}zB3f>rK zT7}X#Ec%7<2=i(R?n#8l!Y*|kR6H<^kgE?>d=GT~n3 z_Y2$i95=es>t--IToBi%{oP;nX24oRHcpW z3@25X?avr`XW*{jfnout_x;8*pP4^ey)T3hJJhx!I(wDV`EJ&FLSWs#c@4quAkjV; zs4Mz$h!Q^Kpo=_I@)8lAX!4FOF|2i3T?N%mm?2D3+d&lv1f#z&c<%glD1jto5L4!C zd6PdNN{Sbce-HSzx0N3C?#|!n<}Eb08S1USCkCFI%r+vOZ#$iR?GzCgUFa0gk|j&N z4f|!*%7|j5tlD2v6QLrJ#8wwbdwFm$`SoRaf#W9GzV#3&N8p> zR|Ivz`y$IiCG=pn;+?HzPe*MCh~Q<#3PJK?p%!Gj7qneN`$9bNdrJY`krwT_0nN&t z2%d;P_p`8Fx#83&48eho`xZN$RL?i4!d4);H^#nm@^bAt4MG6@J;|dZnmZ7qM1Li6 zZLdD9Y&vkI4CU1F40=BbGB8x)pS&WZEM;U!RDu)Hq1LOKlZu~U8rCgKLQTOD{hJENtW~> z=g(lPhx9oVOm^A|HqGo5V@o@6k#xcOVOKq-BLZvFV;t|<gz?f>$FAZ zy2%QgSEUGpl&0eZs^{l#Rxrua2{Hdm$_z9e; z8c~CMJ-+A{Aato4DhaD^roZFMJYxKnVx;Bm937aBP#B&ZV&9Uc0 zx?>Cbe6Gv16&ci^teq#^y@wuGW@Pz+y*+T(6k=){DD+9EF1JWvUNk7jd)W%zkBuy6 z80iNBf;vepFndAt9}v0e^gSmo+szP9eq!oIo#vCLOy53yeo`H;f0&Uj6RwSA7PFID zdWL*`;>*?t1is>l(FX($@t>AqWXG{kFKoQ8o3kiSzup?WjMWF=YXJB+0RAacv=V^# z(I3{mRNbUkab2bD_2;IqFT`AA zePxlT27nuk7q?C30@+(d-ndhB>*SI)_5KXC*X5%s~q*6>qGy!`B=Or62i;On`p#RpqT%3DO zDj!l*W-{oV z`?5Q2$Vq9Z@Q&8;-U~Yn`2bYw2B-!M8rDXRpT%aRItV25YI+^76WOfy6=*3CQ-i&u z^Z4lA_;~3ha`3Tih%Sj>%vt{%_1D!7EZ^0K`1cNlu8%Zykl zgRq9)=H{cymJLw36=wpz(xbPG$wAZ5c#LyECRt&DZo+uNI87YS=}Cc~tOw9c572Bs z>xH%Rh=#OXItgh#$ieT$JPI2fZ=5TL_UNRi-f2icR`avem-}`1^&FU3iJpT2SnSql zo;M3#V?u_ZQW#UZs8*kZJ`o{cHUdK;4>hZB1lxAp6cfpf<)wEYEUM8RJgR>Jl4)TN zk_i(JW(!5G=2hzMTHQc@S2x4-I>Bf<0`_&gSN~=90a1Sa!kT--X$ljQ-??Kmbd}bCBg;N zJ(AGE1=KZr!tMTgIXUY5&gHS_;_yD@>HrzWm(I{jLW;~2$zclMpjQI$KEKpNrs=Ca*3 z;^b`|ioGQzlwwJz=b|=K)%PDGaNG zalW~AOrVMePEiCKJ=*Df!dUuxdVjy2fL44JVDwjFvW2Q%hTkMTN|M;qH3iZ^ z&WFZ5%BoVT3+6hjKe>}=?2yzDw>>2+kSyW;VuinVu-`b|c~GCLy&E5X0r#M^_fofN z&<(w`C8UpTpj!8B6b$wJt@-#}OwEU~Tm2VaeT2p9~BoVO@_JGf&9hYP)bKv zU|^##^GPl+|1`n7|o9|r7e 
z&k5+x+)Kzm#+s%Nt5sXPQGKTO0p;Js8B%&xFUPonL(f24t^9^U=nnYrN4ARLHsdYF zT>I?FU?F{M%3Cu&Gp^)1D(N&$Dn6^~8jE3NsA!;Q01I-D7gVG(n_5^J`o z!D&OVf!QB?lX>7#oi1aX%lz7D@{u}lt8x&UDX+pg?;g!f_Wd?jfrK%;0uQbnMJ=6? zI!dHFNm}#8cqqH~ZgG5>uTls0zQ81qk`N^+iXX-8?V_weo1|2$_=xg8NaN}2zR}P- zIoAFMP)IZM4OaFR`A$Dt$0sh*_!0?xZ@P{@&G=Fh{N(y8_+0iq7#q*_N6i}J+4I!1 z#g1%-aIx3!zQ)Nzb>ecnL&4wtu4}rb$eUw2eU=#Vpyb&OR1(zy>R#&E**kxQ!xp+x~Adasiza{`6p_J@#J z>J5{$sxe)uK^oS8l&Z1wz(|LxdD0*5;ZE{g5X&BPLZm~G{Hj^v7f4oxh-3^=Y9As$ z#V7vI(YNM%Sc1FQFO1T~vwp+8xX2o^PFj0KrRoV`eFS$F<7Cb`6>bV88cLdI0_Sn? z=70C{*ofvhaEpHSNdL(*4%Uw#g#LS10rg~NqnXte$3fLJ*ipDV)8a+9YfOTz_DK_DQiZDK<1!<&KY5vqF5)9uTmjjjcP%(L4awu1=R~Xs zfvFy9;p)64VI786Dn_Wr=x>x+`mTsSisPKJ=DWkHWDHeTtiYv- ziCb6FSLqSdc_HVzTv~luZS3&DE|-&>)QuqA4w-GI9J2b^Z7uMyu=D@O^V(Wo(e_4{ z&KB&sA46Tnx=S&PbN~fdJ(1`Q=FPth-}3H|7GIDz}xQ#v!A>#6fnOS^8s zxxY!W>nXtj63?DXy$I6lJs+<4!+_!B*Y#swEtZ(jz+^ZaN)ciu(Z|jx8?WOpQLGHO z>&g-`i=8@0MZyFOom5DG62T10OsH-08%WxdZF0g`Fn%aF=U1%)n6xs&3>B}P?C0<2 zeu<99D9WE+-A$WGm8Hjw;n|v~x~^u~xDXvrjqYD`sL%&oxMMPame!6ql`5KKDH$w1 z5|g@ZNGUjmle(cK>3170{CLM>kzp?26gO?J;)b7_zh#)N=bC+q@JUP$*5PmAFhh!& zMe&T)$Ug6Ac3i&1x_9Z+DB=Im6p3;v)uh zp7go)CTAjVOaWS{?>IEu*JP*~19*P>?kdh2V!o_M)8nM-$1#(iF1O8uD>EiC^(iSg zx#wjbcY}AfUxU7?XX{!3=|AAA@BEGakb75x0%259AIT{muIQI)-I%;sqvWyBbEMcT zv2(IcB6r}5XfN(!M|9wQgCfslo9?g61;tOg6eqaIJSeh{@;B*y!uF)Kvx@}=d>KZU z>==Y9s916c+r`nsyqDN<{dUkLvMu|DCv2!PkiHrvt_uq~@+=3lta8LS>Qhw_yp28lIsV4c_dM?fB*t9+i0ulF zf)uYhhR9iM!W@&ZDWtNPOKIbZs5xPfzQcsF>3AsMB3a;d;!ha$P}qi=tN3Ld-r9!B zC*_YmG?hv&;4}*ky>F6%Ny|)?(g>UxEK+y#od&C8TQk zaZ`L9n05FyR_x1Q;ikX_NXhU*`|fS`J``)ZSkBhx$VT#GQNP(V65}=Lg`f#%6>Rem zEev=k={iISo2tX3&6oa%tCK9v#%!v1lsK=k*HMInUzoiv8wz3Iq3{I-aO#)!qCMk( zAK4Da78Pn7qMZ7e@q zvia?H&36ay(}=<|rHU9oo6hFoJGq6_=IxPP7q>d3is!HkqmP2e`g+RMUIO&OzxQqr zJx*0DnS&}qqY{-yhBs*!e=8%a8)}H7D%3URI%tAqzbtCakK9anEF2LkIMo6ElDlyscH#ewr2Usq?lx>1rw12GC@}7_HT?^GAyx!+t zm?SJ`gDyE&AuYtess*@$qr+T&;g6XQN^YEMP2`x8kgf`wXOlK=t0nG~bxuk)&U=gE zBdkjU3fWx1DKNH)0%_^KG1N5QuLsN&nfZh5%?`;-UY4bQZsEUexu=dAH*nHQM8lmS 
zu1mqG4o*G3{O%Mn|9aPnv_Km;APnZ0E$0j*Xuz_?oP}C7Ou3nH8l9_PaY@Y8Rrbjv zWfY3YquGbw;&=%aGvD%*DS=PqC(yo!AsB!3bw=Hr8bPfgTESQ5>nit;3zS)htM6bn zhY2|V7xWI}a;6+qkAA2`JNMwogecdV#KXA`>fEgT$%AcZ-4#X!YQrFcfy5YJjN*6j zC37t*bRLhr6g9#?8=ME3^X*r6kyK^Zhe!Rd*RQJ1cP=W7MY z+B+40$6<9kLw^Mbk%IBZAO>_DlMTc?G}whI+piQ z;6}HA1N$ES{th?p%%KY&RcxQFgb9p3co_BYo46mSpffY?8_v`cDXsa*pYt#wUx*by z>n_6|vj{M+tfKB;$TyLyBRcgZBI0mz+6KDB+G`=3FA7(&i+fo6?76^)DY3Rmh2smB zd-wC=(S6Uy3^?N@^J)J<(0tcT7=Gr7VQ5w6eFd$Utj{CWv<{7*veDN1%iMw2si(jG zpNU<(+-np3LdbE^rQifZ~OBzIV?=k zbeK{y(9d?D>XuQJpMThymHmPf81s4kBPg^$Rxb2katDJ8x8cwsbI6o~NyCEZ%$}Lb zl-lOfXPIL%Th)>XHtARW^H}CREMs^8*(GkNaZTzA_?A2< zu5p4|+guV~1dbAG90j?OJBX=tCofhboQBCc6iGtRM?n$U0`4bvcy!>^r`qZ|L#wrs z`Ijz?syxH9-^g@E2g8h$PPQ%D@n_i0=Z$N8-Ga!8EhZS{AeFj#wQg}gqwT`0FLXH% zF}?AB#F^~l{{|)y&Z2rXEEyB?uGwSU$X7x;$RE|9d%x5!BcVsL4t}E?{TO zAB|>?uT(pI*>0wD#+1QdEiY6Wp*`Qx2^o++FzsWf&*K*bA<qU`{)JE_5nuI9ARDH+9V{z7;N}y+!H}BZbQkgNxLeD}l%ECx2W{H@@ za;l!Z>_Bc#t$ALjPB&UHCA&~7&T1IaoSSGPB%8%fEEdCoI$E)0T+2)UDjL~Ynho#6 z*t9yWPGHlvtDi;hk)36oFTxPE;l9kF;iv^_A1NG@re;RNIQ^?4m06i6%c_?cZ~XoD zhE0=97W=9wfYu41P4mz&;cfexmTXaZ|83sCK7o{NT$^+;=1Yfe-DX^f1`m%t`% z?cK}Gv9OI|ImUwj3HHpU;b@~;o;Sr2xl;ZTu3va+8d^BwP+jR-tHHy0lfF7$JY0V; zdo(SYmx9qw=TTfZUzBm04rjq5YP&EnSlkQU*s!_W>y4WaYFMo)zI1w`?RG3BI@&P~+9_gi&k?nF@RjFCYy1Fe_0DbhI|{IsNKKutPt zf~iavAP@vGU-&HYsV+g2mEZW!!a%_v+gh7f2JgFc-1#;avVp^d-Shn3B+e^F1 zET{u=a>>&qSV7kvMmUx3e6l4Wrv9zlj)I~UVy1y@a6KEAHxLntM^*LVJY zRh3R$DxUB84NHGhyIP+t8GJU>7M;!TF_(<|C1M7A8O`IaYZ`86Kn(}#IF`L0N$%C; z3F-rMG=(gkBaOOh@tEkih@&>#qx_cKmV0KT`oplgsL8X68vn=Mdxtgkz4@XDDi(@> zpdwAM(Uo4LC;|e~duR&M37t>`q9R2Quu%hoNbeAO=tU3+Ekb}0s&qn;o{;41e19`@ z=brh^JTr6V-gD+Y_n-G!`(2;+^Om*u+KbKJD^=r9%qnfk%iqj|Nme-jvbE*GO3;+j z)YQ!!ZjYmG?KL&n0^+si*(|>xeD8pk&2Xx{aS(swFWnsHhun4}}a|AX0srRnS)zj z8Q&@~{&N4(tLXZ}1xV$!=B^2Bo`~EmJ?OSQs{g|E{3b|!IU@G-21+VXJ_M$2<7e~5 z8u;ce6kZ5wbHFh>?ud$Ao=2fT5NlA(7{?zc6MIWXd&`_lHh3Yamp8`SkN3T=6^-`L zfTc_9GbBqSy{kT6atzmHjKXDMLbOb+=`VA?+o}NBh>(u$Mh`=P$%C}{e4_c>QQgFh 
z(t}c#@!O}|F-*12y!htNOfrh5X-bzq2ZRRM#sD)*>hi4`C#05LSL7bB`@;w3Q+-0G z9V@+?N{!6FNd1_5{0euwW&?h^hEhUg@pky|1K}3cm^pY?-@(NGG8STZz`2TS{W$r^ zhMP^^l?{}i@j+*z1a&&Yh%W`960dNn0p()`v1W)FYaB4G*>*@Md0{-t*j3v9=$esm zL!+6f7XPkGKyV#yseA*zR8Dcz0J!-kFPtC=TEF#>kZtbM{e)D{fOQCO+3SY4N!)yu z@s*sVDspZ%@K_WC7uIG9t{8Bc%z5~3{R8W55xDVf28B#q&o>Xzetqx>s0>* zo2#v;k!Rnlt(jYW!=|7RQg-L8V1!x)8a>5o;K(G~>hZy`4{|N9^4u6~y+OA`$CEb3o0 z4mtGar}+rkzJPmrrb)sppo|Z#{l4B&`+Y12SVqrzu8%r_jho@uFi7;AQPBI(_3j?) zWM{FvNoNHWZZn#IUOX_vHu_#Gkv&^$xn^MREc2AuSZKtSRMXq<0&X&L4sGAQdkw9f z1TZE6j5p1?y-oSr_iVyuWq?i=BodJ|<=JPNbSGd9YNu>r$b&OET!$2zDn9l z0TK{B7M;GkpMZV%>CR>a20{9feR0F7P5KTg%ThjyIR3mfbrSZ>Dy;+!}sb`;jn*-7Z%FdGlPzbF7|fEM_a2 zaE40^u$iYKKWWq#SDMWb;0X!di>9tt;d9T=mBL272UADcfjV6t=yMsK=hK%l5q$T^ zWP?zY(cQkidQAX0?e3)|ean&*jgertn82gU%yL7<-Pnq*!XI2775KtyFWGoKVcj8r z3ht0kIg=xH#f++so?ML^)okC^&?xX%3f)~tV-uJ)UMVWjsK!`c%G?#xt6IvjPW=#R z&xQ^!gx*05Tx2#i|0@0Ye6Qw-=Y>%}alK7*aXrdetS85~zLw{o&We5#tfQqoY#U#e zSy~DSF~m>PT@DSo8j-MMo8ExNb$BEAuf%LYNpIfY&F;Q#bh6j^8I}}~C0UlZ=*=1} zhEmnfVG37eif&7xt1fWrAI*4lhXeH7 zFD%mAbOUxHteZ0<6_=6fuvu`3Q*JUvu8*pEnXJxlhLVRweq^{bV#kzzBO~+?`}4k% z@CBY93+8E3uWmIhtpfMa7uka+GI|oi_^dCQpDRt98SuP=Z>$M!*K$Azfh%zK^LTgW zzS!d5(rkMYXC&D6eBFPAKh)h-i%-6-uiLWI%rO<7z~*)^b6YTQGm%_7vFzs4RPRBs zy}qGpJ|_IQ#yLxpo}{R&YgZrWEClk=&(^L9A{@zHfS=?HJ}hq(JcL<5UP;r?9+lR)np7Mu z9$5q;WK=#J}LjD0X|0JgF;ij4%vnr@=`M+9lV=tvRPV&GRP|`~YSz|g-V#{} z-er!iT7nQfzl%Bc;R}lICQTS*lXMsV)cv{NWWuo-jD4HMt#c|4qL>^sQPurC{B3XSG>E}JaWIH?)weie3#DTU+@)IW(Ahq6yDFtI ze^mHB9=^NgXVdVqP8;*7_By*Yy5-S+{fRa1O1H7F;Sw_*XLKZ1Zbl(3 zJ{YNnu(t@OBE2w5V<8)xp%1NNgQY!5G>4U|?{t+!cQjlNrfG)_98BsPaRl2*up(~$tnjHR2k&24sS#zOAkC7u1}Zxwbsw(kk;zZ|yg$-P*0 zpBTu)z2(La!mM~af}mDqvIlogyAp4X|9+~w>?u>U?l79zQRx<`gDzMu>Ox@ss_RPa zNF=lDX4P8GVp7baNUX0pnlV*xqhcAC8mHbcj)GSJw`40fYpKLBx5fjt#2YwnlV36y z*M;s@nD-}mLF^ydN3vXMhQ;o89HWLs)O=FxtlqP7Y}yw85*>vY3Q1ewxssr|lie$! 
zKC9JjR=YwqTHj9@1b=mB2g7gC?*j|IvvKm5!U0F26eo>^>GOS;#98}zkv?7%BQ6OO zS(TcJ;U7mm6Wja&j0{wcJzOG5mMy$^R+n(tgj=F|Rd8Twfz9LyrnNa;FrFM=t*E{^2t7$8 z-?8DWO71p~;RCpmV$Q$W^a532p z7mwwUqi% zmO{6OZtF4OluRC)dZxHkS{k;r-{wwM4f?sQN@xb}l*-;F{tm6x7F<CSi{l#Ve{>#oEH<{x6V#_toX?Z`#xOGNcxy3$t@p{=$qCk;ykf%QjAEo2Qmsg*h3f3?dG+Xu7P zO^vb=mckwCpjHiduEe7rPTta=oO!+AgT3!v3&Y>oZYk1@fwD1T2&(()Ug-zuQktMv z?v4JVbhn_*>A^lMDm9+b-yHrfJbQoi(PU@4Xv_oQ^2Cvpjw|pcuR=C$8;}lpR z;hjbilLff4YFPO)@MhA-!+z{WOGXkguS>mwUJ&xIHbu%X0Xo>nMYB5g9!E32#VxfM z2{~Wel{C}3JA=)D?ME@Tko<VY;R$TEU~hFjgnz52FN86A`U~H2i9BvXG30L-XCF zgdQ<_@3SvWRv1jq?Vc4Jn(t7EVY|MMt8cqvKOy6p6WI9u|WH&FSwVM3&v6hM1;+oRrNJ&g`<^2w;Ecq;+{_Fb6G4a0d z&ci*+a#>$0>~V^&GyA@Mh|Q9eP?W5h{*_Cr$6fDw?p3x2Cm(P3DoVuDSO1>Ll3Z60G2F6Q6QLs4%rReme)Ox60D*F&?{sD$pu3JC)Xb(c}+mAz!hMY8m9XN^@g> z?K`qB!_<-<{Z(OH3ZDRNJjgAHhdL5IQ&GqjNw9!2q^2ljHi9iPIEzCrewv|bGR zaBujdx`o~b+OatyyR)6g+`@(WjC*V+FHErZ{i$R5U}3N z;SHhN9QtzD>xpTaT=Z*nfaR~`T#)lHO5!zQbG#8Ut}M>5U#gfvk_wRb9G7_9^OV?h;2>X3ZoG9kLWWPG1Q{`uKH#$MG zWBqdY=G8a%Jm^jdlYV{RR$@3GXyPgH+c|dOhOR#+=egrZj4`{KT2?ye{fZ5VnxLKd zrK`B;1K|=yj!k-+u=!}*R#zUPfwU2tl=CP1<%19>8sJIJaoH5bUO_^c2h{-V zX|X8$ZpGN=FEyYu2s%iBRrV0)b?IVA)hsgkl z4eBDzuEemaRy^w@oh2FP|NUYlJ4b5y`N2KmhS_F$w|gj&)$Yx6&a(&4zB+IGQ5YkB zo1D(I7_Mo$8?PJDx3;N>z+SP(hB1WQP~^6k5PK0Ry)-23g1;Mi&*KYC$;1_X!bm6n zn<)6)_dj?C<1c=+@|y_$qB(trZ}Po2`mZl4$0${M3@^~J0$a<;OxCKoaI9JIsltwe z>n2S7YYX5Z51hhp%C8Qe4c*CO)sP~l{c8R1Nj5e4hU zDBVvy_ENJ=VdIEdtYD`F8rt#e```UIFE4sMh05m(32%A5$AlQ0teRd?On&QWNc6%q zs|hGwmfqr~m5vuewYU6KeujFq@S1b^){HY!KQc41&<&ze3e7Hg5gsQ3uMoQr)?M$| z_9cyLH+KjA^aq_3yhd6$-z+z88*b$)@VZ-WJ`7Epp7rJC?X@D_Yt-2FOU+%;dE3H; zhs@BY|JLi*(N*XUEN}$*MA=J>P4<_p-LWz+EfNCVnGmx%!x#Q>R^7G+78JK@Fj#eD zXqU+4DCCeg5W`*Mb=Sd}S7z}U>~HyLMU17+`3%}c^N_u#G^(uP59f6LSL zz1>l(e#3*TF{P_P9C>u5li2u6wB-0G^J5M-E;UdqfpvcnlDlSu+xwm#3Xfc9hT&s( z4O#$a3!&}27*m=qweO)p^GR$WCpowIgmubv<97QPJ#ODf!94J1Y?QcGO!{z_Kv*tQ zWbiPYyz>>p^Fw?8rS5AF)Q3ajd>;k^!Dn1qkAzh=RcEUgbaPD2S>4geV&`bm(oG+@ 
z^$l31hwhFHRV_J`bo1CJKC_sC1ou4B#<*GanYfJKMl<-gxUGvePm@Ps>$-EmRl=UVzwrE+zP4dKfbnP7mz6A7?2uEC}zY{=nynNo{I@bP-B zl4$A~;m365-!r~SK_xrOjsi?mld5thxlKRxk4%Q7JjTKGUdk2uy8D!YK@Gqrf_|UJ zysSr3*|>3W5JdJ;#!|u))bw6 z*{TY}>>qu#0FO+S%_&YGeYyh!-GSe6)YTCPkks?6(ye?`Mt;(_ge6wGntXPPh(BqZ z2`=7ZRdRC=eOZ6BJgD?ZQOop!6T!{reOD5HMli(Vcz1Q_Q%$7&-V#|Gf49iKIKIZ} z&$jVM*3*{#6Kmhih^<-oaVxQM%%jzbD))~AS9q}CUWu1ntP5DMwPM;>aGF|5&b8+$ zM_CS5t0v~~W*g9S+1*I#bMLUh0clB$z|snV$$n!>b0)HTXm?A)<5h7dIoq)w<$ds> zOQ+9)>kh*0Q>qDW;dh(T_m2ZXQ!BZ@lC?b0tQIB#Hldc$#jovWXjb}i3gsWaqQ9E|jAme`93ZZX6I z)XuG*1;L+qjXg;1H`$ONxf9l&y)U6@Nh83rJkQR-`M~t{r${&F#(~sZq>&3yx#Gx| z`qDYv%Q<__JHyrz1+$~dZNMgvtZ41yko58Y*)P1{Ng-#ehbO(MaJ>R>jo_!nVlPvzf;10Z-^?X|K(g4*-MHs=N$$W zFm1a-0zQiLFDeY7A`FS_940Sv_KMI;utIOO0{@m6hX0V;XHgObUtyZyxV;GBMC-D|0mlyo2BW(_L%pSVnKKF{aeH z_4z8BQj_eXie%4trV`V0R%ax2!B4m3v=ez{v~Bmbwj%i^Abf!)kaWPo&tR^-p7ywf zJ1V@#17W!GI2eq>}r$LU4!WbBXz zUDxjKeqTdhod@t#)X<(p=Y1_Zj`fV?-WTEY>q4>GN^xhn;vCVj%jPN0*11c2OnZ+=Y#~8;TS8dU8^7s;4LVWY} zt3MSzZS#h;S9_eH9rFtd0vkn0tcNJ~l{b?Tux2!)>LE_Py~Z$yaWsSfFk`%Odxk!( zbr$U4tyse^mseY!8n3&XBE0r8R!A^GSo@qg=<`zD><>?mci3q$L2jTZTf!`VO8)jI zDSnSXBSEH=2K)QjIuAJVBO8{}rNQFB2>R;|1R6X~4$gQu5@Uu_+WQ5m`LQ>*q8;K^ zY(w6R!7Y8uwos4-N^Ch);9&0`h>T1zy03+@5ij`ok+oW^vh)1{&bi#Mz#U?W?Asif z|13Yc!bFfC{bE}d*{ry3RMoj4SKGC}`7Pb=S83k#`{4C;yZDRq3@s;t@_M+LqIG+? 
z6QMzzm!rrzDNkWtG~E!B7ow~i(>s%+E7i1W58G}kIY7e@hy^aiZexEPr8C^pUCx$4 za`JzuWVY##v}4)Wx1cW8wn<}YUr$D!P77%-g1JsA&6JMqSBJNfUtHaUVmnJylg4wp z@(x=xw7PT!4uV$JGo=39z<${Bi;r@yReP!xUe%YHe!x@ztWSXLry+Ag)zF!b4@AFd zx$2~pSE+#$*$R-IsbYe``ITQT$md><;H!rX8SetPqrE3ztAg>_lypO*e;2u==ThS| z?!ha|u9v21N}meiVE46bFGI}v3TAd}zm*trKnR-ncNauD|B**Dm5VR`BfYY* z`*JPEjy?~qZHSe17%+F-cYVf#YuAE$*MUu;P~!bA))6UVX&*kbVf#l4VJW|U{Irct z6XL&9B4Bn_x=t{`5K9M7O?sZ&mFJ(QAwGA9@(5smHEg1%VL4J`(;w&7c>CT~T!+f~ zG7SEWxj;45$jVWbg}K>~xxZ@Y$q@;7W?y2LxD@2*Tv3HgDsZA88CZ{xGx}ivtkg?YVM0RErtyt zPB!E}A8H~9z81tq)zJZlVy&hp0h2jqg)fI=y4K?N4~tqFpJ+5y>5p~P9IYoo@fJt% zI3kqPO(2j@P&4xx8OWL(p*B{_1QZ$4OVrv|Y;@F@n$L1bl=C&s-5L!W|Ig zWy+4`%STY9&2ghGT+z7Ir+&*%Z5ji|OQreKY~I(jE>|a~p=}$geLH*&RM-BLi7ykJ ztYhD7?XJNzx}{H!0uPUruqM(?tWPh%GN#a5Q-S^2H>jb42Uyf+UxvsQ-IUxJvbh^~ z;lZ!o{ch~H-}_6sxbNvL0wft<3^?fBpHOo$3E0)a;xpt%KAAK+mwzSr^WM*fY2=zG zMid2u)g13+#La9Hw*BzoPgTyZ88%ODxtBp&X0qY#q=6E7ayLu8P`h9U?*w zMPZ1xnVK%72a-{ZP%92&E>1ChHYe|u;(uK;y+zBfrh!plapD7%Go&m&cGG|F>R0%)~)0e7y#a^Ke9i9WgTl z&6t7Gmh_O?bStPl!Cf9ff*g2~w>%tYz>es@+lz%j0A~o?1|A~|qm`M zJI>4ue8UVhx1`fNaN7TSdX?Jr5U6~lyF7seiNit|h&T=ej-$uUr#4*$D&OrcANf!E zxpy@!>3088Pr>i{OoLaRaAoegYju+nO#*8R_{249OZfCPr@;BIF5Z4)Z zVdu$S{)hO^_zR~rP8ZNI!>SZ`4471boz;2cjHonJZx+1z6m4bzyw^IMO|2s^uW=^R z=<$~ePYR;=Su+ioj0K+M@Rl0A5tVs@p%G@S$f33r$kIB~Xw;c>;Z;G@J=RNxOm+gw zxxBqbtxr|c3aC<}pBSE!WUa`hb`!|bw%^%jc792f$2)JNtfSgrK$RYyZ+J?c)hmxW zK!8{G%$`x_*9+SPQHreFhD=Zas(fB*V`V*6xcV7*^J{Y4IZg;7sghm4qD0<8tSa>iUXs82Pt znF72UXwE~j5~`3 zX0^OW4q8oArwXY`qkD``S+Q0WQ8x-?nVtzY?ku}NRTTA%^^yrwhk$Z1Z?ti%nJPyS zRb})OlT-Gr6~)y30$Jwtsm5>N>@r1Bj*~c2=`n z7QOp>K>J4kdXXX=RKDTN6)#&BnX6HR4n>$ygf$=l+gvq3+*W_*x^Er?Jn*{xgrcK} z+ZvP>Mcme;v?$`X79jo?!uof||KAhXSqPLT$`}~6OGUt_@t9~^x_Y}AOW_$n33X$y z%z&XgRRIhgjV&;AXDMiU3YwjQmi!B?T%1}rmT5-m7`;U4xIyVqv2<0AhyWPq=mCan z?DL@SJMy1u&;bY8xQ9NJjwL#v19=UgP8A2JB^;w%>751uhM_coAybyZ@GpRFouWKJ!OGTH^ z7ov;-T_;6n%L?Es0Ng9H@H!La;zyQ(JSP8Tuy%*qH)i2Tk24h)U~|!iG7}u8X`MeE z>gOeN$tE=Y4L71UXJ0k`s!y93*bW|4d6dM3{oNL6R;=Kss#{?{h|4{X(x 
zdj2OwT@|BONw`qXB{ayhoH5x9 zxNeM@!tj4MureX7wK}n6@pNgmo8%qK(x{TQs%~PxWpPVlZWlU%(W5Pfg6HdyQ$Wg|`k1}}cK<0I0 zuPKA~cY&7wcDH8F;-|+cTqsjBb0C{MFFQy+a|;r4W3jcv7Hv3Zi)0`^(ciiYFEd z)qgvn%E2!n@bY{h@Mro!hHY7t3{@!^#!xb3+XpffS_3jP`}YFfFLXdw+Q84pxfJT| z(_wOGYa^Z$_GXvvx#e+9aYf)peQF-kIlr9ZjliM9fCr$QFEeqgUlqo!ftAz0THhBB z{uWYAB%|3cxK(g#)>qsD4JEo$l;~(E(VeBFK~G8JI?!Dw^$JJ>Oa-JdN%i-DbryI2 zt?s{ghOz($!kQGq*Azk;ip5z9Aw9)2dlcYV;u7H5i3jjJto;82|0>Tbm?JY<&CPgz zG77jrukXkMM<;Qe)l4mXUf|OnwDXharWrb`??2Pps|}$WXC{KV+b}?Z-_!yH{=fQ} zq#bUR#@0y+dVxESc!8Dzr9}^V=gQ|k4Dfn=HmOk&c1QId285~sH;|@x)=M>Aaq24^fvoLhKWF`hpJx_yeWxLG1 z!dBCIq%2)=rkl1QR#;haDAw)apV#j87r!w2id&QiXJRI(muN6UQnX0*n(ttSw0Jiy z495fRiLW)XuM{h_!9JHlULYoyl<_?^)yTHJk2qHt%^DwOT#9y7y#@|uD2{h?#c)`1 zPfXXywklR4!9E`V1I&^#p{J%6*>>;|=K-VHqUO9BO4-0S_KN9{_`yC1r9?O$)M( z^brSz(UABsRMNCW^%@#?hLd==i&GpYKn``XjZ{%?EK?lQRF7*ex-*nf@nX(ONBUEJ z#D&2+v|jZ{wIk<*m0!ruEm4j2)U+cX7JtNr!#ZMso(|-kw(<+a+|srHPbJRN$J6@- z0e~&`NOd9~_I|`g!DtfrFwD}lg6cJQ+!@T`+zh9HkN+o1>tsD;E5Tkq+knCR64g?V z)DPst{*So#Fq#xT47)U~xO$DWJA+f4o6i)-FOG@LI@xmBN}QLEr_T$*!V=YTk5mux z;lM}S2N+E{ABI<&R$kq~@eCxcf8fFfM@l;DxU87GV7bo=h{?0%o{i$xfsYgBuhaS9 zaO(dIaH@H3m2BBMSg}qOAp>^t&yUp$%bYOOQyo>5lt!NNl z$#KVL!<#A#W2!*R=vZ&NS|VZ1xa5?x6Ljy1U>G_~19YvC>-|XY?EbSvle1;C9aUlh z3dy+%ZR>3^C3FDP*?v3do*o7I?l0&sP2kv25a`z{IbB9;Sj`OBk5ZJT6y>v$-^J+@ z`$V8cIS59g!(=UF8@cEvd*}9_jhHZ$(SEP-2B6gmKqloS8~_wdfx1(mffj)P zbgFk@|Jl3=R~ao|?H>SIpU}PDHdOKefVwXNNkatV(P8y}L8mFuKPIOD*4hgIw8^-2 zy=}XM8i0DR0<57$uh3z~7H0s~SplFv)TRKGuZ{w3Gwxh(yHv^xKs{Lj)`+4gAXZCN z06H%)zyFNclnG$1iw2-w6zILbpkC>KLk_eoP}RShJe1~bZ;JLNrRnfj^Dd>C`&U!w zFRXV75KOXbI6Ca7r65r3B@j>zDf9(kuumw0gHy=h(qU}$vE_FJ>u$Z8 zzu=Nj?50WoGCQ^;c~G*!;(ms!Z>_B&dd0o#Ujn~UfC>~~5C{P7RZ)P>6d;Pim`7pM z1sK5tlPOk=|E&8brTa6b`wqpS4!{E{Pfz*hJlL=pS%_4WTLU>GIqvy=+c zQ!0F&QbK7;h24jM3Qzr2o`;kQ|0jURl)RL|zXZT7PT_W-a3d+)sT6L>-TH^Rt`zRE zzk*1i1OWj1?I_AkiV|A_C>tyQrEe|8+MQyJrC1{<*8YD7_%~}sG+-T43RvSUDZc9| z);<*LWs3D6#X5sx{r@EJufU;yJJ0^LWPK|sk%557+9wX}(R^tkHV}osnlzk+l;rg( 
z;b&4n4=Le?QNpLCurazU`LGO5hFdZEesxexI@ut6TEDR(j0_g}FBFc`wu(vO9``f) zQfiY27yB*xm%W#SmwaS**>>yG0%MLX2O7JAMgC1#W-Z-r{eKJbO!3#fjEfEZ|0tGJ z=z+**DB=Gd@i(;GAb|c0_z%{@|9G4!O0oVY@ego{hkp(q`^V!V`;UknCI3bk?Dv=MTT!3#};Nmjs%1K9W6Yr4djrck$+eiRHoer$ux6G8GloIVxO)fSJ?t$P3BdR8%ZRXQ=o9ZGfAozlXQ0 zkCVN=wAo-MFPNXB9!Berio7rYKg*l!RM-mn0klBcQ@^NHxwHxjdFik zF&36uj1+9virtyL*+l(H#q-tErHt9!JFL~avpL!!^872jJIN@of*zij_}GfUhDw>ckTlU3n}<=M<>8)_r#LT`(Fwwh$A!E3sP-}XMfRZN82iJGz2NFwM|5ZARcx^O{A1 z)(&;w+{-cvjNsCMyWOMc2lKkOl>O{FA3OtI5`$BbUlDURTkt6K1&htH!f;)(q^Zx> zj-Wx*C_+zbMBFSkSF85)xtMabw{Fgt+9giCT{wUFjn<&kexc`TN?}B+num_;MdV7# z_ki@$XEa*Z;R&*1Q6_e!bK+*}-ewyN23lssNiq1CgMTq&*(>xOouLPodavKi)m&Qm zsZr#OnF$YVOfr~Ak$kG)UW7g7;MB9BhC9FOlKdDDz}6SNul?O z^+n@9el=cOyw5ECL>AQ|o~(J(wHOmEVuZn<&ES-U7JN;QH9z zme!N+!gBHvLh0AO8_~mjb|p=`NbaMT+a#m7)Vi?jI$`{^i?m+wTsj21>z@^2T4p76T{S z{f)r)1Y|-+r6LLnp2vwiRybZJ69!|CCWFZ^y!*lQjOeW7)J1X^Y$q1MX}zWywSidI z-S)mfCTB_6mj)bkQ=73=8Atf{wLdt;UH`$JEeN#I3D+sn-&*(?g%~R-{$IiCKqa!Ig@Yrp1wB5hfCW z;KS?RahCmqhSY)$?#sJ@!eb+(x0igq^&hJD$PcR0)2$cm1o{6Cdux4exxVhg@D#FRV+|Ve=)@E&{am)86kZgKMjnvQ&+&De>R^9_548AABu;mC1TU9$jI9xT z^i$AQp6{5iNVBpuzg2f7F#2#Qx=vFmGCT<8YdQ7#{OfFP13OOoBFMlqUU92}$PYjF zI&uQSbf{GaZ|yBzMA8Ov^h7+6>Beu=c}4MPEdl`wAs|RTYeU_Hm?7C@%*V9j&B2fH?-BRc$@d!9yk7-|1^=` zNXIZX=i5N(AVehcS-K=J$CrgxeQV+~asKp4rG-#@y0i3DuIS^G6Wo=KG}6gBv~p(r z3f(!P+tkU=eT2E~ROnsD=Uf>l>*Qn9m4jU@HWIUrcnKk|qP}3KW^^aICy2Tmd7_7h zhj7B667<-YlckXOn&;uQ2=4=?l=GWQ4tE@{HuOZ)o>30XRySkY6#7;F>uG<@?k-;Y z!Rd7ay8Bld76Z>uSr#xCNM4^jtD^TaFyZUt0fD2UBb43~EmoGO`X50w0VVT&Uf#w0&>59f=YzzU=*u_bTz!$&_= z>u+>BFJwgIZq1|?o=lqbeCuzI{agTiiRN41P}zBbK<|zKy=!a${VJ@(f5|Nrh84}6 z7Jc(7LNdvbShmU-0@>w#B3p1v3X(n_;@H~gT!G62BL8O$EP1X zok1;Jja+nS*u`pQGs-?yv*QsbaDiqqvLK1)ZKE>a@4V-MHBOf@pVrFY1MXx;_s~X? 
z=OL+^(G5S>A&EHNK4u|!9qdXX$PZvmEyO=w_{B}F_kj+0lI54~y+1nS4!O@+w{El0 zCmj!HUVijQ@7%;LRo{itbfb1HE~CfP~#?b2G&l`Gy3*8=ugA|+3hp52H< zPu*o8USn7hJP_o#V5%0;^XPSma9w=5Y5ei5?9j@tm=jT#yyH6mDOO^`DZC}bD*Js$ zhN_&^k8Q}x3-r1yH3GO4&D`g{P#o=Sm``FaNyNC;sunBB8f_ow|UWwT6p6mI5baYHgB?ds1nwrSR z2b)A3m}3+EK2y#f;Tp;v#=}a*%CEB=!QL~+O zdz0L8qr4Llx|eywh!dk}sNL0VnvcxhGyd<^gD7~xslN3x~YDjy_{Tr2gu zSOsn8-w)~aw0L|<6L+XPu1Ah~{&^EGe{_hIKiQ%`Av@AhTlh_eC^r6(=tP`DT~uvb zo;xijN8$r}v)S-3xq${4cju1QI?wL#AHrdW*bhgmX!4gCWM~BRY`S|26W(Ah9!Zb% z<{#{7ddAag-ua zdt%N-Q~JYE3-P8wGY27XsayAH=(Gh(B?};Tb6KEVUO~G8iC%9~d%G`3MmmKhmR!^` z2t6Kn0Bi8R>BJMzSUCP@>6Hf`Y!tOt#dKL|%oxmpGtMEDrY{ShRX?ZC;B;Bs{Io59 z2bMiwF zp_|tJ-)1Yisoqp}tGrM7-N#(l^0euZejR#cm4$)nn3}oi_9hPxa@sN8+v@_+@Xh=W z+Sy4u&!^f^8k)(>MiN|aqWAsMwJVNf=uWh@_f^9bP*=ou{@9!oOJE&@=Klss;$K<| zBGx0Fdv!#~>esVArMVuZxg2eMHu?{OH1#qA zrNN=gA#SCkdu}fMclswDQrGA|7!om*wL1V${mM~)#U@EL@TCwZ7$LeKAE(ITef%41 zkI30GQ@J!_`Qg|%>gpXcEz4&~evfAlCLX8g=9V?F6iarkc)Vd4gBOS>)kx#dblrAr zt0{-RqxUfi<5^9y|MBTLr=r3ufs%n-htkxWWrl}hyPO^Hz)UZFiI^R$a49DnMtffr?A0=qw5Sq>G$B$k<6H*ekJ zIKtg~jy0{oNmGD&7T!wDx@+2c*YKAo_0Qe>siUJ5mB7`-9@Ko4+Bb!0zSq%I27WL>7CLu8 zZ8rM)K3K|@W2DmZ7l)azYh4ugT=^UIIM<-5wY$sZ)uOlMw{R&C;b%^QzI{~0UJRW{ z)hE-S9Nq|mxm|(ow>t^F4zpz30LsoeY;{m9Y%xbZZmq`CPTl-w%H|*g_ZJ(X%atKO}37=gUHM7w~py zkWMc^S6FS%sK7KeJT8)`yt%~nb0>cvucV!B^qgyv9gf3`Yl5>TyPaSFT*8T@I&S^5 zAICwaY!dS)>|8EHx=q6&KyNOR9eaqx!mAivfr|42%|H^)#SO0;ukPVZVL^oC4PWn* zE(O=COTge1O`63GNP14cOe|1=!Bzt_adtbGI?Dj2jMpk_V+7r&1og5H4%SY5j6bZ= z;aS7cmw9QxAV_-dK>mPx2b^aWnqSA&Sj|rA$M3{>ck!C762YuL)K=jQLZ@fZ+OL`H z1KHhsGoJgtpE%96PDI??V-!iuxpC2zjU4*h`tJvuh@K(rwI(~ou&S4K9lyEYc0>fO zi&34oXrtAdV==WsT&Gv#VBVMbAcE1;XA|T;6(+FXQd=g#T<00?j1cPAdv9QBn z2f?m_4UUHsyDiOInKvljQ!C6z>-Vd{(*kWVdvi_jr?!PJZ#n$5hP|s6;k?2bK>_i@ zC`Wqx?v@}pdQ>btccsaq1SnxE*6hs{#ADAADThC7<{d1+QYZGkOYlMeAzp7w6mbbH zN;85&;t?RLS`-rY*b4VpIO4-xv;{8R2SL>INYz`QrpK`&P@m>uno*P;uPVQ&4qvlQ zY_s1{!W$<&#`L1_=y9YWyn(8M&RL2sL6Zd&+$;%7h!1i3P!xvpJ|>7R=RuYG+1d2O 
zBSG29QK(;Ngp=8#Esb4)W1!6h)fD0imCnv4{e5EZjkDCoXR;thf^27i(K?`ZEQ>)* z1j)@lrh(xEwmJqtH zhUYaw5;Tfyg+0a1W1C@$T?@d1xM;JVZr-l3B2K(g^^Bs__yE@+QMBZZ*ZVjLAZ;cz zkaAuKZWM+l&Ti{75%G@&QPQSCgKosjz8g)Xtv{29GOLsf*9V=QO}YDRdz3ao8Xvdj z(!}KGiTAWLx%OU`FjCr-D1g*FEC`V{6&jibPywwAfiOi=coousnNgI{K1}sg0YqTZ zUvRZle2QAQC+YEr3Yh37YH*OhGi*y!F{?I-m_Y(UR?_{O*h$ z*S^7~p~ub0Gz~p2N2O`VDvT3o8hZ4QOw$l#nN*sFAT6cRG?bVvv8K65Mm$HkSv2k9 z30;;gdXrXixnd*X5Of$D;U{1JjIDUq3q$TSnEkV=%nyChpB{rek)Xu;nc8#z`!=5# zkJ;t;11&WW6CyovS-2a6Tg_OaIzS z9GrM3W&n<==LH+;A}P7W>2&PI&9m1i{pfMup1q&WCcn3;#vB|KW6UEcm;bccwk~}| zTnjjr=Vpc5NBY1jI8Ye^ zJFu!lE4bT(4M2&)9$h5{lf$R_IStuv&dj&Wmixel`MovgBe*Si)+ALqAYz$pL{Vk) z?xTrwq8Q}%qhYJSu;|x?U{jn`^(`RUFerjzSd=f7l{im#Cr$xpL{X!c6-6wp)-dy4 zmD6JF&sL#;YI{&3mPg!ho%9##5T{ie#B?scXny|=CQ-7KW0r4<(UGg|yq0i05T#hi zCJ7>;#P_0U53Wuyj$st{(kiI*2R}`wK6b_B$>hj$9y?k_8z#wvlVWLpZyH}Ua(I-4%|$2lex2U>_6 zd&>%)@Jx?Gr9vv*cOI-X><6t-wU=SWs0`fmL`2ne3drUoM#!+ z?HsP{wPFx9J+>8sZIQA}0G7hnFgYDKJ>nI=BkxZZpE%G+w7IP~S|vq|<0B33-)Ad? z@T8`|69_CAGDo`Yyf(HG_F854^iipesP#(ZLArLfq6trG5--*}j9c{|o<1=s8Qu1v zOP5Y+?eKcPEe6{FM)dCP9*1KOa0c~{ZdAmf=4@pc9_J8UO4y(s_8Xx@2gby)SyLdX z1E0bJBJ7c8tI6=RGo38NxMI+5@Dpq(oZ)Ro{VRx`5`jEwm`+vh9-AOOWj2O#>DZHZ z&$xS@=FdA@A%~|8gG>w+huo;&Um~BrZ=9`c!<#Ig=4<;ar>n<=M`uh#jd1Lot*FEK zx7V{3b9fT;R-0;a81aC{PEWf|vwaaP=5Qjv9ORZCV4C~O1;*-4Fb}eOP_T{8MK~Lg zuF%}jmRL}1+*ZwP-%xCxt7UQ^gK9Sn0+#{w^q>qscgK6LZ=1|HtCH*Yx3?%J5NHvC zJam{JD!xLu=V%lcC9kD2eqghL?yZ|?5z;815v(uK&k;{464bOq?_GiQdqlav0ES?a zEiN&FnJeS5uM61E8dM<~q^zI3;GeD3#1Sv%a(>K*H_wtZw&N5GGYh<^{n})y(|IoN$=$9OD*tdd&Lo zv2w0aPsGz(1%EAgd^=kihRtTPgHkqnr8X(9_Y&zCKGe8G*f&!bxNddRM=TToC}-%? 
z^$!U^y(U#<;q|)onpB;I*ThMWx@-hivhqg@ktLc}egWb&YR`DsL2ws9RYr0_{_NyJ zE*7%J*~+V4%{5*@@|t2DhBrh{kKOE{*Bm|d6+917V&t6Q#@6VZ7D0^k=+DbzJQqJg z`;LAGKiZ(1y`SDE@9&f8%;3Q2eYADpnq;CYY#j4ewY3?sIWIGv@=92((68@q-+vsM z+I5H*UQ?{faBANU^a{r}paD!_Ja@1a2%3Q&ZG{ytdGy#OSi%AKT8!VtY)_rk(q#K} zi|)jk{;mA9mBEFM#oK~d&qb(~@GIMS4>1#Kbn=O%NPhkF7o6tvq%djuW)z!YiLq2U zTjXk!{Pm|#Uw--NT@eaCyQWyt;qeJ;#;OTu?kWTKTkTHahv*@F0hBA;3ejjUfMSi& z>efg)FF1aP(SUOW6wKBM#)JkuE84~|LLSi#L62=&6g+b|hKm|_rpZ=-BSf}Ma#xNW z!yAUDi$1grejD4%TnaV>K}t6C(ioSuS>)mY9V zMRNtF_`*jl$|`?-wz>}o-D6*?T;aq5lEl%v1gofS>ef!T%1Ux;%xA{zH&q5tH3aKD z9Nj0pIl^q5iO~5sHryL{8JCKBO|b5RjZo_8PnXHhfer+1z!Xb77>f}cFj2_a=yAX$ zp6U{ahs=;FO)lfFL*ue7RO|8&jeoRI$ zAoN&_hC_NMdpdsC!9&V2tl=1hc`nj2Fe!gB=zjh57jy%eH|*E6mQ`Z|fB#Q|WJRJD zQY}yjN0!O|*P3dMiXF$P>0J}71TbD&OmID#=>3&8f2zohz8LC=XSgnK*y3f5_w8K792*MvKaiM|(vEfKA|LJ~qJG~Ey z23-?Wuz#Vtj@Jam=TBL*y1htM3g-3J=e%{HB0>E07}J~LCny&m;vJO`^-$z52$3GO zdW>!a;ZR~vMnn|3Z=ulasFR_~!>z}@|2Di#ez0Dw?>k{F9%bbsrP6*ZR^00T=wa!0 zKV*Fqn2pT(pHDc|QIu*Q20sh{ui81&m3n|)-=JvN;I<%2dW-mG7Vu4O-f;XZ&Ldp@MSz6dem$05QsvfgM5%)$%gqAI*5`I z$2yGi<>c(I&n9#JNUYAVj@$U14WwEFONt(|^f=OPZ~D_;mn&^0tkAtD8-^c+$LzTn zQX#qo#8P3_;OzbM_7>0KkN;qT!sI)~mRfy9<=!pk+<5b`H>?HGor{V*xjW9qFrNH_ z>5+z4T%-wVe#ZyD2Eox|6_4kb1_99{5Q9=zl>%D3jgEpPsH^=9F!ad4Gr-WZiaZ?* zL3Qe9fT3rJcm^1H#)k*7Wor&6fn+I4*kSW{F!X4{aWJe|)v9Uo2umST2_b6U*?e`S(=pH>8A%kE9Y<)Nn)9LaV?6 zoyPz>7q5A>ae8w$QQ`xT78)~EzPh?N7(|0XRz`3comOd?Rv`z&&DnH_U$KkMMQUCV z(z!UzQAkdv$JY~EgsA2XK|x@bwwKswMH`@4iwt$2%XB+2i@AT_L?-#&oJ|z?q|i*f zNqc5li$359Wx*QZQz(L9=~+y6=Ngt%gb}(_c_vCGiep^^M3oBs&qgIqUc+9;yo51f01WT`YjfKdtD;>X*5y=3uxi+K@Xy!Z3I4gHkX%}ijF(8+Hr!T#oY<%>Ir z|0Z~m>|Xr$s*#10Mr6M!6^c-~At;%Q!cr@E!6^5I$Y2QYp z?y(MXry|UFq%?3n?=>|UYIs(m8sYxwx~@yQ-dSbQq8=Q+1SN4#oT|eV)u`exH)Iua zySfEl+q##Tb9d-=ZZ)|Ot?PJ}V~UoZ9QMMGZwfXIC2LG=`gZ5S>&6u=?5Q- z*4^D}I=hY5LTmF^f`G^yp{&&c3#WOUj)(` z+q3ixL9fuW^xbviVkJR9bS*v+`-M%16InlmV3nRkJ>NO_$VZei`x9-r<+ukupjsscm!A6$qydkKEyEl@vLYC4hG_U(O?jSOH zF1EuQ5C23E3?=4MhyqJ$v?VYCOjN?h^4#ZZo@me^EPy*$N|h~H9KVLp=QFzDb;EYO 
zcFsH;#7CdXJc<1^k2NJJ>unu!S;?C+Zq=@hS~3(P0Ez zYp90V&Dm6PPl)*7%e^=TZ}?PM}csPSd5GQ@3 z5B>sMdLFjRvhj7~gUHAmd7RO8&2wo-Wp95Cf}=-oB5K5;7uVE?LkfpKsat%p@CKUG z#ae}JU1wAAjqcfq@Nt65y$2G#_XPO^zARyG$yBpkEn%$je2edb(8&3! z9<#>v1#$=RXv`jpgGkBys9f5scQyheuft>WY+}F9b2d6l>Y%_=5GWO}Iwv&DjKrUw_!rxAtI# znXQZD_DX<3SoDoN7$G-@jRMABvkKy&XOVe~%MAjQ{oD+aowErQ$1k8O7 zD_=^qv9Wzo-3L89|2=cSmVJtA)cWwN-M2RlFGT7U*=^>wB{2GquAfC%( zPgd6Y087AWYAi`X(3EIW6zEjtIUYQDo5=+RPXc=GI?zKv z`Rh99v%5W;r1HtilEs1t!BC<%-G=Z@)XK6?=NlhqpfSD;(U9jZxS;F}%OI=^ zATv+GMW3!<7$+KPn8uh)mg9rW-e=bnjal^FX361{&&v$12a%I=Rh`BFg7_#=9G|`l zP*PDfy2oT!m5GVMb&0LMXVI3fvPC**fFNi}Y{rA`%I}VHSth;qPG=%#9qt9nzSm5A zP4iYq?IMICdpz*HEuVSJ_DI!*ON79kO`|z>EDu0ARhwXkolT%Q3X=^8z_)E(qj%>7 zLPJTTxdUdRlu{rx;>m-M5VMIX(KQ*!=W6&pL45Qm&e7O1lyBN5IjofEI>(AisQF;z z_~0X}AVe4i8dwNvK{B?d;lttfflh_}_*RI(pwE6n5R^Lssdw<#xf z^JRjwVRo}BCvMX&RU;Qe?*dPQ-sxLXlG-mhWZ)Nxx~e6d|MrH;Nvf;21ZB9%H4(i~ zD{@WrUxy99S`+=(p~kP)ME`ZT^Xu>M1X=duJA9FHj5agvD9g2yVI#uXB*8CnK>QCq zj&3W0vgJ>0t6ps`O@-EMc%z>5pO%@wV=zNyX`Dp1y@%gqoi4lzdY&l?r|&qJT}q+X z1ND+8dRwMUH+*SI8k~3$2 zx4{L78)FB(WUsv~h@2ja#lB>7u0=O}U1VKsU4z@RiJ+g*oq#Em_)wlZnDOxFamGD( zW97kaq!tU#U`3K9sVzJ$2@<|zdzNE-Dg3dT=NNK;lKqi;Gd<3?*P(FQS<753hiZxg zIrvHzo!czPanB}%{`4KC0;*8Ln(OGrVmshyFnv{9!qN=fVn?UYJOu~`Z&)dy>0l?G z3#MTLpqdfBHF5`-f|9PV!jykjs0q&|vwlJojzy|=1K_NnHS_Ut@fsz!q;%I`l*&#< z0U$PJcT7?ldm8;GsOtXQato7nadIor=XrawuCc7(Y|`(q*TX@`7r^r{64>Z2B*R=0 zb0rAx0(hR?Cdau3L0lI^>z-wbu>5GKgdc1gdQ9+jng;X3PF}q)fHua^WXpIgHAEv- zS7ymx!lE_d<({DWd|;$F6X$5DNIL8#FTw?*ZwczrKXra|$lZ(Cd+@5Mn(PNNQTZ$g>T;e&Q#4N{T53h3qbP8u(>vW~gCR#KNwj`b}7rf1z zy;cjh2|c#@Vr}9SUrc!;Rm*QtVX*||{~v9T*n=iP+5eZpMUY+^%JiCLIBy9m_#X?Z zfOY_A_UVb{YfNV-s-!M_TBrHCM_d#eEN5%$;3Z{5r^4tO&x1`D$ zJgdUSa3BOx)1z!rsI%f*Qm#2$1(o~=mM=IyZDBn!G0ozu)XkoKWCEW#AyGJYlp0np z{2FdXbLf5)J03mF1d3Z}yeeqbBUlf?qOif-$?vU9A8gsnUO#4dhYPZr_`s|2htnW_ zdfaYz6We*OO`T5^ev)0Z8LNcA5bA+y2?pbFwuUd6I6juig_%>0W4)n zf_HV?x;?;Oh$b)ut1-NQh4hC;rQaVJO7PLUe`r-s4*wmtb3cx#II}CMVh$JHl=KK^ 
zU`1kHmB%hZL4fpV=MyQ{s+}`ksRv;T6Q;QgVy8zpkJA#zGJ=@sk;&&{B2FKTEyqne zG(!jR(4%?B`v~}ro{X+w?ebt8J*nCbA&lmLzPm}VC9t^---h;xyR%hxI1V+w*5e() zIu4_bvVF7QI;N)A9mN6-Rq2P47i>0W%UWcZ!-BP|@Lb?-2?8WYNCp50uh|L?0Qr`$ zxy`pjomh^EFW-ci+`?+6xi z7@_QQ^qswCV3ml=dA7W z+j$TwajrC;2)O?;xBZ$0dw(KKT#kwRCthax?re1FH67mkH3kBUr}arI67h5m~16ph)-b zdv?UD97IZwFm!#k_&viO%o`hfhszvd+9G;iB3Pr~=~(EohND;} zG7Bn8+!2)i51u#LEdD%2O1FQQlC+CbR=o(APs&$qGgoaVY#hW&kBIE`r46`j#L|^p zTXco0J^CO@dW7Ve#GRnh{c{n~BOuR3M2~1Z6A?j)_?|ks7t9v>MVUm=SG#qe8HrWS z*zAtkBfqKr8-z`djfDJwJj*)w*k1Mne#m2ERS1f^@9q#j#JJ(h{*XH9VpiDj^B`P$ z$h|#6xPMaMHh{!X70_9KdMS=q3&j3S@{yYN=C0654b;%sI zv{k`jPFZ|Ks$pT&S`2j^C%j-Y)@s32nQ!r!Ujyna+SE@_%=;PrNRPrC2jkQBv2FuA zxR6@opE6n*<`a8=5Hmea^NbEW7lS#Z;^z-iSZZq}#oDTy6jd%Ue=*|?$Fmj|rAV#n zQ)iDcDF?PKf{4$>Q=TZ!=`Axl`PJVKfd68;nf=JMfWH&IlCb<$wOv^0fJyK*@5HiKvDALi-z-_3qDPl11r@pky=?{nnt@WKnr z{1Y##e?bA7xbOR~1zVRA+lmS1-0%eeRk-LYRqvc?jCU}Td|5(I$h1qYL*tB*RNulT z0%zWZHpPU4jYE%*J*ROr)}Av(l%YBL0-tah8cBo%HSP$Cb=Q3^c!Hm5r)CEK^i5=L z4T7V`+%zmBrs%FJ3fLvw+fKD1%ti?+agR0Ia4dRFUNbH;=r*;*zZk?u&!lt+o8_eq z&M+K_80x!r@=#W&kWIgveReNr6Z9GmZpTPC^A#k3xUdIXg&vU$Sg7pr#4|h3=u@Le z-sY&NJiHpjPmkyApTAsbo@I-xvsXp1OO<5{A(a1xM7Ree%1X~mQ!>8q@kv`{NT9}K z7!P{(W_=ZGErR@!aBI=ygFeDy!?CP*z59MBoDzGcAgJOU_7~?Wedun`b`y!A_yl#m zpKg>QDA4Vl_A9~jW|dgc9xG^p_9q|$onOCHja)chs^jXx-%%9j9x)vY*c6L}#Vo48 z=N&;kZhs6KYD}wgu6P}^pAl5eelem=P!ap&>NbNN0uF{S>)@4LKaI8ZmpBnB@)Fpv zQIs$dd;5ngIFGK3=&g~g3ij@DW0%=zSoC<-+#EW{1p(4yF|T(f8LYk-)IUD)X0==d_aK6j(qqk|(YyFHi5>|$BFc%b z)m)-)HJS7D0X9~nb>jdBanhql7KI0s3M?cP-*5CN(a;b+65PZ28of*26BLr(@gV9E zydWNWWF}WUV{@M4(pZn*#di}WGIKOUs*AvY6~Cz!mR?LTK*I=pR`AzChR*x5NlkAy zo1-XEoKEmEnv#M3ok`PsiI6Dqh(}^+5od3^38JD$C7fcs zt%9Neoi*+2fj_wCf$p;)OnUUuKiTqAfgx^C;$YWO$D8b5eL5bC)Y%Kl*)mYwDNz>(QUw`*r@ zM%$vXfb_zcL6npjOCgHHnzM^#oj4GQ^{rwW7&JsyDOonB0Hn)boSih3MsrV4-1w#3 z;rFD(k006IO=<9o*Crn-BG&z$l82K{#e*TOHh3~9QW^-HT<&lA(!E36^fGF zLy#~gWyKr(**Yne)LT{xxm?Xvz4JDRlpakA%ta$i$>CQ;t8m>Dl;w`dRdJ4IR)_|c z*WfZkP<1=LCo$uy4T^`{6O`S4d5n~}Pv^gkPZ%JmmwnpqUhvAeFNF@rToKgMKJ0Ra 
zKhGLK6k$dpD3u*Q$@)~+c;%&gf_mDg4cSbgt|}{`yMsfPpx$->tgo9FyWNu#;eK?x zN6pQX$tgjh?GqPR!8Mw+@N!#JF+mXo^|(*j_{WN?SXIT!=mcRC=R4h)wQ(^K{_eBs za=+-={{%bq*<`t23b0jW3wJC%CKNwIJLNL?HN2GH;wI-M^Q1m#^d#|*dxA3ENA^}! z>-MSw@Kp0dkQNI373PQ?#7dkgy_^+@ppf>9pQ{P#VZZVMMNsovtZ~IzwR4^LWe0em z4~MoKDZ>=dAU1l;Xn@TIu&Ww)0^f?74b>zZ=t7pVXbXm!GBJHgk2ekQ^0ry2T7DCZ zr>Uv7w&FDw{C4l)d}HdIPsZ2%*KEL~k*1Pira@3Wd#5Q-j4|z{Y%^w*L!kd{vRjUP zDtOEzC5IjEahs&F8!7He6JhvPgY}3^;JAs6w;%LR3^oTnwl!!DpS<2*VzIR(?+Gem z50F*0T;ov2M|dgNAR>CiX@F?ZN3voI7?~nMtMHznxHPXM8`k69u-7Ij~+cfIag`}BNIpKD7$mg5&f97M}k7s zF{t5O6I)UHo}xPSQ#v+?lM=l-s*2}J*6Cf;-2unn@xxBFukrnG!IT7>KYouXBbL@} zF&`8Ko1~(4LiD3r5nZ**XaONon%K14+_C$N4URX`l&UgmzL}x)HqkZbr9Tt|JAfWf zj9R~VNL2rxqGERhGFR{~stm$CMe*)2MpVcZWjJq$pk#MUZ&fvlRyQ31wv#kYN{66` zcMN1FPhza3u3TOaDS2wR0w%;xQ3fWZy-j=L>WbHJW0>-q*}RHv>dWMxDY^|z0SyZ$ z0Fn~9 zYia7)z_Pc1iyBj#m%z9-JhTvfIGdb!H0D9=-ti|vXq4y|?d{AL6!2vPW!Z>jROH47 zQrhRVTiLg6_czUfDAE@Bfs`0K?S^(ImVt{Y*tq{gePbIplNv>tSk=yRnRZJ?lxgMz zL9P1TEw-0hvR6;tb?A}aqnYwL6(z5w!tqowuQs*k3d;9YsIb(L)g*eF1kneAa`-#2 zfm7j@sGByE%7`SerbP|q;KAnuL1FwIa86GOuMTA}8c|evL|Ecl&MNpu30Lpm8ir0_&=O2mb1x%eZUH1nDGs(ys_a`%4AEa1-fTUAR(*~ zxUa(xt3|{#qD19rH~&t&W;j~v1F4b(v>O)|$UE=A*@!uYf#lwgypXln@H|M^2$n?H zsqx5+1ruY=^dld26g|aAn8qZg)S}`tyqcb^R6=Y)QhTUh7aFZowaVHU+3OFaY9k!% zSu9SjA2e&=S>axy$3XYs_|?wBiX|@u3nWA$o8YNQ)x6%C4}w7H(a-utD&>A4RW9L3 z7mnaz1aCArN^CO%To4Z>`sO4?o?k!w1Hm!}d)r8=+cTRole92Vv1;AL9Zs_#vEfa?u!plZL~{teLHk5d=q%aU2JSS7LF|;~R&L zETUZDK`diKn0&62KKWe$9}Jf;1kg$4%3piXfT*DYDL$b8U=tO0&U@Ip;PP>p{i zvoJbB`457i=#ig|$aB^K5SjB74&CBo1^FOGdL(GrSNN%RA>U{!>r98{)*v`~Y-niy zbTNR3u60q7ohZKNfX!t15jq4;4J7|SQ852Nvvie^*RvoZdK7AB`EjZMYBZtb0eD-8-61Mn4pmUBY^iO>>gl0)+-UCr}2TH#{LLDrf};S90;lsi|@GO2DZg> zK+_{xriS^P=Xmt36aCNzrz$}?{V|BqJBIGnjMo|4_m~8c(&I;uA+?qvWurD>qRc8KBYf%vh5jEM|A2A~HH?rR*(!NQrOfN@3;?_f zxL1kGTUiR+>msbf1SS0+?Lr^**I;VG2{|+bh5Vf}rxumc$UT#J4QIDir+C@*><{=K zr~G5T6hcc-!G8}e{GVCGxDor4>l3h^i*0Q-n|Hj)xz>`G1}VbwmSL+|&(UCHSmPqc 
zs3o`qUvyW3;OKFyy^gGf@!M2wo_CRE``y_40^R5wP?j9JG*uwXejr;@u{}XEo~>PwjsI$|2JRjoY!!M$ zYSjD9Vx143z%Vz;KfsB zG(Aq`;La7V;k>V_8tFY;U6_<5`}PSy$&#ug{b~#H84Eg=HGngKscT?mb{bKbyr0wC zfuOqoxWhYuI`Kp+Nmokgt_>dBu=!Hv-HpMvplAGYZDFH}e4$CVRSg{8Pw4k^v9o>Z zY5EBMUfsIaYzgPnLA`S0_~|Dif+GLpDT=;lWMiiCL0eg#s|H0S%yV>Vvq1o*H^aGp0o7mw%mZA0Sf%TNKq^ad{De5PX zGg8$Cj`ev@#g2A(2q!6p|06izdl;fpV+?n9l?|>Q8Rv&n8zzpo_fNv0{-ts6q=pov zhS$^!9u5T|sL#LGe2#i1og&te=BngcHTwJRHfV)3Z?mvp-Z2y?f;g@e4nQFF?89Yqy%BtCK!i%n*21;pWxbL;k1d9e^9uX}2m?{O7zjLMq z+wKAw-N4#9EDqiuWQ-*UZ9f=Y`|L&H0!SV(8uY~2e_{w;l!4LUKyE_yn@R6W|{a(N4a*ld*T^?l@Uis|x?EkII$jx>d zYJy_*2f92JCEDb0lS|vW#>MR)YW`@K7uuBz3bw!nFv70ipA#GPk)X2uaipdM`Lobo z0E6Qga?8_Z@amB`)qZf7E&Rn`16%@O>l(mcW8I}^FKrjV+Isw^OP>w-0*Kq7%dyOk zUa^9&Mfq622Vq};QEt%FRq^b8CQHd3K2N@IPuxB5u(STvLLVUF)d3`yy zq=$AGu*njQ(5L%IN|8OHjEMd{XDAAVSN4mDOy)J4K~tplwrad`4&EMY21?ZDMVes> z&0xy+)MDA@y!M4ZMCRHhyv)&KM|LR#@QDYX?7`|!euf94!2_2=cmIxy10FST!{lV8 z>yHGLVdgv2DAi*ZTJMmB4%;J-80r;6=-31#_B^l!L6(?^1`^@kd2TXMM74h;A;55@u>S7_iPLG}7W z!T9wL;61C; zJq_$P?1bkiR_3>GtTR%=9<`3xjxK`C^-OknsM}e~FukN!xvM9Ru);tAUh}x8>>Z)wurW##e z_9I1w{wKDD8S0qNh0#2y*92PzMlo+xof(@+#&!mcQ3mNZm2hLxBaeH!lKUlw9kKEi zu=WE~P6Iy#mdFjPh%1rjliggKa5@iy#wwiSDAxxSrcx z1WD10;G#rkjt)atGr(KYoMA1xocl+Ll>`FjlOg2|!J}9$;N?4!RAGSQl*J?|nX?3( zyi68rhKILAW1f!5Wfcw@9%!2`p@kV^ATOx1;^4yHoW*Hf+{ULY3JLS53)k}$+fJT7RJ5*@@NeW4}|{~ypCX9 zf&(bKo{Nt0AXtImk!kGK?Y$)}h>{Yadp(r&s9I-MTVMbwKH5}VFmi$dcii-0uD-@2 zya=8a<$;qJz3y^hWSJWADAME0P`?hdi3mQ)=DjSwoP(g zW@!Jzl9Y+7lgi;ES9;wwii>TJaIO$6X7C~{kjv$&St*z$!4{y$%%0i;&UY&F96#=3 zcDtQ~FKc0zQ(t0tCkQCmR`mEC*|s8BMuBcy(PN&e8oA{?ddEW(8`r@EhvvjEA>G&= zXyS^kl&Tq|f515kbFzcYK#!Wf%#abN-wbpOIm_-)8E@dhCZfk}$u$urwo9~$=+Rtq zP4r)f8oyc-{nz2nufM|+WZ94J@I}h;>}}c+9fdNi20*Y#1=#^Xu+RnFwxUOm2Raf) zGHx3k15U6yMWEwd|BmHCF#Q>N8$*^GzFbDcIT9>V@r+)iM>3xQh8`V!1{g}j?WnQ4 zNcG(0;tsdq2`|{pCfbzwmRW&)Q+U_p420K7dW7s5{YZ~79S1XU89{TN4pl=tH6dFD zJ}8Vru>8Z5J8=4*U|EOWF)(<^w8~raVqFXgv2~A!VbWtK$EZDC*IiM2#?!)QInP^L z^5pJE!Ay<^aa 
zPE_44C&O==dviRrt57%^v?e_gwwG|Z+Rkg4B`&MR1!Xb4EmJJ8xAa+b!QeYUOOK`P zp{-Ru$Sh*e+3+ZI;YN9^0V6%~wvW+Plo`mBdU;khOb+mgweGesbV^juLdV|psnMe# zvJ0N9 z>byqSXQuB7R&m(t(k@!6%jDk?!GD5lN@(=Z1Bp?PZ}W>E|+T`8+BWS$jnLwdw+uMI~5iF=X; zw!o36&_k7&FnD@A?1fnEq^d-N@Wy)~bHP3MGXnKrqBFm`P#gfU+NwW}&jgZyeYG0N*EtKLU&}_AA4(p zz(`evcugbAzL-nS zF&`yD`0THQFEX8M_yUHHLdK$isg0M732Xt-jC@%t4Hr5IMWYhRp@~gGEIdLR>rJ?I z=$Yf5(>fY=Mq{>u_UI2&M)#r=;WGfi;u-J=>6C&K{1gZN65FK~gH)PtF-K%l1u|To znH5w^aD`K4a&qAU07a10jbvAFIQk{u49&irQWzXT_I3cAJz2T>qn5m`g{@g(58rJ1 z-R!e_Ih&vxVQ@S8R?Js$-@`pK+$;o1-;4D*!Lk(l9%t(bN|r6IzurjaQVYz!9fnDd z!wp=~ZIvPU7*LYvQzpSu56fnqay0VX|OjO|+d?CxcGJyyadb z)~--dE^mS*Bc2fkLa;!DFW$WpJa1MB&jorXhptF(@EIjC=~(M7!4eVUEyE%4C&o!J#b2;;X%vLzXI*Brap#^a*La7K3Yb-e{t zoXgTKJZNy2!JXjl?oM!b5AN>n5S-xdPH^|&?he7-2@>w?eeU_rJ^TOuS!wRn^s9*{#pVGMxc2#N{W_8jkxwGI1aYzrda8XoNs# zUG(FQ=h3j-kZB!s=9+ThfQI_GxCbq%<~=}fUcbhh*U!DbUo0Le7OP~JYKA54IO2=$ z}`9Re<(+w8VGxM^9zq>GqU51c@El)etj0>M^Sy}M8dz{K38mlrPS`5zbT;o zW%k6C+kEOfG*deTjj~HmsY$d`exBE8+h>nwPO9nLXL>aTUreP~CB}4(!e9in@v#3e zKGOoC@x$G-L<5E4T=FW1tJG4NAY4>h!YJi`M7rvyCseL`QuoKC8YTqo`<+v~U4;-9 zOUCNM;r3NP+IO%g&}cd&=%5d=e45_KfWcz-NT`l9lnxqk$S-pqwoZrl4)0-F7$=rv z?1D$HqQ5rQ!Q|I}FrGPfEENrY=w+wVsQ{fIv?UO5pfj$TD^wGWRw0o$Q$OE9vK`zK zuA}RfMN|oD0yM~3PN;mXqFTRvMX#GRVP;&iy zA|0Z7bKc1Ku ztCb#e4fRL@Btg5=-6DO<1**0CWj9|iWZ@YGXTUk-;hDcbW&t)fnHg0-XWf(M==yq({ zl|9YzuY4=T5a7HPF1c+RFyJnynR}PC?E2}2;@|mYkMhx|PY-rwW>b-i*OJfIIq77_ z3#sze_nl=FySGHMj;xUGFc!^O65to?!)a&j8mK{o z3Sg7f9_T$rZP@RX(~?VXxlxi=3A(*tem3@wCv;xZQjIAJ)*5ckfMWEolvzxT?(9FAiA(`LN=Cn6!5rR%sGWEwzzF^xqoBVezhR|v6D-Mw zOrZ_YA)0h8^Fn!o5%OBYDKg_VWSvm|3DpJX3oK1ZyauW0;u{LEDDDgcC`6x^TiP8Xng$(uQaFcd_st)iK}PK4 z7}AZqzuc;Usp5*rzDInf$R6ak13Y zO?Q%ET&J2H9&=NKar3zDyr~u1tb#N#jkO9G7yKkjP#*c>$LNjBy0LIVs%S zP&V}aei-eR=8DSG&wK8es{q)m*Ny!|xaX;jv|Ks@?jZ^kI7fIESe!3#K=I+>Sdv@i zlyz`Vdbiy?#li;!#HPW|eAA22ssmjG!G~(r6!cUHlqTdN>ZNlXqw98`GZ8?>xcuXK$u#oN71xkK~%eFNKc_7WgR z>y=CxNG5L_^qHe8G_=kz!B;#vH7h2VkejNedmXb#-4mZ(AoEWvyr7V7?%Pi` 
z5^&0#pki%fy+~Jk*P4B}xG%6W@#_$!)R&)t@+U@w_08xDC{O4Y`2nj7MXS_)WI;h& z!%J5$1IfIW%$trrIN0#9OKs1sDnUHkdf+j$$isI_Q^iy1M0mvtO84vb5c{W>s5-d( zFM*nTNK?UP=OvJs9jM@OmAGU`6R-sQ*7d?ukgn~o0*--T4_V<|qL2^GMEfYSNnr(W z96KTd38-q1LYldIWxLvA1F1?uRx7+`eMO)I`RnoQ)`CdEWHWo@akY@JjpRImM+Rj^ zg7C;CPZz7xIkB73?y*HIhA1On`{ZC{%)J94HG%|AtbFt6 zf9mrVBfKZ)IdQnH?kb}hv9XO#?LT&22CXw_>Wpo#uN0uF1d*=lM?v;*dO7#E7D;*z zF2iX^>hk%V5E_WNO}kz=eS_Y>SmmMtSFwtdfl$6${Ru>l|h~`V1 z=Rk&*3=QGKC44!$BZdrun^U+z43e4k!_KrEY>|R*E zwoMeKkQDwL5P7_qkypaH2Ru#qnm}a6L$W~nl%5TA@|5Tt$f;WZF zc>h~(7dlUxJm#Jp{je8@c7ThbY}>{-lGf6OURG7yJ>l$|jRH9-n8b0T22>P0#p2Gv;~4>WsTNx@*V+A zectK3I^p4KF?m&X;bK_8t~vGbjPN@-b4XVg$?}suTE-cg-Mf&)wx3oh0?+>P)m#0~ zo-9fSR?&hK##D1;=#S4j7#?LQ2ip8%E`;)HhG8U+@FmxdS_7ckL9R67ya@INz(0M7E z6d`Ai#XMxfvdlL)>-4!<^H3b>3mtb1ry%9X`6VDs#LA*4N@y0>mSI7|t`5i1hD?Kp zC6WbyM%PEns(a(~pVRxUHZ&XJAkub9p)s`I>FK37)cNb#m|M?>uA{VF%6-m@F?mJR zMn6)l_8LRYArCAi2@#Ua@g;=6af;wXv&*AXRzr{p^eBe;St{e?dO-hw_Ao*A$x2LuKz-$>% z{F)ePF}^VYW7X7+!W85(P$GVziYE)*zjK*4Kjo?|Tlus{wzm&QI|UO}DG+Fes;b0J zWpe`@@Kk90grdskE7Ot{Ej{7f%;#IX3Al#2Bs;Vrh^s}F>LvH?WR=4kYl5BFD zw#`*$hx%)|D6UJTWz0NM;n{^&&6{%to%|Lmn23^5D+Dy?-*3juY>Hh59muFeUR>50 zgtKS6M5QR%={ykmXbYUbDnsMj+HNgm;V>Bi*|-N}sdAKT9W zIF1t{h&4Z1+H9Q1Bo`g8D9l9mxECYSn2F&naABJP{I0X2^mRLRZ1oaG zXjHlxs(cc^Z6sv)?}sFxinMK;#9~8Lj47m~6Na0lDQ)oIwGXbtKYfQVs{7?Jn?I}9 zr|P@K;bcd*acDF6V&Q8x-Anqg`4{#Biv!h z$lCM00W(1`#ic)X7Wi`P0f?I|F);ikpZ&ZX-0#Hhc0~5!eDSV5LzH*UZFtH*wR9Nt zysa)^2kU{;+mB+8rcoehd_Vog$wvCdPW#*;qcG4)rIbQowK;xB&O_TlFdMZol|Ql$ zw;51&fHy2Xb>G;toC%{6Gj@M_?x@Aa>P1ujy5jRQU-%P$M#r3cf&;+%=c-oGLG{?=Nd_LKu~+78$a_0Q+g;w?*w1%I?;DJY<9X1SL<8Rm6~~CgdCPv zM*?^}6P!l+xp@nIhY+WV<0V)gXKF-xx)XCfg93Hzi8KPgMPaj-;a zNylrarzn%XpsR`ol_9pEHS$rmmci*Q1Tah#+rG6mUPdjKDVg?gF+(ZH-6p}8_350K zn~=0pcTZTQJn4TO&?QS@F~7gpimx`&HdgjA)f>Q}R#N9=Yj=_z)mL!K1!(L*Xniwf z$kg49OMZ^NrVw=7kh)>OKYy}ASO|I*-VyuJAsLDnk5>dIKi8Y<27Y*oqy2QpA8Jl3qvO z!W&!H!xPBEeb}rKW_$EbJx0kIbXwPOZ6lq}&@hK|#Kh!9ekp`Q5k5(`Uq0r{>s74< 
ztA_ZpxnaANG#SM?0S(B!7T0aJU2U9LG^T-TCBS|H<)Q8DPN)QF|6pW=hM`#qJG|Tl zLzR$;OM^;iAM>f|iKEV%oO3j=t#7KG1xE3Z!;OgbCAP@ax^;nyT@+c>dmsfaZ zfB+}&4CMF^II=>?DP0OSy#0z(diBeC@RUMafy1cs>@c(45Pq7cQu={Yi4^++jgy_70hQLPgSc_exJUSKUI3$Q7g$`Xpr{RaO zD(N)>{F!!k4H{CdQ=6#XSSbyU5Np}qMu_G%e$(X>Ue}y@niIE7#!F~X(t&`Jgwp+y z1O0SCH%E#x5_}%oJU1-{R13jx16(KdB@mkteO})OFPuRY6(4+?SHP#(8g#9i8TzHB z#pA$P7i!o9IO-df*2dutvGJ;|kABdn4_3X(Pk(MO0vo>^cSb_@=79JTQ<9-LFte{t z@J(FD9G__NPN3f-3m<3LeQPex#D}W$o1xQ0>&P4a6y#bVJL~C1C-bH3S(9vw^K++` z5mM~QAHFnMuq1w}UI%%_vuDWY`)Gpr8dw^NtBS|*vGAFbB1V_NMg;4+kdYU5Vb}xg zaH(m52cX!>q})rXRc4!2eW!z}@QZbj*H{OW`xBjx7neTcbw*z6?YK#iWSu@C8Gpw- z=<7(L8}ntSMX^55*3SUf5Y)NG&rm2fD9aA<*Wh*K z&(KS7eYYB-XFn7D&TB?@a|h+=exm*1{q-|(;k1rV#>UhG6WdFOnPSH2LgKe&$i^RY zC&v;3oG|B;68vc7l%aULd$n!)q`sduO3U;RhuqKH)Ad8A4x3as5rm#7lBF(oKR zUuNeyr0QVeKXT+Q*NWQ>`dm1O+H~>H_`ir2&Rsoa?6mlQyj>FU;A{BGD_XWoGWTAP z>8tjcjZTR6uN=>Q4_;a02_NW0oPZB5kW@hm8uK#BWuo+wJE)V~Zf#R=J~Bv3EWR`} zx<*`Xm!;2iD1Gja5yhLj@dBRk&K(qGlcAZ8;Yy13Gg*@*@dS&=cfUfbn1VnD#;kVx0b7xH z;i0Bc0#OpYBi0ejY1}9e^CA);0(Cl;gyJlDqB(e4tVBA;MjP3N)ID%j%BZO2JL2uh zWP>4ec+N^O`B`a#CDWZ2kdOZqi&Ml-)4;!B7{t4jc;}GV*BCY>@SUp2K}}}VkZ`a4 z$U()QSW~Mz!q^*N@Jf$Qta7;|&PA;G1}7~&1(z-6*9D9sV4fP^he={_a2|8k%!DQ_ zgg5uCy(%^wg*p}$Qmrk$IgR&JNJDFpQVIEe`0MU}br_(ZL)CRtT(VM7j&WfQW!usq z+=742VocFc8yK7E-IE*cj3Y6=|J9WXK3~7Yv<7deA72c7I+kqSWU>oVwL*US`7-ml z@TIV=CTNXe`QD``mmBA=pF@g+>_h+BaxH=LT^GGM9>lYv8x)1hA2czwZiyOg(QW%ADaC)|$bC^KnNT zcnak}9#fIb#2P*oEqnty<{NwvVbqq)WaE`}A|&u27(kNeh;2)s^VW>(ptG6n|8sa2 zcGwlPp}?x&TS5KxHjs8#y%oR!1z?Rt7O$+a1UFy_yYL^>jcLUkhu`l3d~pTz)XJ@J z3IR_J>MQgfzsj!;k>Xd#DE09b=+JlY2$WURvs8dF1UT{+gPp@1tN(G})dg^Si|``w zclU7+Q^XN&L)ScG-+jrDt19gOGDT^MB#0tTc8_Gd-@qP)YMoHH)e^nAWeah?LHkT` z9IKUqxB--eX8Vlr4qmolRQg9TgBBr)(3RII>pTc6AHo^~Y<0K-?i;1rY+%SnqjSHz?uO}%EngX^DJAP7^zv85N zZBub{{dZOmMcq$vp;dO681tC>gFKfZF@H*S8>sAk{-k+rO7CoWXc2mVVdG~EB<4?L zFN<7C5!1oOWo62fbS`FUBQNW7l~?5QY5A(tzpQ(xZzvayu1pVG5gy;`qXNC%f;5Xv zrA*z;u}x$R|J3%uxd9G&p)*jvs_=7A!z-|_vTK73PD(P%6ZR}3-V;Urn#!Yl7xnxI 
z+_dKja@TV+@A8QnOEV~AJ14Jl4x0-9+uid}I3f0$fi}S$#v_tDu-qeeiMd^ zjT_>AoE=E^_W0%?2G3#*xXJCs=9YM&bx0#Lj8hJ!k@STl%%@ILcNTjyyG|mtq4u97QS_6Wv?P_0E%cbG>ux$d)s6{$$B8EjCG2aK|>9?FweAvG&Nh>Dl z;K9fJL|(Xp8OWD(=HW82PKh0<^`QBZG)7#WcY%T>WMY~U4c6Q$EEV5&pKdc#s$MQn zd0k8ea=>{=g%_K3EEp? z42)tLI??QvSg+IaB^VY>U*s!Hqe913Q5wOVnw`M==ue*-QbJNgZ15vFi?3FT!$Q@$ z@vOeZ5^WtvXs;BWfMZ2dyy`hxv%!kFX(yqw+$`tKP;6cXq-G%O6j!9ue zB)vn-87pXPfgqx4aBwSZ+`;7%QTY9&OZ;32Q$FT?5O@F+-~uaw(F?m##sSR5H*mQL zD-d|NydlPPCBsfXzy^y*Hho}S7L3Z6CyZuji+vsum7g3pd!`aqG=CXdh_;6rljrS` z$fo3265Eeqv2@bzS9NN3-u%le$NLlZ2yI|H8et{@D3#>e3vh4an*~`fMdTF_t_Ca# zGRY@~<5;~$enr9S*9T}rMEze+n9~%ePn$)Y;qiBwoD(yD6-h0g;we`wCOGW6$$=X( z{9c4<3Jc7MKE`hdh^keqVbYlyyBz_#M z#h#V;U8@lPn7pV5KaByReX8EAPdOdw!u%%!w@KQ(H}XVa*164zOrMyxsEt2JDXe{~ zq5^(r-=N+JjveV&;32FPXD92wZH>og8n=0mN;ob z2I?0w-!AAuHJK0v#*vP?3zth!X(*dT!nuXfJ$l`YVr0@(FV&hk0-|WCUvdU*;>|~o zevfoE{fDmIUL>xYa4yEw2^?LD*sC?(&zv3mMuNvYsu;brox}94oO3YF^^#2MomVAd z1@}W+veQ0OxR|aMD_rOT_-H$w9)WHM>|Sl7wcX4f%$aqn*b?72L5Tom-k4D9K!v;c z2(f0Dya1>{vp|y=$-QDc%YH>MyyAAGiI!d4Mxi>F9}uy#n=4t%KK<5En|v|#6#e}u zwNCI~U_acz03m_pp-Pt9rXk>H)N?&|y<>Nx*vo8|baq`TY6ji zv3yiE8WL+Bi_z(u*BLnTX;H-{wZzZWf$c&*{w$C`r>CxEeku8*?}cP#^r*O94lefJ(p2f+co^2Ohh2%fnfF6mDToxZ z`^w&1nkZqh1iLPfdpY>+rJ-)i(|}U?p?r*~WyIZMx@l1M*^|yRPz@zoj@$Ya8BmOx zc}+Y?Z56{;dP+>DY9DinFr8KOE1zS&^5fS&+VH6-3Ekht*wFNXi-_&F=yx7R~i5G3_FSA$yVE=CV3}g8HMs0l|_awmul)L{rK;~mc?%3f8rqkfKfOA z0QmnYZ25OdOP0S%TE?pDIj?h|ywL&$N(<=5trAh$O;#PVsib-Te9a}fl_G@(gXYp! 
z_xDB48~my(bQ>%dFvw6B-2rikXPaY#7;s*kFlH_tyW%IOlDRzNz&l4z^`dMw?@&}z zuDp)B6Z(mrB|B!M@yD(R1?bkhr!=EBh8Q`KQ~A^^ zidSs+f{NK5DeSvc4F}}s6|{i%lQ>UiMlpynxa#yk7FmXAff{qdUCB3kLlfk+iBTQv z_g_4@(R4T+YC$3R1W=_Tth#~8S`Fm5uk%R^-oq|=+%{Jy_MK!uI@wzsiVp+}dU<5G zK34@Kx}#m)A7Z&>loXbiPBi`alWY63Yq1|v-3Ll)Ek4Q?-#l+E+lEP@K=-=E{%{#T zm3||w;l3T(I7Vc(<5KDvE@n-6xhGc7&$@Z~dfZ4%%y7Aj6VrRaCtl!uHRtn5FDHm} zWC}V!<8y!pe*PRK+tCB;F+sAS&_OR1<=tm$Iyqxdc@ciiU@!40fb#bdN-LdXhmR&)F$H-i?x@0Ebc z7cDvs$xu^G+g#ZMqMgX*GT>OeSNQFU++gSoh|=4{o3gjaB?MXnhR9Q7sDP5qp(wjF z5-_JfhjWqf{0Rg7gGF5Azn)FMFMSa9y{~rXv@R259_5$F^h@zxMGJaTqu>r#FSZdU z!5{G;U53y_IDYI%(xoF|$(f86agw~N)PDFvy39+D@#7%8uCK_|a%|hb3HWX$u!h2O zH$=`WSgN}XKOnz1)FPnwX+}p87F9aY=LJs|{njr#W(3&LR!*!4)@E*D)Y z^0Gv#rMZiz*;MUBcpow;GTRF#pKzty`ndX3YLCZ8@z5pCQ*Pzh;!|d*u2Hp_c1gL7DVh7gV3<`vpvE87GjQ|Y1M5= z0Dztv06_eg5Iehg+L$^2CAk;cXYqR+C?6UHK350QXc_?v;v)Rz{MkQr$_*fx4HrGx zm~~ovy8S}<0$``>Hco^(1_`I%{0OI4hRrqW=!a@)W4<>>S}MofW16hihAB;Ga3Mu2 zScai9Xcc+lv*=HxNhE-RzHs>%Dgzwy(-ESH$NNSNaiz?(KRnyNtVnUXP6Cm!EtNI2 zAoLcmhmB&Ip1#H1OG}N?eXei?qPMF(G*^8uWt(IlJ~6CetcS=4N_4salQ9G?sm|a)dwU<7jjGGNncO-uWz1KK5Y}<8A z7zNK5}PVMwt4B>czn=0S+e@sr#ZDDkMz)( zUB2(PLCT3u;SIOHZ8IG^%?R!2z4LNw`$mGrz+Jc#2Ja4RiWCm4S(Myx+c|aEf6M-^ zO8!RPkB1-YGTp_QVcDG?{AX6%^BRz6ZoI&s& zQ-)4wTP-#mgE4((den)6NHaq^E4iKxO92%&%@VC*V!ga+;b7RQs4-;&IF;%6WE|aM zOtp3yFr}Ihi&@Ib?lB+r_MN7JeP;GHkk>Je+7}b+Ltiz=rFC;sM8$h|Isrk7IVDok zPOr5G6k{9<0<+fAuw<`0FHz@C;w-O>V|z7pcj*r~G5y7F#%O)nA(r}~SBl_2c@tz~ z>e;3Jr`M-NKP>Yehla@&5r&LLe$C&?l-j|lT@F}Tz3IeaIa@P40~622N; zOF?qp0vwe>)R_!*W)!<_7d;5N=&y1&uwzEO7Y?#cUpo*nbSHdJPhH+A9H@^Ro(9_S zOE<<-98JNRvvc(JDa1|g@`qErlo4D~kPCX?`8j#KraNBtXuF+DU3U9-2F?G$y2atT zxZ=$Xod09~P@kpi;*w9mH!rgOE5gsIb9!*S9+l6%s{*O0qLIpzWsyg@(u&>jifOJV z0?%^od5%Q~eN0N(KXi5Z**9}HEAdw@w1X%$SH*oOYmLPg=(H0<8z{X=BJ%}da@p+n z&sjTPV{ea3|F;SCHEy#iS4yAY?18hu^;r4RB;NaLC-a9@Hjfvbj_P&}CR7nSL#@7E zM{rYU^;boYG~$AWFL{rsH{uxm?6Q@7tw8a&qxzA4oS}=(U4f`;QeBltby!KS_qWe+ 
zKY5xf)eXeEQ>#yp1P24XJvl%BcB;FrFjB_)-ODENlg>cd#GvSM3V>Qx91#ONvsYW@s_ZN2HZfM-&>av=PvWN|AF_+RXPdW>3HZy* z-5`-6iYb+g5M7{K`4KO89+}OTL1?bAY$FJ_HZrk326qqr2mlcrK}Y}qP#=QCMP(=k ziv~!AVHX;A9OMc{=wrJ=A%Tn%`vyLH=J~CV?*@7pUXFA`7zPEFL}|6PweJ5kmSoEbr= z7R}5+u6z)jxoV|OGy=Xg@~H6pV1miu{bTG(FY#AY*^itY`dVbRJU4vj^c2axt|(Yq1_l7ofNVEpP)Gl7L2_ez zdr(LUWUeV+S+6spyle2G9+xi0@upG?hRrrKF*VmG|1wFac6JdHjB&A>`}2@=z~c;z z@lD*~z1-~hTphneKx2(ODowkuQDc}`rdM2EOY!xx))t;}0r!lp6tF4KBp=MavD!Xw zNHy7bZgMK*C}Q0?xYQ_o;s3+uEC8MnOsY~?#+j{3H-5^my{H+y+ZhqcJNek%9xAoy zpuNWiHSUjsC~}g;y=K0M7qw<5tzo1@Fs^|x2AxS{+M|a(LASQ3uC0|t3eAcSl}#V& zlK*Vx)-hSFkLed)wthnRN533j^n51Jw)%uCK>ACVufn<>wA2je@v z2EEtK-KAIw#Z<}m-&9}=w}v6dQK4A1qB>=Yrz@r4o?DcBn4+fHNORccN*WJEKMp4R za<=!>dj?%SbjMv20tT+e1^&CQ#k+W#L?8w>1lcX;1*V zL#pFn2AELZQhqMexSa$-Sb62^=6~|*CC?m=GPt#qeR;A$(}q>mt{`@d#JoD6@EEzh zeLw+goYIO9{Ti_stgOkg!#0M}=Uj|5YPq-lLrp2IdMikK;^?UYA*Wa63xBvK{j%a& zcJX=nzAalHHff-E0)JeuekBTzgtd&ku7Hj&_-?$2STi5N(P~r2s190 z(OYU%^_#6rfyD)|gs1Ww5|*O=A=f_3LKAg9+`*J%^kBM>#tPtDqZ4_yUIHZ{OU!o1 zC^U3NbQHp75lVuJtV72Zb80tlyc}fYM2ct*`FHPI*nEY~pwpH;zTKy9Yb5BZ11!E1 z2F?OE+g7GGxe{9@pDJC}o|C}X`RFQ<6=lJ|F(5ENV+RAc2&2)I(C$MB0{yB7 zy-`5#f4>4iqYMC;+M6gk**iEh8aX)pHMswzj%R;*f%)s7Al^g$Hz}wM0IU0dsZH!b z^{@XI@@N!G*$ik9HOarG^WO*oU`HTOkalwUYG!NpuTSRx4M0b5(&3N;5&%Dd`?n+d zKLCLZF#n_8{`NV+I74HvALtZ>Yb$<$t35(?I_p6fm3Szft~UuK$ztpDWsbNZmRh|KIiP zpM?KhA^t;X(D^@4{%@u7PvU=SqW=)Hb^lHL|D%`wiSth>{|^pv59I$Q^NO-iATIiA R@rDO1f>_a^7o;Bm{|AKkqb~pe 
diff --git a/spreadsheet/macrofree/sap_checklist.en.xlsx b/spreadsheet/macrofree/sap_checklist.en.xlsx index ec19239a65291ac7533199c8f23cc037bc9d3706..17c6501b50c36904d33ff6dab4983dbdd9a73e2b 100644 GIT binary patch delta 32227 zcmY&6A`?i8~N_R;~_tHprhone%m*fHIZjkQIr5lm%?rv%6hIjpZ{r&OIFmq(C@I`ymX(v4`Vwc zB}Y4ZCuSo%M-!%RHr9c$`m)_DSiPMx2cBt#dPM=1Xmo-hFkRobbfiuj3@?LsWE$=4 zv|DXOyZY0ePR}y!=?zj?P`{*uH>#mYiPfqEFkLav-ZOsa2^XL}osOC4S|KRn4k}uH z4-EIxtiK(swU);sOD5vM_Y2hvIgdy%6kcMUSA6pk{wn)Z9t}sqPP(}L&?^rMkL<-p zD-|cQC@+>O6G!e&ySq=u5KYF-K)r8MW&YP+ZzZ=6X|~BNMRaWF9CJQjK9IgO#!6!0 z*IwwM*{^5<%t^O-#~o9RIR=N5Dz%hrW(7|A2U=2vpc7+P8y=&Z2tpGY7E$PtB$z{K zKIsJxU#}RkBf0e-ojoh+3e{Gr8Gb%u z#vr3rkwC079v=zD1oP?5iTZBH3d&KE7{Bc1ly}U#Mc9;+4)>P6+@rarjXnrT=JB>0 z$!cdMTQzJ+ebJC@*#tBi^E~ueQ$r;nnjOH8_MeQyDHD2{*YB~r9FiH1@Gg|Sxg@pS zz)cg~b*-hJD9fxpj{a8o5QF42+nRVOk?k^oEd^&!*=mUUiE{FuZcgT%X#2FdnkQ7fFJ==cLczb^1&Q1Pr;AiNfAW}h zeZ*fs!0o>nfWDb8J~tBVz&V)Rn^4!8Chu&}}(2Nb+$ zCl1F!dxGB!qrY}Wv#>Ovq&4L1J!NhOPsZrrb7qJs^5Va6Zxu%04SoPPx$655GYHN= zH?TtRt=_CzZ7DZ*{1@KLA+Y>NI_;@9@ow>MMqXXZwlm8XLhb_FX2=rl**DXmD;|Gk z=91?f6v99DGlZt3=f)W~gRr)gRR)yOlIV-rs}rvevg(4GiRREdJMZ>eWi9c;oy-v7 z^#0^ox_`bO??n_u2c-dF-7sg)m-@J!cJ!utYv8NL++q-bZ*zzLmY_f$?aV`^$CpixJBD zN2ZsC>w>$+MH%JV_vc`^jQf*BcTtkfgvuI27pvzi$KG=0<4gc}aYj?U*%fHU9XR_u zaCWwPHWtsfW8emVV199RyB4{;3ZqYSx5MZa{N(cy03PgP*M;sD24XSgGGEpR-6x{> zKS@MA`QVd%ko0*CxndXg$r@VE_)2;g@HUI}YtUOKl!;b81JN%p_e!1{&ZV~Iv_A0Y zo_9UOCP&{N$6IcJSNrKSoA32){3|skN@WYx1%=PEn>U}!70L`5byqb-l)(-;0ZyFs=M^@XdF-HFMvf_f9)Jk&w^YK}{E8tx?)9^Op{^I<|pW3H)5 zodZb?!5q(;lh+y7w~S@Zx4-QQ=Q_XWTcpaHu)|rocB_m5lc_;j$SBORC!qV<122}w zsk*e3CG6q)hRu};d&fz;ncC~(`#YF@xTgfE%%2hpe{6NScWN4#hGz>kZSLu9&zUn_ z)Mx6}s>6Vbsf#bKO6&L!FPM6juWd4i^<&2ci*Dx1(k4a*lKTM9b|(54 z*=D((GD|&RMRzTP+$@x{d4sv5zS&4)wCE2`7RV0JbV{wEdLFBy(zD)7eX*XkmZxtq zu>TzgT16D@87rrrUFSi^aW*mbt6lajBC{U>}FPj`*koti^htP4-+WPNMqWoL$zT6LI{ttu!$Ik!7V!k%7K}*Y*jWoKY~D5b2JA zS+mfH+L{s*!I!k^1Q&|s8i+KuaPRNVY(dU>9qNPsHpbBtd&$|sH%}C?yeKf 
zrh(f?5A{loufsef8E{+aX?BKulx*6jxKh|@@U!l1HBxAw7VnKwTE6=RCbQ9dX=^vR zEe=4QT__@hOv<@#`l#Wtpx+lCc7*fO_`^2&9BF6nHQ|Gx`EyW1=Ul`x(yL=7o3_bZ zU4F`S6w`0IU89!!<*Ki{?!EoUdovh6XItlXocFMe_Dt}QZNHqy?gd5~W02Z?;q*eh zza*rxPF!QOxNZk?!^9-4SC#6<7$)N2H?jaKU=O`Y%T>1n-aa|TJ~7Kb1?T8ct*b$bmm2W)?VK>QYE4q}cOsxyY(6rMW zjCc1?J7f;G2Zi#sbkx@qm&Hw~oK>3|bi{Pk0(DjkBhEd5E1WPB!Vo39yw~4joH<%sWV} zZTVhwQyx=vsT=rpKB+0?gjbMi#FZb|qMD&{NP?rh&`K&`P+}-C@OIhCGZ-*Y>P`b|5tT6itL#Nm0L3jA6H97v!9b< zz0Zz5`il#UEDW@b=bP=%JK5J?A4L!GiwvsaA~4$p;~fkk0t|F^yEOq2%mXDMv9KCcOR()9&)a z9L_!qY$%cY<=@3Eeqbbd*$%8@)qG6)n&bEhN77(OOY5j~q`@&qL(9Ns5~VXra#2G! zwpw;l^h;O2vr|8s7F$D!39~-XG4>LXVR_lKmtVc1YW32=)ZoQtnrPM6+35veUMeH# zy{nH0n?=U@E*v`@^NwGm1@ZHl;HoCl1AM32Q*!Cb+L{&!_mW+<{dJ-_iGe7A0r~dq zjTU!*91PbFY5ymkm_YwH$PY}A9QOCPK%-z=bl8Bsr|lCMFD|+E1u8&rw0NI8YFNeQ zcg4D0Gy{uq5QP)*6b+Iax>i$_G)~YMT6|#6`Da^`_ntR+K?;(9C%&+mPwj z8xqER)3oz>9O1G{J8KR}bTmRVg-Nq^%=tpSivBy59 z=t@$wMt~(@IQP00D*4xzV%ei8MgkqncFPy<9*UoafbHnx$-+|e^+{BPm~OM?YV!J9 zbc4MtoUfBp?}MZ3(otn4i9*d9*9{lzuVH_Df6iv{CG~BK%O^ z2!zL`4(|#RmAvSRF3~fdp8joSAGMfN39tplf}$L8cyr3?2}$b-k^hIg6KXtTP?yzG zWX>f5sXVh+u@71MS}cq1*(>P385uRMg9wKXUAuO?YJ>6| z*FtoLny;@bi`}N>j=9hE7(Lcaeg1Im&Z~sqo7&ibyx=>B?KvX+_&V0{0)Z;f3jf`% z>5e>;puT3E%vqCPA>o>XH+6Qn+Y_+C4Yt4PWO(V^pM!ZV&C)91IIYn=9)p+f0KX#{ zOtn?<@qIbM%hnLwV70IzQnkRdAtD^g7go^htT^y^R~soVT}$vn;pTOh|7aLWE-}ou3@~Z7BPCf$^bk`(8QDlG?96fpJZmyH_2*f{b5cvG6$fxE zK`-7|WC0b!Hi_Ur$R^pLxbpuv5=h#|)uD#fyZWG#1ZfpFnGXE&*{o ze;L*y;=nM30b4rWIo@$7k6RTx+YLZZUo3&A1e|FxAC1qyWX*G+ViYAUGrrb6CkiD1 z5BqTUIa5>12u2nMk)4=s*C7>__Wf~vLM!2~_JV(2r_(cE zAJAl8z=t` zbCqgpXop|S4TZzR=y%sR$}k|bxq!-zl?&H(E}%=2xP8Y{ndhvIps(!Lo~U0Ih}o(Z zY8IH%vcgZ{{BDPdKQY#Kn@c_gw+kb(!Rl)|gk;JpXY9o+SME+3xupJ90;q2gWaJr> zsfV>yXqrvvH6{a-I2E~%FpHE%y>_h|o}*m%dJaL;J)dQjiWRWL3mb$#%1r;f(L9bP zLl)VhT9KEdIE>}K(OY+6C!lO0mdLVJqYI<>FI18U^Z3u?j#-t8%V(fb(5lkBwk~3J zWl;2TZ=9H{te18op(z8SYJNnnU0i?8=2o`97iZan=NNXWe`qTjvLqprIC!)e5H7fo zUoj|B51a%=1SJERklIrF?{Ek25-&2+9}AW z$Xkr=Ixszdp6^tSj6*!sgHP)(z_>vhdYLn(N}(@o5AHa^yGj7g+YalNgk73w*<6r$ 
zb@|X%Cs2(rz$`Q*wZgwa3J8}LKUewOi1@ULEBz1c|7WwQ{b6BV-F;4%CWy(-3#7NS z=Lk_;P`1iIpR(*+@|D4_i#XK}Q-^+)?)q99UG2Ud2dcbag36<_G7AmS`*dy{spdCx z+lG_n3BG_#hSQ}r4Bxx2xVR%3pGy`{Y0M7)IJ}X8zO2V^DRq%-n+Olg&{@ytQvMO1 zuQnm|31sM6)$s0o_xFLY%D@KHt3Ij*-BX0~jvD}aYDSS1s)5;GEb*vp_m+C(uM0xAF49QHIP7dBU!{CDU-n+hJGPHFO0m4LZi1S4GJwGAGK3x7p^KZFL9dn}QP zI24ptTIFz7jBMViO*4g?yF(>1pf%$#DiYCaN(8exD4;XQA|2xUyfWLn^h{y+^#h2D zNb{@M{PV#{FoXL$iqd<|FbKsye4T;2FOq*6a0yMOA$j|j z_AN}YN{Gec8*Jsg0c7z#-u!V`f3cY{tFU5-s~JI0!)u`~vi>ZH(IMCkxHy=p)ZE1; zb*jgX=ldAB!}voEcIJ9gu=k7M#iWm&QQQt)Js9MP>Bg(ZAbJ)56b2DnKZVS+iDpy_ar#?dkw7gfw(r&m?VNjfrG zK84Da^C+?p0HNR)e7-fhy+9 zM(>CTwZf;=?ZZw-p}iZkjGQlg#n!9BCP#m9Q*#|MuKAtYWsuvrV}&AhhbLe;1(VwA zG|p=Jo42FVB5&A;l5wTzgEN~{!)aTg_3F$$3oom)qq;Ud@FK$;PC7J1z5`a}P}}`J z+nz7^SmXh~aSjG+F z?EQdxXTYDd>9MFfSnpr=ulNdxbcd3$B_c{RR0c*u(s&Mi4ify#B$p*=xEKrX^4`5_ zYY2-!)3S*IvCXIlwL@geotLS(KC1iOn!OX!wa&NG67up_s&OreTUIoT8}BriXQ7zX zVJzm=@AEXF=v*_pK;tbHLnj31$V#(q2N-|aS;xRF?#?Wj`^KwJn0->RHMFV>qodac zW-FLErTZdF`%^NP*9^WgGs?z?c$A0D+Yu+{-{filaKCprD+)Y{kxUKC=oC2Pn--S2 z)|)S)w0@v<6L-OO={F0h%&zmBDt>uZPG<%?F1MBCBp}?x zn(9LN7$tIi80RZ;E?=Ksi5g{`PBP)dmJ^MI_pPR=2J%sqM#{p<%(47dqnJ%2b0eV# zlF*-Uon$n}=S=lk4TbzMF^wn&dgG3a8geCaShExu=uI>KA9TmzhNZkv9_rQUH%dbv z*NkM>KXy7bdN~gEGm})+XBU5YGYhPtxi8jm0lja}j|Zrgk0S=T#{|Yhy~k&VONi85qW>3b1PRepRw2C90)p^TBuYk| zb=$P+<``C7@c7cMq5!5JzHp$Vc>F_Geq%=a)aoELuZRFl4%c8lh~m6@7q#Wc|6SZsfi~p| zx%dP^h$C}wJB=_jaGaz$G4CILR8@^tL{IJ2sti=kf4%!NH`|hsR^hC}q;QbOQQYG( zFl%-42ha@Vguw9f7sk>4GC7@rL~Mys42!4&^da2Gb7(||n1K(<3G7hPC~Y(0-`{~n z)qX|%?_QtlWMK@``E2&~ovic|iR2H*86^i@38aO6A{XaE%Z{Rfyiv1+&Bbv^>M)fr zc3EPm7TNC%*m*G>lwB&$kIldS641~OM+Ho`azpj>)Re*~ROiWP)jv`o;QviX>U$k_#`@buw6kc>gIk=lC+NRjGjXM>02h|atgj<_G z`t<5AW7TEouj%P(Q_NR=i%)j$-OnTj{*071O6wft2bC*2I_5lyH^E=0y#z`ER569h zhU@QcH4!Kwdho1ycj3o~)A|mZ0h2Ve5bAB#{&b7{XmJ`zZt_*ca~Pj=o(GAsd+SPp zGs!`R_+gTHIX*TW-Mh#>lbNx&6)G(P(MV`!3amnZa7KZ1I$Q~+l>w)$YB%exlD|!H9dyxz|RQ?1<4w z+o)w%)9?{Ssd9jz;jl~MH)x)sJ4%U1#pAMJbcjv|bg`;JZ-1;W8VwUQHh4%v?;r-p 
z?x2{&JycUfNl)j%Od@&jnmAb?^?8^l`y6RDsxkL_`jNBz%m;GxcA!kUOfx@XwS6Jd^2bn(ATBBZ25#! zj;+UU89D+I z)K!vdPV+=-mZg^4+I**9G{GcLMe(by8J zgxy|Yyz2Cb=2=YUYc>(g{ykE=byCj*?nok=2XWlQ-JJgtCm??u#^2bzQh0b6GEVJPprgM|R~hcmSa!=yLo_ zXsjGm&#iD(lXS0rU-Y_-a`wEW4PJIs9kAbw^D`_jPPVJC9`*&o|@-!2VTdUg`z5)m47a%XxNYiq5-w7_cr7qAAh0e$~AH_+L7zKePE6~_z<4z zq*ErZd_W}j!Kbj>I2dtB4sGMjA~C(iUlWMVpt%ncRdK)eXunLdMvn|A^caS4E&T}( zKb%m4SliiLiMGFR=7Z~R9woD(4-T1<0W~a0>}U;uv{m?SQ!y&aKYx6{&lhz<5h={M zVy`A-e8yXP(SLBqe-Q4qE`+o9^@&QX&GAoZg5I@8n9XCV9Ci@&^SP84Nrc9no9 zbs2$htcTqL-aso;I7of}je7@XPu0?$G=w-qqM^+6g_%F};Ax+Ur$FF=aBn9Gd z|GcMuPmGz|Yfy_K-Fp91oXY+m(N2$$A*5SPSfCW7_^p~-^vyJYrY(v(TmuWr0S%C?X$U4py_L(>LsIIyT4c&+-fu% zk9lcQt+++=T^*t-r?j*I@EEbqaxZwWQd(f|iL5cNYRPCgQ19fZP-z=C2WVUqJY!=f z#FuOWnCP-ZWB;q^$Aj91FL=huC<)EGMO!BqtHBja+HYN4oC|kz;&`Sl?58iH5=S6v z`bJZf&u^{0(v<_(jY?9wc&Ri>5+*0$ZyFu++} zFBlFyJ^VT=<-6Q%JddXH+Z2$C59~%H<>!{Os^qe)ET;X7<1Qv96wIL~N*er8qpd(c z`K=i=DH1+qYsvE;iV5|5VPOyq|JOAI%?s!9pP7icL)4O5mczK9wcZ$zkjHmcGnfPY zd2a72_HiXJ1nnlwRm_XX_&SI>JQwKjS1epZR*uZDsD>N)qZvue`y&*j^viV^#XRk} zoZ0BsqFJ+AhimH=Z7*@q{Nv3ke81|qxRs40q&O!x;A;1|cedzuUv~9(<)hK>MG`tK z2>ADj8U*%OPsMrPW;Khty#@WrOs^DKdYc%sLHb#LIPC&k$r$43D z+OX7IkZWGOfT|7{^QkDzMWbWQJL61c<|haP%bE^#TC+&T9l5_T`R%mKompPEx_&Qc z9v5T>j3<){`04d30GH6$iP+7|MFh%p$9)w^?@z%t6&yhWP2P{0Sl~ z&Jpevtd@*Seq&}S*2Rex0vw?htu9TSGQ#QSC1EF|qGalX?1r|G<(ARVOk84?j<5?% zKtDN`v!M}>^mw|Pd;!83h}?5hf{2Yo-ZzI=-jeni0Ho@_-HS!WMX^0Hg>&}%!A8-- z6Qq(xTe~02w;iZ2iK8E8(E3U`l2U`|uKt;d1}uyyaAtx9ctC6wx4?=hFlMMdEMnqP zSW8r0Ze-#D0nD1!@S$^(%f$By9K+?2s-#*n${ZggsOfSAV@)B@W zK=d3TEj8?x5}7`;v&U(KgBY?*t5BY-s4qXr)ddq~N-YC_W zXVAcOH<;UM| z*)i31Uflchv5H@9-mFcs>6*Cg2tw`W3Uk-e(>W<45^@(|O!#6K66uV!{qM`!{R4&f zx=t%sm0J@V%54X2-8f=fv+4zV!^2+5F6Xu15m*%mp>$`LZMg~0emENpk#cKvJ^RY2 zoSiC!mEr+AN=lg;(ia8Df6XFsb8JITPyfNPzPqNF`io28-=Y5|P@#q~d*kc}?NJ{P zMXOA6SuEfa35J(`V*819!NFZid60T2<5Z3|QEnk+u!q0t@zyf7so@bk+sFNAHH3sB z?|DwjC8U}9iYyRl8z+w8cJFEcjZpQa+p?K zox{bwe!!Mxck69G}4^W@oPaaFW1zOgSqcw}zT=gr%GLN6T64 
zun5=u@lr?JV=PyedlB8lnnFq8ujTU`CPJ?UqwDbKwa=TKWP@$Rzm`wFsO<+v$JXm% z1B6-@@vk3;lC8`1*kZ3N)y;unG!UkW(RXb{}R17U#w=eEHB%oaWr{myycW=y&EmtHS!W)J?D>~IKo@3 z>*Nk1dSFSGixghtLi{e3UPfh8b=<-xf?HCMKFDH9Z zsx`g$(-3)FYJ3<=nDgi!Yo4_GHr>kvW~Q8y84f#{3b^(7R<;YJ2AB~D4Z-x6o=xP) zwZ+f6Z86P{0;s0x;=w|`_B|xIdN}0gYwCF!-Sb3~Y1SN8s$!I%<}lyT0V{uDjec5k z(n*On{bQWxf;G!_K}o--VCLEgZqaZj=a<00StR^VQp%Of$ou^$@;9ng5>PBIZ?pi{r*+z@x7T(YY}VYWyfYUjoFAbP zz2uu4T?!*V&&ucm1YLCrY0!m48E<8gVegm@p4jO{5HK@-xRq5Y&u*f#9(oUo?*`=Q zUblr-;A60{gMix~tA749VSedOwsTiSxKx zWCvz6k{-u(dTuElz^phpDSUeRH2`KokFu}GX7*9Slx#PU0&%jriQWF~-H~2M z&z;TQ!|;8T3e|a?u2kOYz*V|0B9=S|*$MT@XgBn?67|dAMb8`$?bKO1S}BV1Dc<`S z+Uin3AK@gcO%kRU@BQD5xrA)c!Za9Rkl0R+pJouDzBXj%%V|Lbj9-T3XUvD^o8mXv zA9DW=hD*N2;7x*X5Cy{!Ax=~B^9N^j(qekS>T!><2w@NH2$vNYwTb<*j~G{m44tZ? zC17GF5U2Joe4MnLJ@(zaVVasZk(;kYF9AU> z#wSB!fFR=>n4@&3ycn}+tU)3E`QD(*gxs(vk~zzsiTVgp<6~E(rY$a^6xCuxg-;*9 z{;E8RK{leyI*%M4!`CtHYSArN9QT0!U@C zz<#9lj$bKDnFRouxST*GyUZ*`i zGvMeCvmb>CM|{#fB3zS9!~HX_4tDo6Z9fx(TOTPHgumT@wcPo1>DfR#?|YfoiL)aA z4H_YML*HypoF?nz(?!GU^sxbqByeu~+BG$5W{bNt@I876ClU=q@56O;B4e(9${o!x zj&h-S?P7S-hcevG_|x339L_$gD;a&hT5z-_8KjIN+_lN83X#6|ri@ zmj=zUir1Qa)?6i-`;3y%oapwd!9sPNn*il=ZYG#)LRP2 z39*Nj?^6?&Bj>dB*|s;vtO;>NktL5qEkVi$mqwQsSqAQQIUuH6^bs0EXFcv z#N=mB@&3H04}X$?mkyZy_lD~eaMGOK@iC`bLAJkGFjjA)L7Gqn|+TM}CwA-^GVO zZI4g0F|?2wFP$bH-^^fqdK38!VS$fAG2tC$BzxMDune&z>5$mpGygSlrn|{F^M!O# z03KfwShqqd1kodEQ}D+mx!;=QRIB-J<+dOlzs+Q;xnsj5&+Oh}^&8^*__b6e#(WFS zVpaQc3=BxS4iKQq?;AcFK)RQw92Sj!!6jA4gv`D`#Rvj4PNKn&OEU%J=T8hY(wT5Q z4Wh|`&D*_ltsQ51mLmTs6~zXKNu40Aq$c`m?$0+(keYLySPV}?-)AD8St}D^S@k0i z9@n*ut1z7LxPO&?gnoGV9K^C|2CnRAYsHvv)MrqsuiQMkts9oU|0(vpV$Cv_*BUi( z{w}yx1!Y5at(-YbJcJa+dRLQQ+udQDcmB#4%TDZf_=>K6N#)w%0hBtxNkEG7axS1T zAA)MSl~qoEOe4^=ZRb+8#PB|hQe~C(v?E-nzn%DGWlLOUGR8b1-C=HD zFhu1h45CMK!$4&NeGbFW!m~LvQUo1l*v$Kip$oS;HU4cZklW@|t7N^*Yxi*$l6N}@+UVlm2UBPs74-hhV&$tecu z^by7FnfcS!8|BDTm@i*ayRb+yZ5mbvyvyPzG%JR zaqPf|Ue2zFeIabyWF#7>6_3+|j}<r|$cOZ3Eldo*?T$Af4T~K8T|P(CCcc15V3!+T`V4 
zgwltLBnJdS;nW6xqqrwczh;2zJfoILv$rI$Qea^n@{$)Rf@%GDS9<(q zR=~wQ#O~X)X1U0XQASW|DoPw!w&&5{gsPb9&Cp@N zm*#)LPbgVpnO+qEo=s(hCL7s0{Sa|~DYpJ9Bo1XOst#k6`NRA3QcEaP7+VcpQD#u| z3+up4gKST65t&-Dd5f(v$$KJtSusgA1cfB38)$f>mVA|}HqGqPw^zJTbb8r0>Z`)`DY@2?iqWskk{ zW{kzfwfMTA- zZStoMylqxE|&xqUMK7zYO{J?0{DYF2`NK@pyssYTmhQ?gU}1P1X4CAZc-Ji|19 zP3!~+;4oc(qCSc#PAlFeIxbbf5ICNb`=Wc7eOee4uar|DQvGNR+D!~alP2WfYo!dE zPRP%=7}8b{2~7HjYNsi(91|8@a~|J#xeVexO3@=`oe+hKk7JLdgbk(Yo36@f#Dy~Z z9@a=Mi(OhdoYue1vgHXNPRE~C>*SRsITw$>aO z+cI~6g9V;5qcD?0nk+gXxmQryi;SS6m{N+x}&kx^&6@%eI5C<1sa-#^*>mlDk-q zQLYI^#%PR-*r-e^##W$Uk+>YT$dMprI#tI@nTg=Sh)gihQhtdN>uo6&=bGh87q5nV z7^*2odZuUX(Rf65X}rt_=vV62j8ED!yqi~BjS`4!d%qTz6-8ZDy-(=WeZ$0*jS29? zAk)0$)H{mZfMj>dC@+b01wBi~!E6fUf1yX(G)9W!n=}wx46f~_G%`o=a$HQ%_FYtD zSG8m}@-Zd6Gu2)X;4VKL+ij9|Vh60fv34cv9p#(jYKxpUF`J#NVEJ@$kS21vS+$g_ zaIYq{Icb)!<@}5{BwW5LwDV-F)=4%KuH5 z^Mq4pHmEpD`o>UeV{@*@TAMdXsgIBVw{Q1Hj|&+}2p_eud^!fc#LigjR;x4RuT)= zXu6nAwJtxX*Q(^x8x4O4#BRJXl@W`jQ>FRTX4h+{e<<>#2qqwl_db8WQQTC zHr5<)cgT^k^f7El^uPkNnqK%nDl8wo;i zlZ%>dhNM#Opj|36N&%5AoKKA8)q3Y}&F}g0t%ONCZNGYG*<-G&MMU~`Ndn2^M;Ii@ zNh;N;E1mC(=O7y}e!^A+zihuPAd&w3@{KwAj%K|G|NZi2T6?MXqj-JcKU!EmBdf6Z z6Q`|eWEOnl_9@3oLRB5RDyyjwBUYD_7#(qDZY49n!Vk!x=TV!y*UO(jF`h;zNWnmS zWf+3nHQ}=HrQr>B6oO)C)zh5PW-Zm^)MGd#Afne2|BGvdM2o4?@W&#~6~7|ENI|Ak zaw^0WE~lWXr`-vkBV}pEFga-dd@ggDmALf2x92J^LLA`~TW&Hdmd#L!Gyg}p*#4A2 zeV43^Wh8{S5Jjyt7yQoda5Zq1)G`Urao?{TzoT3h(|K0MRo61A_scbwklYxhdY!Qo zj&_{24YCm-_d1SY%PSX~idf^{wZU|?iL1ioX< z`A;0ADG52Pxy9q60%A4KaEj@l+3nZItfNx_aSZ3&C){5Y%ws%^k83%ManlP_-#FF`kUwMX;0i>NB{)SW~w0V@lP~jjiQyf6f;ODn57C@Xl;K zCd{SN4dky-#v@Q`QU+AL1AHR_zcrkkBfNK#UMUgGHA+KQ-~2xlarvt?ZOWF~Lo8%U zD0(D;DQnleMz%l~|HoZ6o|yr<2ECBcGHtctZ*9FTiN6!BY8L8 z>kko};aS+QOwOY&oNp4Nb)}(cSY^&S!e2zaaP?nH0gq#Y79DO+BKn`=aO?<*I2*qh zf1mE|yCF76hpgxHp&vJsJsrdvy7ULrvLRUE?*_#38(;~h_imp>gb1T+)kje-A1B!) 
zaNF9gj2q&rRfYduCZcCBIQE5#%AfHwe#b*KQ;0CAm45HTb))i`km=-h+33G>kTqko zWI)(s^$*o`OX1iapZkxbFR<{gIYWlxK96-e=BpJ|JFSU&cWkqP3rq`obJNR0bdj7W z@XG7K{fCB=v2wrSUBEI1OAMN)uZ&zbrFU^F@K;LZH5bB!)CXuqgzIX_*{s}Z5d^%! zD7ME`?=MpntwHi3$=s+p?i=V?5)7l$Uchn7!#EF}g!upJ)b$P6Q04Aqth`iScKr05 z`_9Q!(-1^~ND$Vm6e;~RB_sNa?e9y=8PgVo+rq|(}u(7n5< zdF#Y9)O8S(auR6RYIbz8#<1yEE_1rHU}Sdu&L~{-v$Zn3Vqhx^%E#leqDE`A8jBV+ z>lgd-FPOxGlti@2J4ssBUvK;3LQBK^N1Nu@DOp_Y}U7_t> z+XT|Yf%<5~$)0EArGDq*03}4 zHm)%@tX|S5c_r-eqXemEyA3wSdm?@3VQLjTHw}yWD_$P-jlTBF8V8PUIfBgui0*C? zxk2c&d<19YFBSqC=a51ZBeVRQSB}E(7KT=bw$sY=ML&5${*zR+7 z@RTA3Z~kQkD=K+i@#YdK&ym;TMZ=;7wOfYp##Sa%gW;4)xmfZ^shJZSUNLXr5LTfV zbc)o%!(0mAaVat4d%VsaJN;BA?M00Mc}p-Y)Pcm2_VFGr;d=gr)#z`xSOvKjQ14!O z-g{}fCW`lRZ$$#3dq}u}klcBgt?cY6`EB}u%Wd$KJjBQBvz;${7>S+h=^CF3l*1GM zv_?2_BrLjv;fF6N7>&iWIwBoag9&*%hz}D~=0%xBB`aRDcSw(dj&IcoQF`OQPkH2% z<|Roeca?~6_#~AmwWd9!WbFh@m&mqxrN>fU_EX|5Z}ZD)9g+bYVTcOztmDu$oR6*GFE?(89CY z8lQg83EWA6j{O9+Z=)h+oyE-7nFO5^$=`%Cg2h!IJqwy=#=D1pwU{34xvEcHe0NsAdr+wXJ8p$sIWC2%gN zzQr!Bz@%+tQmy~B_L-uT4WzDCm*D&N$ErIb;QmARk~P{mRrF8zq)fVL?aGQ~xH6wG%AZe}PZ>#nM6=5+`L zZnmW&U-B3JEH8U_sw}9mZc2xF*3*iiBSI}=lh&ZGv&M`GRHh8rBUtQ*W3g#cq}hn5 zeYEl*Mzuc#%V_;aNCn4E-+NDFT#Q^OjMGUPT8>nM%r$Xz>T?fcC9&RBMgO>y@yk#0 zQTB#pMWX&4TtyChQSk{2(me;s?f`=H1p|#RTSNCkWZaK~yxHOood2O z#zoSv_g1ey^qkxL`IfsenSw)vCpcTUNY($abCowlTO5? 
znU*aQxkdL-%qJoEJ-FZJ*M4M&Xk1KRk78f*ezU{x=Flj}e@OnnWLg$wYF7f*;kN^W z$#3V2A8JcAbU<=p(llEETW1`D7^C@5ZFUV#NZycr(owA9rw=xLW!)x%6VXPO>UKhan*qef(QY?s}ukU?Ch5Z)|%QNN+xH?OdDF4w??WO%$HXt8uge6)8hu1rC;gPo&FFz~GgJ~(__N(sCr5!FK{&D!T zn27F6+EV^qk5T!@#RsD}AMXPP-@qwa&HY*1T z0G)s41C6uI@?5X6kMevGs~Q{%>`}NIbMt>)wkNfqrkeb&!Q)(v({IuWYT_&(91xk^#|&G+H|D^fSmqG zASBms%ef|QUE`RfwE3(?uT0f{p^C1NupS}%Bks)N6|$KI4D=;NDXOq=EXr$&hSpJP zU0Hm_a&Fdrwx#iO9`{BNQJI7U9DC>&70mKbUizXPzsk%_c-<_v@(wrP9nI+zA*1<= zY`|eGgk|ur2GTp?I7W!#T1aLd?D0Y!`L;XYoTfu2`Q@)W;7TPW{x$TcU=LzH_`_dw zORzh8_)a1->U71{sj+w^`YHE11=hYr%CEl;;-k1;p2JplrZgNEUz_9c&+7>=)2Thy zeYwwS{AG#r~vckNfjVX&#% zc)^iJl=*!m$C?y!i3Gk>tcM}-n-Dz45b_Hjd!`rmZ(l)?hd0l{xt<9+OpqVnc~ehZ zrutWGg}IMHTKb=NcO)`mLQ`!t1eGtV7R)sB2^Md4`J9_pdxz*o4IZ7c?P7QVK zpShbrQ>bx7QcMq!rIHje$R6{PB?!+>FGx!zERcuZ^)TG_hY}lm$cTwg|10)Xx5y@) zjg`(wBtwG~(3Em>Oy;}dTOPDYlS<~5+LdZFJ9Nk?+sOS=@V;qViHq22m>hX?D&U&+ zhXKXbEJG&`0MPz$@%okzvDD_qVw$wqvDG@IdGNM+&9=wg;9U%k_`BRxP|IftZPxo$ zF29sQp$6M<9a~4Q6)Wm1wB4}FE0>ON)vS8@sMeqHbQr5h--N$Zn8L)rs)|kDrXrXn z#zVH+$@r%OULpGr>C(8pH49SWbxESi;y}{@ImyO^k@zO0cA5O7eCHW$QRk}4E0i@@;JyM`UKCR z#;L&>rj$k7Kkjp6YsGXDvmui%D&-W&0yyNmKvZypGavkW9=MY@oIL~@$vAQgq=EP; z?=*YT!4|CB0>F)0C?ixWl zB&9<{5CoBsE|CT)=|;MdZn(2S1^Ip7Ip00!UjNwcRqs5{TWig*_L}-q_T>|o1VR3V z43yN3EM4LS@Q;YyEvR;O%Jin%Acbygk$`4NUiZccpVmn zQ6AQX6r;|m7@hN3`T`_P%50MiXz)E&MA&$&Dt>Fo0p+G~1zeruo6{#eXfMTYF;jJb`zFU5%Q;Q-)@Qy^5z~`(T^W#CL9i5HL*vZI2fHW&lN2wystw{T;ik);V#GNuv1 zozQu*^Gjs_WI^sH19%vczxI1u?!T<>={EI$FP?-;?-sdsSWQ)65c8-q5S}X)v%iMn zG!Sm~&8T=TRI<*f7aFs_9_=&zt_-@=TUI$RkH8Gau6*mHb>b{0O1Nfn4-Z2ut(lP? zHls>T4xdoUH`rNB9{6|k1PaG6Kn?&Z! 
z^p9K6zASyw%v+3>u4h(j!9UgNl8_UtMxI8HXhoviJiD|gO|bIC13m161kSi};uKJe z8;0bDy;EkNKa@voWUX!L+bj=4n$meyB&P{ED2PE|j(dnbr`QL#QJhqtV z3aPUEMFCuYMQloz^N^MNmQ7@xxC^UCo5jS9Vow=R8L9I2kQ6~*Qd}wTknOV%TnHpt zc{koHbPp|yda>#2Br(I26N6%iJ@^69GrCwRmF|L>%V!KE)JIL9@EMuyT@WfBZGY-Z z&swFyAMi7HiS(oqpmw4+Su7v5K+QLQ&M$XxbJZXaLn^vC2A?GmgVK2=cVD5f;RmN< zu;9cSBhMw@noz8V?C!G7s}IKrf=qCNZKvlxzS7Z=qckfwNYt6qE&2+^(MF5P58gJB z@8A1KKGs;YZqI|i9P`&a0Q%OCQ?S|21l4m-`C^v2Ne8820ai_8aQ}W13Hvbn?B;Iq zN!yqoj`K#?fn0E4AV?95uR)owi6-bdsxJ!q)2&iM{k!;{6nCX&9*01itK>bv!1(<` z0ilk)bh6Z)Uzt+z8XnL_a zR68M8(*_q2o}Jc=Hg+D^CW>fqtu+;i(YDZU+j^2%hlMV|RyK~ah{#7Q(B(>y+4vB$ zS>ZW*djWzcGOb(!(g77Yj8KGuoc!B?f}0<#e@~JKcV@|7X+EDaTiSk%^n9mpbfPx|E5Xb7!()7_d&ZC6hN;a(D zO{SCQStf}(K{*k#`&uY(CtD`fklhxdRY!h-9=HbH*E^x@U}JL>odgiKIw+UlcK_fc zbV5rD)JKnNywgyiqCtS{Mxybk0sI4o_u%vsS^1TsTRs%g(t5zf&%HBw184V{(AzR3 zkWiyisY@y4+Lcw7J2^bDn{la@$;hFQ^@ujbg)})vkmeIrF)7)U$wxRRkCFY6FtNyw zFmT|=;T=7ADpWirBzeqzx#F~*e`}90&ma8Ra%`bTt}dENDK+{d!rIhLAcI{&KN!3tu6fbA@3g)^j8XroK_=7x0e?n5FW*X!m|QNgRC%;hxOwED zwKg265?F!u@pj**x{15@-_$}ycgFbm(?GGIDg~BSN zPQK5fJ)eMuDKwrOq-v*Mog0Uo0ubyA=W)KtKA2hPCsvK`g6lk&DYViD$_ z1B(@8FDlHZ1-D2LIzB78$8g|0j?cSc;+09VaF036Qua=oJVHX!9#IlOcOQp@T?O!{ z!X)3~rv2&+Ufz$f_^*2M`VFVe3KB>sJhIIS*&oK_SKKTU*A<7#XHx8HrR}6+WWIF0 zs@%bo|5-6q*jOQJy|Na&=L=spQM|l1RI_GJswR?ZgnavWjgin)MxdA_D0Cs2dN>O2 zBtGpVwCUlQ6Z&G3i%DL_;C{{2_jk}hWiDi>wh>1$md)FG&;8c$ASsgo3u3JB)r@K^sTdTF zo7yBn&rpxZiHkc6>R)=-WGRH>qy?J&HkeBo0fz?ye{oh1mIJ&b5Kq9CP9wg`eUoyn z;JXO3*MNR41-|)`+3VTyl((@N)t#0pCi%7{39dHW)6IPqk}Q4{uuYl4Ba9AW4G-}s zr@>zp21thSEg!tK4XvO&Y;}&@xj`Ad@&4^>NKDsjN6P4VRg2>(d6gH~@G_R9t?tWf zGwiQ8q@-B_#dKe0VgUu??8TzOt!NsuRf*%i+uWsC`W?g^cLK_%2axR( z*qLnn$m8r%INoV~aSvR}v1ge`c*eSt1m{<4;Lao(m0y_s){E>kL`YE2UHe#HRoODv zqPo&2F-YoWl6gJ43>ib2zFApNnn*M@N|xN_t_&s z7QPZfI!?b-5xZ&5`l@8zqJ@ho#jdoFZ*1sPlP}Y8J!t0#>;mlbu&l!rC(b148!x^3 zCAPm?3<1UaPX!w0!SxQpl&#QLzJuT>?>J1$_>;Ue+5!W%jjS?0$@$!R30GUDhfcp{}0l2j%6GxJ9607R+o z{I53Wd5UST`gywD$kH0JwP=g_0S^#}fPx}JjbEi#yrkYJaAK4^&zP!W1Ewt!YUju| 
z;XL(tO3lRKO=eR9#j6~-2sZ(0`1AJj&6!HgxJamxL3J95e!*4o{>_86ZoIPjI5Y$F z-j99Niv=d(xN3&eE2B@Nf@xtpvxS3i1u$#TDAeJZdkImCt{~)#0%(ohx;-@AKgr_1 z2r@`_p$y$`DqcS-A7vSM$#F6;`~Eb&id3>4&o6`8TRqN(3C5^2V7?%>Ui$$oilf$D ze4$eNTX_T4F*mJ@e4pD=e-?y#xjizKr}+3LxLXwUiQSDI@5xo=wYPZ{i}$EXR=c0M z-?5FfXcugOe$#o!e2)H)(#Jc#9OC2 zpuR8-8;-$`Z>H-7`lD_oO7-F8Qb~-={zrauDn_9ccUnF+Xn*3t0DLvt<><&(x8{ci zB!&(5S43fDWjBx)-cq8PK#_A8>aZ;4nRpClB&DzPAE$qlk#jE^e;sBo`b~QHw#VRf zz802JMs}=Fe=S^=_pm*F)aYH2rZsi*lozkQQBps`73R*AQ01jvaY@WMJtZy0&6L5q z&?HW}H0mIEfE$1}hpU@Hbd!{u6z1uKp~jjqe3AzUwUabc1?wED>z5b76F5UHEa zcQ?y;;jbF};HLlkK7|hU6EPKD#p1R3EIfqtT$_3w1Qg~sk+MuQtBl($cq_%Botik% zt0icqwZ6*0@x~jt$XTL=L7Bs?k)`W@B;k~L3B1qcRqZ9=7*(bBYiuulyhbP+WMy#l zT_NPPM^r1_4MOAl1@BDzqBUhnUo@OD`S4@a)wd(lj=Mf{M`WBO5@h?SG{njkAK;}C z3oWUTc811^jPY{1>$8s(o73cb=?4Kj6ronFxL+osV-L7@jtrM z;8y|b$;aZQtScC-U0vC6(Bg0BfP=4l0$CQCu zVFa&#^*+5T53xMO{d_E>#cv|(N{8w;$jAY}Qx!JsNmHsJ0fQWF+Wx)q0}}PK60*_q z)HZwb7JKWTVvR5@Z&Zw?<$n;_=G=dT*UraFdw<2b;4>}dVc62EMdobH6vh|t6S!3n z#&Iwzc7BA@w^|}Pa^n`xIB$Exy|XqNer81Gw9>`82^DcrObhQUorxZ0u;zr#e{+u? z893x&`p(K&2VsyF%FAvHGU)OH8Mr@S-|sTB+P87v^4LDz%*cMjW@?CU;v(1UI(suA zDTfEP1xh4kx7Y;+RR-hD*>+QNejWD!z4$PV|7cd^F!)4F5xTrz1I2iwE#c5y)-o-M z&2h#!Ip9ksi}B^6V;oHaWV!w)-YSEcN4y$p0!h1rpO#=Tj`O5{cW z9`~@N9zlekQrv*6o4o3m`(C`Fe84(IOUj)VvAw7ZxAtDdeqbG%zo;9EML!3faeQ=}gOaa9!4DawmA! 
z@RgNu;F&8QqYy0>qALag{kACq!SgLz9jr_>Zm*a(_6#ap$z!8R1c29|ujkF&2f&Dy zB!$yXB~wbWC0u51r6jyp;aaKkTm#a+s8~+CSb#z;&T0;FmWC`pFNLfBpk`lyI^nSw zoO?)&hri~l*N0QnabybRMZ)& zA~D5B=Tw=pNAupUrUtx2T(KLfafWqK8>KV|9LQ=Mg+&^9@5@-49VLIFE~*ACr!N(9 zVY#+@5eI>F8b12>PU4jsyN>HD>h{|w-nWbFcc``mKJqGya8*$|z-3h3%yL6G*nYe& z6(2p)mqDBs{V5(Jcbq&&%*;=*iOIb4<6gGgmO=Wl>_F^P=EovO8kVap2bzDoJ% zB$APN*r?KN%gE_Pd=`UK#V^K?{BohSndBJED*Jk5_VCXh590_MXBsH+o;?+j?dgsl z+4kt^5Ep?HwINqjja$sEN#9PaXoLjJ84L&?rW?SB zTVe9f}db#7L?cBzbDfTO%SrW-#?G&nTQ zmN!7e7e_VO=~yQ9FQ57Qs63vQ(9l~f9t$>C*k+i>cQJ?S_-V8<1C7v# zt%}X-3=xO$%v0D4v0mT)@f>NKksW!E1uG7w`mR^Wu-BxCFDF_ zQF!k>X-K70@6eRk|MHX9^EMGIt_3_8B9(ufKDyIrohInxZ#T21& z`zWo1sc&(W8ne3Z5}AQk0u$Nm*?i6TTU`C5C@4`TWp+31d1bRL*iA?%#kKEo-93aQ z(J~p2PEuWu9~yiWQxA(3pC2JOm@8Zo6q2~De?q0NeZ!!W@6MNk5eveo#=M=o07>fZc13O7Beb7@rG{ zSEN%#RdG+aNfKekWWVK&eFn3*&3(iAy+ZK(kY3{6AaiMFDr*KT`kJK!*a7ymu6yUR zd5W)bl6e}%fshCNUeH!#DzHkUeljtbwuAM=3wgt$^#gvW$}UYnhE80f)MAH2kz;Xn z03PLVQRw~Ew`pL6--15tz-{3i&F!XE-Dp{u>MCg85hiuh>9+ak&nTIp+HJ@3!BCks zcZNUJ7(NvjCMfcoI4ZqFp|_L8RAekMqIOohp)$IO{o?CNW=JRCAtWa!`yk0~4hyue zhTpeX!z{6qbuh|jGO@&~vvW8oc@=ynn!sp$mKYf)UHMtBD*i+yHDR-IPrt;_w4(Y2ClWaJvfz}~ zTSHXTifJ9FTW`f`O78Z`hz0k}vm5hBmIfV#+B3H8rI z!H&5t&%0sP`FtfZ1IohF)Gf0|a0oxkQj!G`Mi6i1znGTEE%$NInj$`G&Y?fJdxilI zGmWa{n*OTVhFUU4bNrPE>?UjFRsx;6VyMm{ zLR9GqLcn2R$YZA5c?uuxff{!3GX`u(0OUR(K`aiTA15sPI!fDt;aj|JM9qRzX+brKa^jggL_bb#U6{-BnWQo;$nUkCdfwpxr zk4^_P>Oqe&GFztQXO&rlCz%SxTJ#M@Bo21Z58!I`kkKs=SxdN@KOpHO6UC2jMMm{W zCY7m|I4!QN6mUCh)K}Fq)n;J%GW2u@YS}?niwU1-wH0#(?gmA+pT26J=5jqqGpT?& zMRk2!F6~IB)~Y@sJ@TSLZ}TG&kmF3)La$5ku{?M6Wp7a^sz^T}OEC_q|MopU(O_xF z;_b@-eCh*w$Jg{DzGd=!Q{P%(cV6})8O`x0YeeWyqw1nxtYqm%p9JKeh@ej2Jej&@ zXyn>3wy%o+(|i}*6DGHeZ?Vyzt)F`z>D?r)TE3o$W>XogcD-mG1>mh}#hGWE$y$Q_ z@s0rG4h(kmdpx1io5%6ed(0GynKeEY6aF0hqpqIRVe+k{oQK|tqzF4LX4&L2E;TFd zpB+5n2a`9SBEe!JLA<|fP^{w_sU2s8i!@KAH@o+%!l>YrL4}|(m(wo|b-ye#9jZO0 zee}A%4*C#iIH>C?Ru(twk5V+>$eHOjDH&jL8SzNBDT3!!a5MF;DtHn+j6O87-8`?) 
zl0rKH=TTN(z2AH`W4E(0uv}u;AA=NQGkaukdT`Pd$9g9)VSIrc26H_=_deSCuwalQ z_#pA8#2M#k{IuZv4%Vf)um`LCUsOeob@xitsN~^+-Kh20WHYOiCvf7bFnvfBx|uPF zDBQtiO{lkE4J|uZ-^5E(4!9K5?)(D36dA%G#=TM*;o-znLpBsUtRWl%=WVUpnHKle zu-|c)ESoeZ8$4Uow0vR7bU!;+bFBWo$qAh;8O;0t*E z>{~5JzOSluO4m(9_Mb((rHaf|6!q%f3ftSmN|g7(3w>#Ih`AIH*H7I@H1JIL5`nsb z?eEPSz{vswtt8`xK}_w*TKeI^uSxnAy_h@*?*j;r)$_q{;AW#_On83|sSz6B_?C6b zQh5ta8(J;Q^brbsR;?^x^Pubo<_tS2jEz1WikUbWxXzJ$Y5rE|M{%UY>7hYrwgtoq z2Z^)zb)d4J*XvHI3F({(&&LHMAjA;IzN^?J-8=pJ|7xkwB`+ksP06^+-~lqB&28+b$w^ z;gSrDbDPUil+~!^tL5NMpRZN3lz}fi;>GU^ST|7l?sS8qWy>*R$uIA ziS~GhXg4TWvXtgv{4$dRgINDkWdx98Z&c$_N5@z#XCr0$o>__#V`=*APW?m6hMSwq z<1n z((-(`EyYUy`bgH(I|fG)@!t(#(`YHp=V0WY^~}4QTkDfUoLxSM=@B9T)%KED4f>_&^kXW9AY*gSRj$Ab) z_duH2folaTT>A3Cgs;#%?P~k?@Vhij^2kdzjGHh}rf=$PpT*Q?VWKGOkcn!;%1Ppu z_Wq_aLnmeeQt5?I*#xPqC}NHT-~(@V@1!hJZwX zn3DHReU9K|iO|p!dDpJqKt>|tXyu-@_%%;oV&2FZ+(s1O^@?7zm|)~^hw0wH{_E`S z0NIrgL?;U(M={SA@Z*7V>5q>K3s-HioMraJI>|~$(IE?N8c8db$Emr31;A5(|9M+H z8ewIzdSA}LPxBIchVXTyo ztV%n}eD8WA%%6D^(o|En3J7{>h9culG;e7LFG- z%|R=k6Hc6*v5d)`VxGVR9IK;b@)wD+_qy)mYIhWE-a^(ej^4zGW>ds@&B9LyLWR-U z=ulMWwdU23mnh${mqwud@(xg?EsK>A5w;g9Rj_@SQ`r%@ExgJoXyK%drNnOptjrWy zU?{`B3;AeDETFhkSFSw2UfkmGFppvRN3PJi7BFEQX{2eaKM1Z6IkWDi?*mK6lC4Sj5AsCM#rWMFf{K^rzM0c?7&p_5~On zDtifEA>nIsbimqg(gnO^6st;fu72qxTDtw)b-Y=`TtL^^hPcjGtgs@5htw_lKKmLP zZyf@*!2@y{9;V0?5q}d=IvtbaFPII6Wx`MP=P5tB+)_N!JZjQLLG$w#8sPxc>685FXSiOD!@akOyD-CV*9f5_5&0qh6K>r1f1X$ zOXAl^mqu_tT7X-GrMqhO#&Nb=Q!qpCH03tq&63>sxv1q*Ub2`s7Bk3(X z|2PDXs$n){XW443x0R8wQJ#ssRWRRZz0#!1SM0m2A$|V96zDZ%cZ^-@b0;2K?(!%S zGc-9aGLv~g7T{KcE2T;`BU?uC*ttk$#H8*X2Z6|XYk>iUzN&0Uyo$W?v(<0~e0-bA ztnHzsiB2}ltazx3st}5p^aa}*N+Pb=DO8o7Ro1-dRb1*+{w5H3K%Zaq=8xc+NTLM( zk7gQBIx!kYK>cSoZ;i3=t#9K8eI#|oBB=LcT@Y!@N)zux;$-Y6tE6tHqz?TqjuKZI zTR0CNh#z!%N8k zLmYGE9{p@GtZ>43rL}m@qPO3-BO`e#_T&J-%PtjZvuWVH);uE@HL>&G?K#m755?+s9v zN`doh`MkGjp47!7?7c)^<2*I74_kK?f1aMEwqmlrU@;ku<_XWmq&9B*h~$Y?{_TY; zFo0h;Xb&NAZ`TQ{S^R4X1bY{oE$d`^u3Igj`sG?Ja3Z?brv`X^2K#6}zYtyh%=hAs 
z0c2?A^R40jovHHHbx;OD9Kbbw++~6+H$Zjx5nniHFCa0V zm-o((KjoU}#pFo8yUq~h#m{>`OR@f=JRjqyRKY+0p}e0)cP^Co)9Kb9<>diR-hNGl zQr8)V3ck5e2jt87o%1>yLXe=7(^Dv)Yes>HJ2%Q-a{p7Y!2c(?|EX92;>^iCdH*Ti ze=GO&Y<#VRt#w+YZeI~UhqCC%K>L*YxtZe7n0U~*w4f{;0$67wmQ4PHKcg^wCV3y%^D~2t>y#^SOGf)cL^-E;g)uu4VNRWfJs6^NgcXIDyiCb^<2`>2uns%Y5Kb(7(Tu1JGI%w(7sBd4Qwh@E=VXx17AF+&hmVY_ z$`+^2yM`vn|4`%%f6&BVRsX+4!}Q;xG5vQ20{&R2|KC{Xih&OPTLXc}{}B4u2AccZ zK)}DSQ2SpN`d0?JR7q5DFa7>P-dq~Ai~(q!?{)fS88|r1Zg#)DO^+xVbT!mAo>no? zqnD!TRtxfev_buH5@LX`=pGkd@Vn^RdFXRLYm0T@8vJ>1;}?yHaFsg~Fw9Zg^I~!5 zs-n*rgJE_f{39M5>GuKw4=Rja7UIbIVjQ>3_K{!wa^w~v>X)WKT~TOM9K->sbyZd^ zOLxOBT!;K&mOfzhJroon9D43J4|^g!>V!kD46bmm8+-Lb_L~<-i{>W+ChNIYWJ-dKZ&&|-68sf`df*k$%dKL-d6)-lt9T-*P5z4VsNi~f z(BpL;3jL;xvH#`vt1GDB-H1T>R=*UcFbR#x`qza$y$%vDJXp2yGZbFwm#d)9uk>3o z@K4c`P=dd0_3_JH8mnK?Dk5O=P;HVhOW(?q5E2{zo#g*aFaYL(3&|jdOJ#9^7r97i zvh*@-ljju9^^8lS%kl9`$$zP1OX1or=a)!J+_w~DE(4`{_WDaF!ryH z2FsVKoUr*D7o@D80m+YTu?mx_|E0423&COjECq{VTzF!_{)af$d9ptt&t%=v9o}2dCKwJ$a^h}dVu=Z8SBA382PdHY z8tT-O$Y3GyC#C_DsZmJ9FISrqx9uopyUZ2=w&&%G6c@nK&Ne;AcZJV+`J9dm>xOer zqU{yQI#b}hPG@~ZaM|C2U%eygXa@q$6EEbt*P1)XQ99!;FFb$k!eIHA9>*EyuhRv~ zmvpa!g0Lmb0$CA2Qdojh5AYXeNHf^|-(!Y={9j^P{85i7ZcFn^%Yaxo`NMz!!qwpV z`b)`Wlh@cr#Iv%Hp0CtEBV2DSd&Bqiw^M=2@VaJuuzaZu_$wBIum!-1OS->NK|n#Y zbZ(+Q7P{UFDgRN%KR|&LE)Dc=F#(_r60d{$gUJs~lexWY=296%B(K251lq3&iUedE zagD7Igw=Vn|5vTxqvKx_BjmcG781apNPvt3E3PQxnnTiDwf$945I<)7+d@|$Ls}ud zFO_i>G5{JD!r{_FAcp?|CR_=(KF0aLE6TW*sd^GAuL(Yn1K@Wc{G*vtq~12;;uZsp z&fIHR0aCuS{nVv}&gp{XOS)GFfA>c2}kY=#^r82H#2FsTQ`k!F}GnIW$qUkSX z0FdR!KT=ihHPinc2iIG3|H@QlbJvssmM@hNf5k!&wg6ahN%uFZ^EDCZkAJ1AKbU{F zg1xUO;~HcL$V&tLTTB2XO0I+YjR{OuEaJ8nS4{uUO!eb$w%6j|T5DPAUzy4`0qytw zR|GgGv&@4Pm&(Ap=C5G+lI~Sd|IAd^TOs93Wn2XXK%x_@xU>+6;jgLlKf~mQh8I7F z{ablZnty=0>c}H|RYZ4A^X-s&yn7vjkhb!lI>k2hAlX|T z>7D>jM9Tf*n2;Fi{0@}BZ!Aa*P2jgRyt$SUyuG8e8deRrqn(C|=^qEPeb&I%g2CC+ z_KO5VT7!}^+_lwd?D5LVry989YHFO^qsMmEPc^EYPZm}u*14^m?ysFu&MN{Qjzxgo z@%+wdLemj=NcFDeMDl4|Q)sRw4H8QX0G@!mwf}h~rl!(mV>6+tMAyyUCC5<_bK-Pf 
zaRLFTWItUD{S*ouE>)}o?k9RtpHfD-7v9~)Td6htIT?!A*5pB;Iq_a&cWKuiDRgS_ zli}W3`^J0jh7s-{VI(d6lo{Zd?de(Fe1}$bDt=CN7kY8$*OS?;o|Mu1n#a3!z~O)- z_g+zF@|5X>NB97jS#rbP1Txpj(AcRq!OxQzohli3^F6^B1u09)&)i5`T*XD4F~eSR4237wnPW#cu@$1RF9$=U~$oq0wn_}m9; zg~?hQl#+R7DU$~k+1ZLQii$@uK+4Y3Elua-zL%IbtXzjpr*oTqvxZzfD`y*l9<#UI z#}(V%PQOi@kw@2@DtCCKb#BT^ZdHW1?{c`~w^wg}@*k=>3py;Uwo69pOqM*6C_Ic< zXXxL@T8-Iv-#wVwyI&XMVVR$fd8$9ITK_{?-CV*luefumw_%HAXhLga3z*nJm<#H` zYO`~BS*AMHp}mAzYqC3Jd4rVmxCfXIS}B~fa&Sr5(b=$bijv^YjGVCiSjyxPxu;6m z5kkA^u?%E*z*5!BV1Ai$)I75|$?@0@I-4a|uBjCk_iuYcbDR=poD>#_lovKfW3>f5kP? zT#rX*YfUE&Z71!k6G_!>8aRl8M+u~RNXIcJ8)G|ZJp_A}uN)=!+ozZ7+BfE=Hl0*9 z8W!6dHEGU@YT%n0@FekeKGiMO>Y5S)4jJ_U`YV-MIEX z?L&to=v$EYX%{BAAl*Ly7MTmoUR1@rXuo+;W#qMRQ6=|M;#XCMH#_W~cbP{ndNboe zO0}5C)e(1Y+-Q7!;|3b|X7k_wUfi6I%m| zy#(LujS)HGgK|;#6RgYgjlAcJby24DeZ)~0bmNAmjlP*JEe+&TO7tcaI`rim*D>Yp z+Pnkbv`z|r;|9{@rEa{qnG+oO!WZX4P^#}EDEC*9Rla18Atcg&U@75&gS2j4Ct(~K OdE1ZpPFWa4)c*mI$b^>w delta 29177 zcmY&fbx>3b+qaMs5JZrcZcw^Yy1U^bxuh(xH0L5E-5}i!OM}FMBE57s5=)0POMdJ1 z{pXuu=FD&&m?wWvo{6F-)zMFI)s>z;BYgDe5ym51Nl(2v+zQ~&vy6r^3F|TH*H0cj z!bd$Uoh{VC&YxU4Eu6tt9G;F2!Er-&Ki|C!GV8u_g4ZVSVDyGIo~he0O^%MI$MS`h zo(I-<_b=$VP%ttCQ}S}(9DHF9w(1n{bnp56lgQUiJ@Z0&R;5j@KJq2!Mb0-hX(@D9 z`;4_WSx#~Q8?l)$I^9U^YmI-6!5bUTl=nYG$`ug48uxE?dL%EI^AwF#G?$q^h3&J} z{Yb!%)Ohq2)zbE(iS{?(Tzq<}bNGU~7^p!Giq@sWjP?pwfK*SE3{Qh%-cBo?6-GYu zfb}-NI%svQlR-@QsQahIDWRTM@&sMJLc7Cu_-my`aeW|5zYdA5PBQ1T@bE=O>Z!|^ zrM)b3zK32HcMi)>gwSCPW$?}Vt#H#t&QOfW-J}1n!n*Uv9nb$$qBZw@Etb=xN5ltD z9=$;+(bIv`!x?PvYHMZX=F0isXTa1lW&_CRRkaF;I2)%r?zM?Hp5^!&yrVy#r-F1DP7qP$=}S<*N(yVLy}xj; zyL0paQnq~77w+s}H#c}5H+Me)W7EU&)?2Y<*n-H0y#i7CfnQq+;N;Bdfwv$sJSllu zu4Mo2H^gdlz~+4Scxx zuGw31bXz;vaY*{W2k}U+nmFJ}hnuAo^I!d#?d?}-ADHmVD$Ty}t84C1SWnuAire0L zscf~eh!wyS9r!vl5~#TCWbZ@lf?5dR55E0!NJak}82iX}NBHoZIJvNz9N&Y9J8&ZB zZiN6b9CJ`P>UMC{-DTd6QAM(ub%jpdUm2(a7hb3C$tg2%pRKZN1^)8PYqNFxV|Oio zanb#Y^qUjUmgyTgAvI*x4Wi}B`L?oUJIaE6FB8#Pv}XWq#4mT~+T|k9=3=wwg-l+Cl+L6#QyopN{K_W)m;6PdJ{ 
z&wjNCr0=%fqFK6Qr0@(bd&?MgMirgoKFfTnM>8^&;f-Ve0@2qehWb`N!^xSHN zt|LWzIxC!1PWxfZ>0`^k+_|TgKw{0Jfk)fQ?ty7)N25nO%I*niYKPSTC5jRAO%huB zDcZd`e;3@8;0cXr2lAtJ;MTDfY3DHYej|hJXz4i7E{5LEM$ychv!j6(T6XK%T!h{= zptd=_R-D8m`c&8kQ`@U5;&B zO5V+Bo6R$lPOrA%{3RwJy$Wc%YigxAuLM)pw+ei%>8wh=AYkP5a zIvp%*il*mx+;4LA*jJ223=sPE>y*l5()IV#y5j66@53q4O9^1)#}+N#8M&_*+QH!W ztO#`c}hrLu{D} zGU%c;laQU2_H*jMM9mD|(8X>9igyylxii z3pdFJcBAi+>t6*OOv$Zte>$CLU)yeeS4(>;M|P3wTX`cIUio!hYRLtDgMRT{-u2hM z-%U<(yp|tTkfse?C)PeVWzy)XXiLe(v8a)@KAP#;S=}v@LeG`n4y;w7H!I zQ%&NfH9nB9h~K(r?o$fX&5#Q(zu6lym0iCKqwBdzA5$6Q6x7PMosicOM-Nt2@wy zSX@%2q?7|9%g~i2&WQu-CWHNzetS2P31dX<7lcgX;=nKeI={BXO}z92f5t=py~0}w z(*h+@<+QFZ@h+-)Q*p9*RRd7*)U4ZA0bZD+g543pTWHoa8Q&qnuWV{C*x&?^tj+e+ zugQ+r8D33kj$#`482De_jMmoX#3Z3r*;=JFsu=>Qo3m=i&doLXpu>9(et%=fHPIn= zaoHZQ&BmU90V1{box)bS0C&9S>#7M~xPkt^Y|1m3w&p)li9)=&u(KS^&pMI>O`v>D z!sp^N2~G+dD}8zQT0$jDD?4V#;oQ(iBzpfwVh4DAn*TO9>pqxkfi=_QxXMN#*VUYf z#cBk+pjbFtoZPgw%zk2Nj1h$K;e{;;F}>m0w9JY(@98+N|9HC_dP+>q4T9f-@y@Az zi6lKZj-5EdmzB|@2U0iS0j@1#Qx=7-aUO$TGs0hIc5$q9aNnnH;mNXez@qfZlB`%_ zkcf%H&c3qZ+-p{UPkr_Y{ULV*x>cPLG7`9L@gL{dy6Qcc0L@n)eyG7u59F?V1F_bP zx0yYTW{5sf#AtycFXFi;FRFOh8+PZkv?}{1epS+F1%61-)o>I3 z%stXqwN6`(^&@Cpa5QA4qo%``n}2S9!KHu7i=#Vn1qz%Zzpdk87&sGg;9p6;oCK;u zbuu;y!$_JIhE{)g#xAvbQIYUd^&Uks`_*&T4qbElSX{oGxFPhaJBYkgam`ti*7RPEPkC}5r;R?sPt|*NJ~vb$v+rH{3HJ5H zs7KHdC-{ARNMnLfdrB9P{l5%65+9@hd79{YoY7sYf2Zw9bBc~9o|g!Idl%=BaMV|@ zp&~WXpX6&vL20Y1BOAn{RB6%4_TKu)2yd)eq|jORLkO$Qw*?mc+j8IEqFoD~RhzAs zCof5aIA-Qf;9SCeq4vmzC1Hz3q#|ZE_PUGfJ5A8E&RZ6We?_dRf3mILSI=`=0s3a5 z=`wc?(0OM6w|tZzy)ihqb8n*?ys-^on|7Ji-h0O7a+#?~8&<_52JJ@6P?`4;!&JKI za(&P1Z4(qa25ZA0O2&!kC$NckUbQwRNPl3)xsLe^no zlYD*i={N@}6Pd3rLQH8v2RQC1=cwDS^lmq0KnlTHW12cdy?zfwF#N=;F)oHHr)A7; zwxSENuZ|~DEtr7jvTz*n;=E*j84E;J=C*#3ap(zqVSFk<2TczPNC4(bUwxHK`&w}@ zH+u0BlR8Xbyiv3`-!obkKUGbZUXj_~MM9h18j{IpZ0}v-QPQOjiEI2J3X1(e4l-(3 zfR`=J)Z3}77grj({&rX9#EdS@ck~}5Jvcpcg2lPk^o9UYl#uc7I~4GI-}pW`b^{g? 
z+odNY0D}AqS&1E`H8J<9C(Mbv(j^bY^9j&}N@~eFQt%Hbi`%9K@+j?hy>`md@9fvo zdgjGJ)zL_%-~M`o$cI_HVZqUW;jhJ$cg|~-k9gU&P~iukBqv80jk9Qd{}vaQ-=@_C z_N!L#WI3JNa^NH&)|*mpWy{Y%bWhb*b-{u9!LayyZ*FKO0IruNtS|dB>q@ z{5>rG1!|2a2?v{>eB?lN*!e9Fr7qJ3faj=zEp!FbCg2&Kp-q4gH*5a`{%~jDpPwfv zugR&a9?U(!5tTf03SRGjDF}ID^v#7xIN55f+-TYW^~Y}sqzGIJ4%k9q8Qs5mGlNkf zJS^q9N$YKb&nyRs`SY<=^O6>qeddt@(zy+Z5L)SA&)#Aw1{k)+Pr^DF z;RWqgYv}9c^`=wdcA6pM17F19Af(s>eE3R+uV;Su<$PJu4Wom*C$#cEQ%p*TNr815 zdcNY)oQ8kT&@8omd1kFU+G-$(Ja;tbBnVv|9FH)Vb_*GG`|H(wnWmjIr@TorEj?=K z(VPDaFfa9ywH^YGhn&hmpP*0XdeSG?V3oN9&4n^;d*rH^Yn}}YZ#gSkQPW?GE)j%FtI>nD?#oqOQn`%V5q?TlcPpF3}C#y>n z8<(VBtFPHTP#xY{#a?m~Ko>-}CV$g@Sa?&zLz5Ik2-n36xGc@Uc4-<7Z6B&``nEaS zZ@4_l4AZ{7UA^m54+Fc$tn}_(HBz6=nY?M0)~uqO8%qQ=369pF=`m{f^`t-1KHUbq z1rzj=d4pUVM5LlJH!@+ zj?L*Vn!;;WLjU$u#jkM;Tjs4^Uz{V58}e92eZD!J3U z$GD6Q%ae#Jxc{Z0TAIuB&WLPxS<;Qln zXz1@fyAr0qbfD9ie9obs_N>2+=3S86(+Rf_Xy3ux6zT%eoah1??2v#1FNL&Y#coI| z`_Yp^g+K7@lVUnfrv&7G+u1Ym=KJYQyi_w~(fzF%leOs+?Lo&52c*Z2nQL8;RlHPwr-O zq@C$+cx<@2h!XjChR=eE1@)Gn33JzFQ9EB-h~N;48mON=>t6)Mzhs3RzEzb!;;9Bb zmiT2&^Jyc4`uu6cGqphTo)MCqZOr(W@n2{i%Ma5cEZNYfesVQdN?x ziD#a9Tm=C|3@nU8m~wLV^_(!__3J!T3}K+-7~hi2|GAam*|@3!>6n_?)+mZm!R_cf zXE3fhQ{mok%&kvQbyUn-Q@fA%@_F(4oVQN^ro=py6_rxFujx+1b6j7Xbh+0Gypmqw z4o*lf#R!405kcZ#Jinm9(bR=4IyG69tE-?Xbj3ARUTA6=kPfMs86C{MurE)uc(7^y zVADV6(0fQKThZPySB4N=xHI&xUZ}ve>}vx_8N@>YM&(mu1A_g*LGKW@9s2Brk?kG; zSa2l^FZ>hzHItoKZMi9&T@r?{PnwLcTt23rtRA#HWuz!*e_h@F2u1Z5>d;_an#r;g z6EnnT4k71gX%@gDAw-3_W8k)w|ExrHqkllSmnoi)SOstq<+{IRT;Uq(Abl8YQs6l1 zfv0bKbKyks3!jTl4g7>?0hZsQcA^~a@@s~j`ERV^INC-gT0LQlOC7wm(yI41%_}5= zFym#mdF(e>GBV0d`)RsdFzzz{a)E~juPxjsv?lDO&Y<=sC2@%X!a19{LDe+L+$&8G zhR);uug*>>_Q+mccEelmCgr1&AUWkdA}YSUHhn4`Dmq}NzAmr@;8=Q;@d>iE+wzZ% zHPNK|4=Nw(-dEMpp{{~5Ry4V$A=RJ|R&17`KME=&DIFXXfCLG;u@QiTX!O~9@wa|D zd==Eb57bFBPzOC%!1!aDm7PMKIv%0CcK>1V<$Uvh;16l6 zu2@U;lhU~=(Hfj;iYp`p(`x$>^d{WN-+I2?7kQJ6P!O3;l|WJaSLY5Fq*xA(e<{Bf 
zO2`_j9{%9rz#3bcpYr=ok`#n6k9K*%tfj~5g#%o8z#SQw(!2`37kztj@B+|JI&o>PBQd_&?OanalruAk(F3?jRyOAzOS|IecfwPiOdRnLa#pHrQ7g(bKy- z<;c9<%uH!=K#bUTtynrwCb3i94I;^6g$HJ)&W$7^;;>?L|E=V6X>48Ov(WJ(dC(3| zN;YGv*3nY-_8gnh&kte|l;3n>OE>6oBVfSp;c<4g9)%OW?3O8N?ywcUjPhuRn#x=yPl7bKzJ~1~-buIomaijm zCT0z`abjBOprIuL@LncZyLS*^3rcp}ig=0N^LTlToF7`W;;A$!OgZ;lGVeSsCg*q97DZ3->{bPch->70)r)27tJ^vh@F_%E~>+V(Jz|Qlt zAV5fu1zi~6t}`=bnZdQ2DliWF+AYnjAz}?%2y{7tW#iDh@+A)HY=DN0jc8L{1HW^j z7gXcj27Dr7hUq6{4K`%VMwvLr;?6bMqv$06*5O^=3Y+^Waf2xN-9K*0Zx#?+uw(Bo zx^;j%Ylo+re+&=q&rCPFB)gA){zrv_Y!?{#ly;N;X!q?>%^=UO&777K3*{!YQxm1**WNu8*Vyu)kVVFNs#8yd+z3 zFG9j9T~Fs<1d=f(imEUi*Q^Qd#}O}ZSLuyNTLHCSb zQ=-z3f5s6;RV6$_phM;%`x7C?tERx-uCKkf)JY3S4) z{VcjlXU(=2a7JSA%Nm-13xZMZap%M;bT7Hs+x<{r5Y&syLbU9Vl}B~{jth6sN`olro~}uPUVZO`BC5Ka39wULvGsa0 zf5~VD7&!6UyNiNJT$cJS;)j~BElilc)ne8vv3yZT-5cSTOvQngPWBsaQy)!p!*hk3?Zf^J&z&d} zTNz?Eoahz$^Zsu{0Rd<66La$v3?tyTX}agQA11zARzhHGiYDwci8(n@vJiyb+kv~?_i&OMR#&nZ~d-1jnr>-BHJk^##nhjva zR+uu+h^smIYXYSO7D=6S6hV>iw|gABUIjm8w%d3;*SEemsv#W3%18wdt{G;|Cvv8m z>&kx$y#CyB`qf#$=Xy*~j}pU&%QcG{FVUL$;K^^od- zKu4|25`qNKbbih+*)kAPFi{0r9@=gMf)3f%f_7Es8+|QpoZf!q#|_F%eY!A!4#_IW zC>2r{!}yz)OE2Q_goIKTyo$;|I?iQ6fZ$r*d+y>-9d#=&gTslzA*N0??2dX#eD`N5 znNmG2u7Xxu=dM0=9OZ9`69R-m!vnwsY{nti5pJ!E zC8^e>WY&N4Wd4AUi6rM(UjD1q%q=Wb=$ZsHF0Mdl<(jI~^S>y9zMOphIFjjY=E-vk z)`b#E)0rCbQ%E(_R)z1Zm^}ct#w90>vh8YK=|N?(CL_5jS>>Q0lT<-b-l&0lAwB~R zUs#)oWBgYLwSmL>lD`jA-Zl6#HB+8a#sx8Z;By1{6-l>xr)d=lZ}z3}tMQy2Ur$M3^n?qO_d!Q zY2WJ9JOFQ~lFO&m(y=X+eK3!vn%mIGF z=S5zotlWc`i!lM`63v%)d!3#uOdk}p+Z+Kxf0KzO%esf*iMxh+Y`!1AB)sw=Z&%5* zwv4@KQMtpbu?^olybL2plgD_ob?PV&iM2XO)*CajGp(e}0Lif&4~SQgqfK=KPh6-> zytbnv?Txg+9~I+CCKkB(xT+QKXqrs2pYCswyj%jLSdNb|W5z6hsX%Jg9MzM*p2pmP zNK-_K*R{*JE=FDiG3$8{-$2Kn{8%4;b$-2^Ke{KKanImqBUrgw{8rtx^Z+mIa|SE) zkIhDi^cZ#($%7N8bY8jC3Re51iEZ&`w@C`5ISNjwFKJ*G?k4H@`u#fchX0bVVx)7G z%Ln%Bnabq_Wz-OanTte;I)vRJ(cKwAyly4?L4Ofy)Q4G^BJ=RD^@YjA8=f=M`C+aK zCU&II3cR=RcwKW@rT2iW|FQ9#+>DxWRppb3WAt(e2C)qExa8VFzUbwZEO!||y9>vH*in660|cU)D6VqQ2!@=6Yk 
zt>YYgE~D|LHR2#b>YkU?A@T^X@DC%4c2+sCH2r+Pu{ z>pIcU0hYIa<%Jl-2xC=@#?})L(I6^TR0-i^n>oX7S`ODcO6oc z(}OR6h!v5Uf2}$K_nGgk9sFFDY3kwgjyn`AW5ORtv})Wyv)@0sQ%ba9>LTKh!c4Lh zl7TqXG*y&LiC62AeEs$hXHOzCzYhXLrL<2L8iFlS8($0!<@TL+zy0)C=9i~Kuqt}l zqyL#A&y+=?xC5&?6#pD$3K|m^7>#0;oqxIBRX1pCLePtivcgKt$smz2Pl)k=>uWID z(2mfe`n!(cP#$#kLt8)Ktb`>%JcxDK!2q!=7+K-`TZc&&^;nK-UCHrBknI zON=`QemK*khX^&e4V;twGQK%~jDX>1 zz+P$=rwDhBreY)gM_|V7LmGWpQZp#FWnah%-464w%qI*^ob0&^W=bWO40mMfZDEJo z+4fKGk<_%OY-w8DZY0yi9k1&=cf@c9&Z5180kvD*R&MTc z@ZO{(7*z?_)yE>l7NLC=GHm2}A&&xxZSrdH`1kCLQE&g^+0@y%RLfmMtf;ZdQI9^L zmoF$(VSR*ytSRdtI7)71v681Lnuai*+BK-S-kqm=-7@&1Gw`l; zY@Z+92xO4Jiy^LGUc2X}o;*LwWT;0I$(S6@Ifmwbf z#<4L}{+f_PWJ_)}1Z|4t%ZZ2HHq2JSy`AN~cCKXk%F)C}OkvYaC+TI- z(NxS_NDN+m;ht!lG#x*SkWpWLMV|kx+zNSsbE^c+V55dpJ0{K>0`fr3d zFVc&nsiw#Ap_DQANBs&X%Q!4T?s}xKHTRJzSD+J$5_V5;;Z-T;B~2AHdR|-d<8*GW zmZ0mL=W5x>IYpH7DdKqI&^P7bbBn6{CRBC?l(Zlh5oD(!VDKxv%U$!mg98<6PhPV3 zKQjU6~4 z3n#bV*&iSwPFm)G+w<}cu9e>w)xa+&hoM)=n&~_nW_U7nE)cn@FB3Fr#$CdoUHDMh znYSQF2Nc857#oaTSUj&3#i+j(u4ZmyeR#_1!^g;#QlFxw6CQHU9=#W;Z*~@$t(ToN zaNLq5Yx6oXka*}2@)~V|3C&#~X;;881o2*C(NYnhA6El@L zRZ4H-(=;6|iZdfOZBH2U!L853{RiYrp{-t-M?2=A+p>Dg1#31&6~i>7g{WXDgL*?t zooCeqen+3gVJ7}~%h#!J%e}Kqhh`uB?wFpI+Zqe_dqI*G^(bIbi?wLohD-gr6!vvC zDueY71zgP|$^Oa2%D(KfTU?cLwYXENMJetbY?(hPh6GE#k6Czt*G-c@K7Jj{%UU*8 z%ea2$OwboGPHT5OO*(;=VZ*;smzY#yxJe@p zlRI;hSfdeWG(a^m_9{Q5$#UuCBvk6}3?;-Hq_>nZ3AG~=J_zBFqbla*KMAw+P3AW7 zS`p)uW};U%f?m3u4-3ZV-L#gyt!itU+kZ0Sfij!he zR>7IND;KC4Dh(YL3l9^}9J_XbNjR8VI3@UDLdcCwB0-i=o2ZqgZM&fC!ng zdAXy~99~2jGq+ZDkjHLF=QJ772ZN=Zf%qqSeL#Ik7zfvApdh9>^>^5X3OqSyE;O!izW{)dIJE3Hc^&o2Z zt!{N;m?TAl5iItF>iSrJIx--xG3kOJxrLLNZ3-1Hiaz_MnZ2L}7t_|XAzdrm^11f- z^l91if@GXZ3xiQ2k&be#wkQHJ#g}!tCV{%?Ra3^bA|Y*(>*e4^i3_6+{*R8Y2ejN7 zu^At2?P{6pSs&JwgLcn$cCTyHeBJms*D02P+$YQ*O+%iE_qTp_Cjit1u=^LMFl=Dp z1fv?%>{y`mHe2A-ZWJ}@yJc2lX@!y!yZcWG^U0} zHc9mkbfkN=Mh7!YQ~u<8qK;NYe#0Fk{fx+f4Tg1Z6^GQdSij;Yr0JC`xno$;%gH;F zwNDr)qS(v;wwdl}>h43Eqq=WQM@Wl?p#2h`RTyq!tzDI97Ig+I$`erWz?q-gPn~x; 
z&<%8Fp3U7v=`WY3*@6u_43jy&xQlHkw&#D8#sAdz-Jt96^7NS+@p4DEVk|L9Dzuk1(4Lo1YVI~JQs6UsmQIhA_!fI(({wz1 zk`w+~U^i2k$9l#mE4$d_kuJS@7+-cVV&~eboL!);cTB5j>8YMu4r>|B_uOJ}Gq(Y( zm+M})w1OQb6E_9sgj27B7*G5_5jt%|=N=!X;!yW)M}7f&k_PN_u4=U9=Wv+(GiHq- zi?rxSKd{lWD44te|N5V||Lq){ic%`3eH08T8*3(1|^GgD^6`y8=iicnkj;Mjb| z380!@-_0UK)~q#ATI0?C ziSt$|sF9I*PE_+{NB}=Vq|cb2OrUg#L2TimaS^SW4pJE@?#cILCC= z+34apU!>77ym-BJd_6tB`xwC{8V^xwxUWKfj^_6*ahh_+*xrV@7FJd>av#l&Pb*Rw zwtMg2SL*KS3Ko0>tVU)KLJPi#A*=xz>QtX;P#vj2SaxeOtFo|4P=bE)7ve1X#o3Vw znU*)Rd=K>@V2!_EGgOvhJn5s*TmpTcX#m1~5Z|UKKrj3{j~$-eWD^_s+S^$- zWGOKCkzZAR>KnRF%HP3LYk+B)(hr5MCsysCsW7A(2@u`w}y^{t2xUePIfAoXp)lI~^s+Z^VzAJWhTr(|fOmhdrm%J0#>mk4tO!5df)p8YrcDQ28&#Y_pUqYK3&^K)qG|`h~qm z<=74@-T)^`!=y;73_8;`3{CtiU6u^M%^YjRl&-V!vrJpxpooX)^nwJE{;xYP7p2^e z`zRm_Q7Ud4BR8!w61GD`c1yNo&Hn-gcMK2^@u@95ZY;Z1G^@{1kkj~Ps!(p!Xj+w} z$sKzxtLiuyz+2rGKppAQZdjHYp3#}8x_af)W+m-dc&M$B_z7A~aA65-o)hXS!i^6> zsoj3iMt$EIrcfzjF7dCM!YsJAPIbdz!5)L$+~q}%IkcvO6~{TYNtQniwNQlHKRBi1 z9r^-KLw6m~X=)CXXC*fcoE(G#dZEeAsEv$4iO!#kjRk8T&}&%AB+D-8#9YPZZ`Gms zai?WsP>Yoz?1KY45CH(EJB~HF((@3V=a*mmSxucao5?Fhegs~BINpMIyNc@N7&rw@w-{#y$AgqX&EIHIQyLwQ%0 zr0Z3TRfbvl*D|oTj^yDt|6$^Jw1za;%dQgQXCB&PW=YqkJx%uUJjY{_KNoHd4TIyA z_qP|R3R{uqrwia!y&8^4E+VtFDM=Ytc!OQ7f0V)f8~6I_u(Db`US=kir(_*`pF`F; zLKJ)H)d1wo2*R0kP73}_mV!fGE3FT`uS{BH`2I6CHm|$OekvFD7HZf-OxE`Mq zTO215+|7V4GNQFc-_IP6eTE#IRvhD}7U)_DJVbYQP$_b*B$+3+o3O2Wdh}n$x#z2M zW1;kCE9)ri&dqOtv7?GQnSGur&*ky9EkID;5|m~5JxXeb>3^_WpJF{ZVM|;dY%1DZjL->&1lH7y`#i%cC1eem)fS zqUc!cfmEE-tb#^iA~xpk`o6blGO*gPzJ;yHjddA$oKEkp{<=&!?A0>D*n|l+h4X3T z;DPfAyR<1Tb*PoIn1W-@HePS4VEO=ZXK^gzu;o9` zt7oZHeQno-02>ib(@O+10e?l{$W4)&oWQ^yam7rN?VaJTU>u#%EyR>4-tIAjggC@t zk?H=UqBE2tJmA_FCfml4DXc1a1wB4~2I`V5;5f_dSHCbym>pJqkblEFwot+L3w@VfWw`%mPil z+C@0rXygLx#{i!mw}N}6u2Pa;-ir%eh(YNNc)U|oY@>{ZUMIq=NZW;=BK$aKQ^!L% z<9F$n9jdPTlYe=uRubr;W*<^?i^1JHpz@om3=X^H&`Nu+vqD;y4^1&xzS!Ngd;Yoq z5TPI&e~@GCZ5_G-%V1Z^A-@Mf99wPh@Av@07Y^c>U@;XOw7S2D-MnJX`D0%_zf%N$ zw@Zq4sORwpMkelbFR^LHRu$Kitx@ag=c5lC9)>50dAWKFWbV7wA|V=Hyw{1(?2ytH 
z3yQq>_gZJceNV!IdM|u%Sr4_J)3*;S2Cs@9i-Y3LH^Fj zU_!Uv=#>fElHw2XWGCSRk9e2GYEA7h-0NG)LtvA?jVajo2OX{)C=SYfO1IpOliGmE zm%EOvCvLQZxw6h=M(ul?A?@$booLo&X9)V=;RdC@Ad0p?m+n;+;N%VR{$HUD)8>R7 zsMB7Hj3|LfGesGUApD7OhkZzfs0b|i?&lK&IB)R0+S%)j6yGegX`oo<<0Qt~8t;vh z&^_>fReo1zI29e;t24o#b_Hmx_o9WGj1W#lwFwigKpU~z(G*r)ZrF@Cwj6K{e;ea) z{Kqj4R5eNucd8Ii(Hyl;2dTbE$q_FX?O?(nfH5YPaRlKw0#(2Ct^KGMn+iz8C{a`XU4FSvLT0!;i z>y*m|?(MQ$?S4Zfs@nNI0&u~8m|-7K*(241%0;ECuRJ}WSi}%3KHs<}b@G?J^PVGS ziPW_YhIcQSDIh7+qkJj}@P1>Rt==~*gh#lQ6CsLLfwmp?l4PdXj75{9?_8fv;gl(A z*M(qpxBd@*$?Q0f57qN|MMu=#8$Q(JUW^{yYg!BX`vFTO+$+9BoHO8-hjS^hhNh-& z+-AgwT;Ginw=j{AW&6t0wk)|mMl|LfVXe@$AIsiZ#5d*?d$VuKzQZ(^$U2Cq!_OF} z&hlncj>_kE)$WXI9+oB9vF7_r;j6jVAOZmC$RFxQf6VD|392wHGJ`fEjT~$f-p)T* zaEeDa8HjS1nyK<}U{hU5ysmX(QXP~U)}j76JQ%`Rie?=@Je9Fw-*zAE^&NFCS1u}; zN9A-&=A`b=8zf{YzbPGsYv5f)M`4{T?-+WqQ4L<@98^{n1q+{_dd3yqPCng@r3U_< zG}*%3`lO?-&O~C0KxaX66XXWiQCLd!KdTh!ba#w-XL2s{h1a7pLid-ax#I>XN+(aj z8qP|xE1Ji{<|#Hu;o{lkbviBy*OXpGj`wDv^fEHFnPB0X780HG+uGa<& z%PVuPo6w-B{{y%@3 zSNW%SOPs4{1C(WL`9|sDdRe!JvFbTHxRDEpN*=+vqfq01Dn9$2VsVaW&~C(a@cR2B zZO4Pf0S^tUiW9V=+hWBc4_vJTot=zH+$VO{X?-#69Naq!dhi=WySh}J7$M6K_dw6i z&@9&Hp_!>TKH)#qv@1#%ZSprbknDmVrIxJMBGQt1f%cy30UNiCu&RQUqC}tLo1|Wc z^E00|y2N6=p#IPH8#@sKD(L>ZVIsK3tDe!!Pq>G=XeggG3)io+nK$8}PG3&q)w6K_ z+y=%2 zO)pOYKD_R&7Rn!Ilg;C(~`c zk%cBBJ1ei`)SbviuQjHkj&$?zatSEnk?Q#$I3qTZpA|R|w1Yw}r1K79OP=8D zJ;$p=kx5<=Ki8)IKx=eyW^E=`1)PN{R z3mfZejQL;60w5x6U>o+e09RGuzBRXMldx8F#Wl zvrv>%chZaPq;sk$fQ)tZpPKMCMb9#S*6eEZa2U0=+ftQ`Qo_FhLM-bN(o#|q(=hg=bc{DX)!{zzUnDM_;D>*7mvtrX+7ttPzOJwnX3F|H*|c)(dgPAb?&hJ|Upsr?K{p!?D4rayv<_X5 z9N+ykdv#VB#9+2_f%?c3cXe^vRkf;aw?p3-m{ljf3@i36VGgl8wCCwgr7Ex7M?0`m zE9^vk7&r_0+{l`==*Lv~yh(K<)kom$)TC2kTtUzv@9A3#;D0Y{|SlLkA z(9sgnu@QC2h#+NylF*|qlGNOa2PSJcde~(?H1!%*o$B1n*G%g8gFNKy$p$XvfO^)) z?00#!2!uW7CS!P$%;eND_)>kJQ2(l9EqL_asd?xbthfrB=;T$&g^rz9Q=Lx#eRG*5 zs@{Ka&;c7|eg%AH_rVPzrnoO)pI@c3WB$AhKFl#S7`e{N%FHeGVmBG&+c`Yh++xBK ze>m%qTRm4x*vsbdfGaIrRD8z)76UF1oq&#yet6nc(x}F65b?EUYjapaw(W<6fYZl_ 
zf8N)3cMjKCuG*A3*3{*q4!BpIPWApd;J(Q+-L-h&o$PIqRlCljobrdyjY6a&s`#{J zzGUE4T301kmFs-%UJKEzo;BVc?kCh4ivn9~t0t1ZqH9R-+cSB8M34g*8+aHp8h18- zw)#(`A6&*>lyI-%opa0)q>I1M_`bXjaX@yMM3}2gmNmq0ub#iebOA&0cpUOunuOjf zOMaXU+8AyFdz>inzr2CN5>|KP>D-TxuGAnu5YyX)p>j+GIEpomo3TERsnTI9!HX? zW`tO)->*#EN%}pGWz1q%C3%AB6nVKvV>mZy{~e*nB-yq|++sGBGhW*_hZm;T zL^r8b0v**OoK^o}0M>_IaHWY~utiZ}6|y!DPMz?#SBw_DdY5D$A=&lJs;8ygvr{V* zVC4?UOht0O2&?CoGdkE`S`%A-G%Z1Z|0$z2alRrY)&G3v){?(!bUjz+2zmw{PPjrr<}InwEkw$ zF{k8%$iXjD%}eZZ)2~m*tb2jw8cG}%e`?g%f|>GS^>xOoH9<|)AYmmf*$^lqY%x+4 zJ~+Wc`lBQk~ph;nlgB^l|y00GuGdnW(`{nJ<@IR_!RQbii|e!ps8y zHJGxu5?+X#sHz`lpI6U-iF2XtT-PV7mp(&oqt;y@&wDN@)UpmZHBT+Hygty=yOqRV zjuJ#G*Ad(YwKp1`^$HZ)HB50p7H&<7vlHAes^enZ5cz9UPFhTFcC%(qds%KwI1Cep zbi($nvxS!m=bb}CH>(~dL8>auNd=OQgC4zS6>KC1W^8l$oX9c`J8}DkBYtEJclJw*Uod)b?<*h(Zz3r5=qeuZI34g??tyT zYD9_e#hOV2CI_`|2Mo3Hs+kS1Cl1FvhJ|doa9wPA#aN5Nrhz|sRIyEJuv26-8&B~r_gf>%3BvS2yTUtzDgc$K$#&J0=vn21gXeS>W`^)rq}Qcgxg00!ge z-Um+sDj%`bi&B~U%#b8$jxSFm`{jxh^9K&B*UNBwrk}TZg>EMVan@g_C;Hq{0+)s0DHYG??G-wC*^^7%XtF9R~u95*S#6K zI5tFq)qUgbVwMZ`+`Pq(!9={h%3Jg1MqXYDf<@Qnr82N_!g*!3TLZDSJStX7gc<95 zaI-lfEF21|FLJ$KxkxE!H2ZJ&aR>@|e zwAdU~ublobn^QYXvI;Ud;3NoaYC#Tta(#co*Yc-u*%ixC9-S7xD?dBj=~$TjVTYTR zi{NK6CTc7Knw&!CK0aUiZAz4G&OZEP9jEyUB^z&K^7De8f?+4FSXTS{=DjMaQYowy zg#L>&;pKq9<#{?}7OcK?stejRWgl$&qcy%N@$VIW8T;g@6PxX}T43|)z)K}FADN}k z&yd=5Vz6gH;<>e!fHQS~zQ9_v?GSe*T~o2(E8N%G6z~(?t3Md~aC9Z}axIiCR^!Lb z=4s1~mclXm9!*Ht^a|^8cMSJxA;Qas9$y?8vP#kcMIxhB83{~SGz^9<7!Np<`s1o!8lVt9JnNR!h0Ht~I z9(O<83yJxklgTe6&c4wNh-$9HY7*v|6gLW*5Ks~DBWRHGw$f{)X)M|D^-;8%F!$_N zxXDiB)t$d&w$;Eo+I6wiDsRqqqD5ld(NZF?P<{b*NNgacS`eb^Xq&f7?rcPypi{Y3 zS2s2gxzv}eeq)^%`eC20>wDeufCx8H)x07nm#x&;-Pbp z`9a^q^;%=)1h>=Qntd6)UNdz=JN6Bu1LX785G7%KDi`Z&@g*6pCCUxIkJ1q{u9ti= z*dbpQm4}>*44#j_S}cD(nrNxeW~j+{5GfLRWk|6>s6tXAK50);?rA5`mKUUN%AGh8 zc1yx(ptiljMyPawgwZyLo~|>(E3X7#H@>SG`06h? zm=z?2--|N8C)o|bXa>p-e?`Hqa$>l~;!BxRsJTv(T*&U|eyxy?gt^Y>o3>=OR6m`U z7dm1dR4-qgpLU!H2Od)0hyX#n!SF$B)7J?}su#W??u6;m&;Q`P)mtuIR3*vWsr!P! 
zcca3T*X|`ppTAAR;$v3ZuYTzT?tR+rz_pOIYw`fVrj4@|IyThf_{8|q=2lh4)dTCT z<$AXgd7Ax_K|Lp$QSpV4v31@yVbqWEkAsXx1aBtW=joDxoQi1W56g9nxNYe!lra>$ z2$m%6jyrfC%+7^qUUnhLUSH#hbGw=!lAtYO+~neRkwxDR{M2$>5tX{#58ge=h=B057e&-|K9y&Y%fSQ!sEnF z;&kUhy-+6m>R2I=qmT}Qf@AmSq9Vk&Hj-;H$7>ToAy1}f8vAFC2+ z4bPG^D67mV4iyuMO;!!dJzHmqHx3Ui*uSNQtdZEd;-ZOF)Z7wE)7*m-?K#mljr+%K zn;sHp`94viojVHTQgY5TVMScZfhq%$p01sarPo~x+SFJtvlgqGxNKs*-d1%HvK_O_ z+a`t)=jEXlKKwT8*0L+$b}y}WzcR*1f{qPZPliRPH>b{{m<6@lvQTDaP71%g5~K#{ zrFX7;Q6$4+=nKD>yzYUafs#A5CeqT)lU*RA<2F8G{I+;vf2}&~)eRyk+8MGE6|R~G z`8UJYyu2UWmnvhFC7Enawtt|MIm+truDLtA*L*&&kFUTPz$AKC9wq#XQdI3BCJa>0 zJ-PeqZ{A8^GlTJ@{&cJqaPTyt9pBK_%;GJSdM;G&hYbI!gAXy7yb18S*D~k8HhCSb zm1L3`Z_FE$C0HIG)yLgwu&F8NFIy5m7pR`Yl@nsIvA^wAbbt7laHGyBb&s*M%CWgpB0q|~?K7PzCN#9+yVEmm%siMX-p)JX)sk8Dge{&@9Sk=0c~Wwx#E4|mGr zKM*vesOQ`PVqST4{R-41P)G0WdGdMX{PUcPnBq<(>(BfJ)P7??vti%emBYoqfqQN} z`gto#Xw`KcSL>LaGS0=Dw3J!*qQ7VW{FRqvJ71V9KF*+;V}n=43f|P~*iVXHi$tE! zibuNSBs^R#0kL@ z<&m~@KHqO2rDw1VxaEl5o;UULQlK~9wGvdrkx}^~UcenS$6}}2V^(UWN(%UrN?n~( zSLGl}-5$(Vk9nt)Xk>ArDDVI%cC)&V!b9`p6a zD^~A8qFfR(A~MIxd#VlZG0QR&kOVGh#vC@-sHQ@#Ec!*Bkx3RJw&3c01HB|@|H3* z2)%9R0z>4pjogt^?Nx{*# zlI`#0**|Ip6t|4ZS9{DjLagFU`qGsBlg#23QBjC9kOEc6=H-& z^#^9|4bkQEqQ9OoB)g@FEj@ z?j7od5oE6>Mpu+{fA`PY4(akv+c)cWsIdNo7D39!;CI6aeif2etb`a3dGhf+-Apy0 zU$w(|SAM4d9mj6J6ZjEPnZA-msWG2!^lprYga%N?vMLKDpkQTzU}c(z?Y-8WvgrkG zUyv^oRm&tEY`#6g`VRByr0}P#^q%=oiND^l>N&gw*!F+*;x)t>`fjfDh2-BZb5I^| zsmy4h9r208&gi>Pm=#>~(r#L25PVOV{x+5SJ8Vf=Ip2L-3cvD%a!3NUq>)^x{<{Xb zTuUy;XIAccwu*!E98G9XdacyPkiPr90r=2T@lpe%s3?}+c0ADYAfo6k3AR#qSjeBe zMmVVidBEn7z+oEmQANHPKUa&(TBtsdBV=d1_8E4rnI_eTagQ(UJI#vPc= zZd#PYc9^+a$1;kB%bP9V@>`)=oK5;L<-jOXDh|Qi``L?CB;sTuXyIp`L|zk1)DAq~ zsE@)OZ{;ytSqP?u5I->#iT3d+G0vE-VX0#=c+eQ{Vdmc5r&}MtzGz_4ODTM<+^vx7}QWu-A+!t1R@)R}_tj!dHm0V&VJQ)p{ z_*hCLTVKfs!|qUx63AWBqNg^@1Zc_R*6EWihhT~Gd52ub{aXq5f|=@N*7uY7jad@mF%HGGdC!rpMt5_I4*E9a z2p0!1ji%q@QhQ49^{;0&2pCqBo*oMK`&jDshh})1C4~sxy2v$PYrya>QC12-8cQr 
zSK!)MH%1izc45Bqh$Zc#L1lr*cOy&d2n!NlN?3WTniHx+mC#aP_4Ij(`8${1-H%Y)Y-NCZk4EoBLS>|y2fwZ>Rr>*tt3VC+zpf1MW5`w zRGGmAG!4!v_Gq+A|MY9%eNy&A@jTrORgP_r2mzOsu2e09JKFtxeK(4F*Yr)#1vG34C%5sw4${%-L%~OYtCILsQ%G+%Bd5tmqLo} zyoa?6sz1?PCe_O~!AT<&ey@XeMmEdVp0(YqSXKSiM=lm;O>mP6u)cJb9>dT(fKJsYY;Or| zLe>uTcUOVmLnQOYw3u8$>fL2tJF~_zX=%TGzM-dbNfU&;BW+`?3%jnW3SR#$3RV1} zV<>FIw+pOyNyp7lZJ~uolZJA|>+{r`s?s?pEDJk;DUCH?RImHN*f&You3YE)M$wB) z8p=ujh^NLh=v$72eB&&Gw3^e?VZ5^+#cU0m30$|g%m#76$NF;Fi!$U^jF=}Oh@o4WP0uTfoI=MzwYYA9>k&44*CNaxDAc6zP%u-ZOVP&n1ps8s0eM`o@*_+4Hp7Q5lRxBXFn#ikFjd31->$X{ z7hY4-Vu#42dzax-fYNC-3>>%`v%s+$1`Y)%omSJpf~%Qu!PNlJs|FSYD4y2K#Dwdm zvmTqv#H0YF(`sAjhrux%t8JlEOf&q~YQU*n|IgEAOc17q}azAnm%s@U~;X?h=M;rm>fRSFZ9be11}a*&jcFG?ZI?usd~g+=lmhoeu+|aPW@L z3M!#-HL%gdc|4jpw~dJX1RzMqM-ah71V5kXuidA?vfD;FW(w}_Hs>w6 zJ?4<3{U*d)@CiWIj(_8Li&f(tLq%am_7lKI`o=2_+q9p4o= zfq+!6^b%6m;eE5nz2%2lEryT=Qd!P;14k7GYff8RvAP<;L!9QYq^o~;20V2*6A`*+0D~<;MEJk)ZvQwF z5qwSO5$uLol+?Q#9T;xJ7eMr8%n2RxWLSunO2a|RM|%c5fAo(MAPVS|@bObKL-Ke> z0NMYzh4Renuu;Q4c@c5~wMXsqmr4Lsi}JDL(aBPOEf^-BrsVbyv9M2cN4pc}wiHZ0 z9-Z0bc26HOEMr1nZQ+L#5XkdO<6wM8y$Y`YoymyzyOqPUG0Be**wd=G>%shm>%W?$IwJ{h2mbXd!_-9aSVUt}U3xnW)iN^!J}3 z=JuCLAWMj;0cd|g8_F3%pz>Klh`>$(1BJcE2391x2sFOaRePQqS|BHt4VO<70>D!_ zX|}&k?M&4FA?RLx^{2Y{rQ77?GVGASM$H3W5_iTDYAeiA z9NbXV*whc#dRa;$#DX!%6S%cX&ZTx-40*2OO=e?XNmB5E6Rce7?Pj#-mV(B?b+|uk z-aLUY8@khxHHR#yFo~jdoYlmIsP@mX9)EL2vSe~GpJ3Vy~ ztiaJ!)wV0KtG5%tMC_`HF#*b4JTNW+O!&S+v`MZ;*_d#~*&{guaP8O`1y_3DBe_%a zlBf~BcDVDDjfKW_)p0R{0RhKj9*hXS2;UCpw0}vrnvKN~AWkqa6!;pvsfzMTdjbU6 zDIFvby7MoW8x!#{jZe33lFFBbP&IR z+{M4Z2)c%dkuMA*0RHv?w4p$dOngh(!oYRd?P{LuU&js0<#1rAeZ+Ur6qtI3xbf)N zQNq@a#vI%CKVbxxei#flN8s=s4Wj>?*-p?9NLvGpwqw?&f+WES?ofX!eTqM)-;QYq zs~p(8gi$*VqZWYQ5`&`x#%(IzF9K=A0)T6sR)Ve_PE{C2c7Nu!5W0qd(coWTq#6L$ zH!$@KHke?vA;i6Xu<7g~Yei{B>UV(oP$zRF>H=LGNr8@$3qO_nn+mqfL5F(uoS<4f zIs@iv@7q4{@7!!YUmA}hb@&-EMRv|X*!g7>VLD;gSD4xiCzs%m=CO9>9YenYql^{pp*WKO(0)%Uy)klO~!U$$K@mqVwuOHNW 
z1hNt#kf|5-9BI%g{jR4a00=-x<^bMgmEc%>c=!38$Bzh#4V91$D^}jXV&+Fz`=VW=6yc8sRCdex6{(YSA9_ir_An8PjLOm)ZdR zL%X!pTeV{+KGV3z=hC_@)c zN*U~#W9p%$eAGiQkUyUR8I=EZwqW)!j63)0hjIk95Yl-DoE=q=$djOx#ms`w1bQ27L9cqt!OvL#|A57?isWTVQT=Pl$}c|FJtX11bsH7>v3|8^SA$lb9|&iNWGe!MmlngGj)NJ zL8Mjk3JxTe$`}`SRlynu;;?1Mr!_lkzP+)&X5K^7N|HTbZy_j5h10)46V?mhxPbqa zw`*7xzd7Ai4}QU{Rk>zcM@R8BpnB_*^XTv{`!vv%oJS1F?MWtq@DD*cNLmIaCzmaX zORmMNdJF39Z5ex%_A@8TU(&)eynPYnI| zy-aW>3g`Q~r{O<-3=NGHxYVtBEEHz1yOn4;|NhnZs@h@qx03dOmdpy0ihJb2?);Xn z@}SL9dzDqP$HsUC+i2&n>ZyTwG>$D?Nd4II%J*!$-&x=FT4TCY#69Wa_q=&^hILXZ z7c{K>g9o-YQcbRj)J|Ls=WM5``QxKUFG@)DGJq7ddk!a$IJj%efJ@k|cYML?r(Ko@ zb7y|>ejNLB`l^Xo=gfgXDo4WCRb5^WkDcu)y@K5p2&LCsldb;Go{)jtqcgrd?z0^M z-$oD8ynF9Yza9~HopXtwWBh~Ld{<)UlAZ}}lBdnLsr<=DQzdQFXGnKco%8Jc>2lB>yr3bxD==(K73MO; z&i@fV*|S>3&cZW#CpXApTxzLgf3-XI(*&a)(zuQHR`}fB?;lYIhIe{5yCy45iuZdR zcJ^~y!uQe-|> z5~9wlU9*h&ZWhzx{j%DjTzxJ1JIA}}YF%KjLNK#_*WSs+SK4M&yTfj4BzrS|W5fRd z=$=ImweDD6Y7%vAoE+*S`J756A8WGuGlv+`^)t=+K-ANZecFVE-zI-Mc)rBXrmA`^ zTjgMA%7n(GD{8=g5At);VQ@2hEh_O9%7KWMj*cZZiM?}Gx%VgjA(B1&qJ(y}&x}bp z{1oCH2k|;+6OBJp_vid^wPu31mJLSd>6vs!v=9F9S%16T%>h*I%Z8R5pqzP59@W!C zl=IMs4MM8?a4*3A741zq z$b={-&qq{!KBGKy9tnws6A20X=wk41pL3z^Q5=yJa07CYi#sd0)z_S-;>)Kx{1TP8&pUy~r>SE0&u#5HV aqoyP2;K5);kt0h#jbe#nM2&d{RsJ8raE@63 
diff --git a/spreadsheet/macrofree/sap_checklist.es.xlsx b/spreadsheet/macrofree/sap_checklist.es.xlsx index 0af70462ad70841875a8a85e367df42101209c7d..4069564ad0b9eb98496bc0c0a84ea0c44bfde02a 100644 GIT binary patch delta 33484 zcmY&<18}6<^LA`)Y}*@e%#F3Nv9aysjcwbujg7U*#bU15D*X;kTQNc^*E$T;O{$JRa*xP=*P!kARwPU-i&O& zD>&HNIWm2>bueahv$hI~)06IJMjz~vI`YgY)+q_BMyBNth3xg;(ULfCHoOVhlWMWG z)$Fhl=^f5=Jio}cqcccjM$*l!+o}a8B2cd3Lvum9_{2aq5Wz=%J{vpLyM|lB6yJu$DEgL!R2rGZCl}dNMPw z=F$Mw@2Xb7jA)npmqWS{+vs?5wT5E-Jm1;yNPD^fcv9SY^PiYj+_1#vWkfpouS{W7 zf;vItcWd8S;a!JME?%0c&YqX}I{i&~&YrWmJ9s`}uL#WgQLA}Cs!^x_jDw^I|a}BkshEy zP9e=Pu6$bP%4Fv^D7QkPNFn8=tm0LE%#>5{9CMIe7jk~o39xo*pG^4{5QG2_{s zKVjTtLXkpW;UUKPl5@AN(ol^vF(3(4?2M(!_*Y;|j9JLA@LEc>6Y!dJqyEy0E390CLGnTzrVpx4?KcKngq=;X3CeZLoTYb-nCoN#52jFpTsBmIlFqQ4!WOTl(I}&eVlzf6E1*CL|Ge+ z-WkO4f&FgP`D2bENHxy%+qb7r=WVe9eQXpechCs#3BAlOxP~YSLD%oRwJnuf;(8q~ z(QhRoN_INLvdyLiy{ zbHtNx#C5JmA!v*IEWrgscJtWhZ`jqY=AH@PEgD7KEMRN_7=975kjr_Lw_cQKV>5X} zPPUj&rJwy@KllA`vnicKWM6#17l<5^F)oA(LxRG2=Q3pf>UAj*Rk8vk+-Ieq=A1_P zptw935_YED@3CBaGlhQTh41iYKMQb8K>qI4+hMTMGRyDAw@XDm+nsyAjrWXhypl4< z@7Dj7H}f8`LEf!i?!gG0GycJjLP#8BnWsGuc$L=iZnm&T@=ZX~KDQ|op^wg@!FQU7 zvDmA;&bdM5M`_7Ok8lL|4-aY<^;*~)HZ~e=V@Pc|fVP!OI{!mj6|zp8NQE&^uwE?+ zm$J{b@JBrsP-L+-+~#OsasVMM=`KI$|ABzbIPU=sp;8X zsxC{Os@E0d8~(2$&;d{DS?=Enw5Kb&`HQ4-h{7mVW@4_tiIgwTXLrM0@}y zz!k}4q~8Pv$IRpLkN%EJ!&U@1@?+F2WovCn{};|_Fxm@VBI=TpIv$Cj4) zWJbp1xSHiz7<_-&?8&xdKoenEjGmqQfLz!fq?Hrtn5?eNO{B@15M5>bx{A53M$DSH zY>TDpEZh4{4*sv#?2hpL;Hv=K6)THk&w@>C#(UFtO+b%wLNf$B*l~ZcwUR!)iVNL$ zv%Lti5(O~9NbESPAZPL%Gx^!x?d>^k8;FT#VeH;eJ;plbZQ59VE^eOt?TNd8^T&GLtrpLjCj&~17 zEs{NDfniv>S<1{?O-KENVONBP-SQ+`o^+9$X%^VNQwLYGQh$xT8J<$7>FLD{4ydq_ zwv-K$qH})*Y@YO^?qV15++_&_ktmyOEwN2rz{ed3f?u#nsJtraK}L;0j^GzEUp?LW6d71-XV?4~xbA^NkE;&VL^Cw&mZN7+Ez< z7bESgz9~0oVoZYMvJvDTsse_QRiXjuhf1O|6RJ|)iG+@Lg_Fy@yphSDP4`GpQqm3xGO?%_m8d|9gEtL;IG(0|*%P1WOzQv9V)(zU2B^S-(%jSs7Id$-v+0~2_OSt3UK2eT zi1%q|V--w!Zzq#_LefjxzE6z@dLBDd5n~ 
zuvC_adWDBeG+fo;u)hWMbOV*ML1(xma5-AMGq9a}G8r_?E7_PPBH`z}PjATXeJ@zj zPsLGTDx94lJ~*aR+iI9DfY}noXd}a7NpZN7U8u1`$$zD>gA!B35r(tt;&(DEw>R+9AkD>o^>Am1 z+)=rHN-{WN6{o2+%eEb8MO5SIZbhU53=?a#%}Xp31Cmom^@425DNTTfKXGj?YkH&UQ?iL}R3o+D4ZxbTr=A9EkMCdvterelZz&KO4Vw zvE!9!HW)*S{+=<+a1_a}uFza&#mG!oVHZcU(ch!{M0xlFs`@LiIOp+j(9h7K%=Kgb z7IeESvN zP8e|El(pPT|0T+~2%VkTNRQ~d%86!W22hMxVHk|*%7~(|zqZjZe zXA>RrwZIsh`kux~sCv!YRh+f1qq1L%`2;{sXC4%qtHZDr)B%Ry@p#ST*!}nvb=4B( zCjz$BJC$c3m+qCIHsj!ao!E)DF|Xf*caEiZwj@{P-t>J;CTY(uY&|zVXLXt_0y*KQ zCM<4R1KO(nS?JQ-Ze!=s%)MYW7q_mC!@_bqMvS_g{j zd4jf&p)^K!Nz7`bUZblwudsb>lrO|xPW=>9)rmhIGO`M-H|p#a7Fe`JS;3tG#>-Hp zF5o2`$bzs+AU{9t0cisBCkszn%()jiMBq@(y$V>PZ@qK)bFdDHA7{gfj-B!X|E6A? zl8gE7ouJ#j&>>FOFLl7JJ z5l{~v92d-3*$ePSO8)@eVK$bF)Gfy9t616?g$Z8MA=t`sfqXuMV_ReE2CG|K>;(I4 zTr8EZ<(Inm+l6fcZh*W&)qmZ8*SMJ=@Y5BmsU+{Q7R^yPo9|Jp5)329P$1k`-hbVZh(Q>-dssHtdW@Se}sDPf_TEmNsWwExEr3QQ- z=>EMRY=xZ9mvP>ts~`%7@Z%YeU#1Grk1?ksakU%0czn#-t#n$F@<7M-nAbkMAS5Vm z#KPLbQms?Jz-H7`*dOAa&v1Icz4+C|DxIyz>(#UH%kDGcdyjaV*i#Sv+k46a6JN(c zUpWW!BwvMP+h?Kq{q4O?b;GXR1Yu4Z0l{}!Bn44s0U zl~7b>v)t0#%Vt6mCNk4iaQn^?6S#2H<-r!oRy(g``T61i-&SamAy- zjY?LL6&PL^Zjh_T@#PDxC@^QMdNTRt4_Yq6L46DT0sWB2K&_^U+s>w8UwDj9U6G!}O zZy^qR$og$gNI;{1e#pPlAoZb-MY4=sYYk42J8~i%#$;u9*LnUHR;%k(8xb}jr)}qa z;QT%a3+zfI!sba^n#iobH(=M%{53g6<1S50NMDH0oQ+Y1N~>k906avBdB!LblTTh- zrBxLRnoyN}KrfV?wLAZ~d~he@sj8{8B5G{8J%|Y;2N(cAD3WsQlo;uRWbwbL9yzEnd2xtK1|={ z0oNH!-TC(ldToY~JHr|pt>Yay^j!;o%~5SJhdoE%P<|PgP*=mFb2Px^_sxOZaD~5?DPK)hJzqNRS#@f zY0G&b(y!HZP~K&<09uawP>r%=*Gu|tl>;rQcb9g;o#L9hm>|x$I34iL72P^dI%9p? 
zYP7nI`jmfDxjg*JI=l{)oa(0-D<`;`yR&l#SgJ7RjV*FyD+&6FhB)>@orkdy{;UR5 zP9W#(rzl3Gn;y>OQ35gN8FZ=~`eBr-P^blXb!E`w$yzl$Tzpd)BH!${-|cGN`=8?8 zoQtu%Z zWUF{V$49@ z#dCGWH1RYAyHBm64Hs=%L41%L3y6d%I^Wt;@vYtL{8z9-^VFcFRE$P>esx+MlUj`% znVq0Ol7+SxRD&&Iq_{reHAr#4Kl4!Mtw(E>8npJt%R|=A%JL^w4miuR1+bTD{end@ z26}lmdGm7Tu&|EpSXAc#&MZsr49{2Goy87_Hu#g)7~iSGd1&HoR$cx8DF#Tuw&N+x z9u9hcB*tyKQU5GcCQjTrjhl?-`Zr`Ig$H1hOk;j-KEYDU`aaeB_~p6NY@|=<%X6vG z0XEn3J&ThFPo(5PAH`KFBEp8GRH{6<&2D?b(zL@ZL1ICS)Illm7yN}h(Zx5Pit)W? zKd_+LAQh)c^|r3u^Yo>J?DuT%H3spkC4R02W$F*Gk}ZxWgmbxW4W~U``=b(}v?5|R zfhy)trl1rmEFK70>&llZXa-ot`PfmRm5wKW7V8o9_pE);EE5tQ=R)Pl)o{=2M$kst zp^Acv=u7)o8iArWSzXN@7!x51%)9b$_83crGEWq(Z}<@D1YPaR5(Ff%q#JUtgL-9q z(p^r>;n_HBUYk%vkT>vE@6?%@YJSHo&XXe*Q{L#c$if8<>ah4^JxXm=MMPcv?=3q6YCK=LFbi9qZHI{cJM*=j7D(d=Q)>!7ZSSDPm2Z!ljn%)-S3& zpZcaF%k4riO&eSNi)A8PmH4VNGe7@tf2px_HX!KzfL|1JwwnmC4eWl+5Yw*=M>Zb7 zH$Gdl_Pd%Y#i!qBK6~-MR$&kQOzd<2f_aquF}UX%rO#gbfEFbo=o=R(nEUw1Tt0OA zpx=k-{#tJOyE10Tjcfy#j2d19VX=Xxbe%l))>d4~c)G(}X^VrN)CGp#$V=^hGrqc{ zf28-~E126r_=_tXf|U(dRV$JzkkJ3i$`y}kt$8FDw(f?~&zoM^9bu{5ryNvx*I#g3 zjGB(cV)%R)>*AmZQ$9Xt|0{^im?Hs0_QK%%LAkAmS>17@G@-tVr4(y@$?y*_4^-7W zNv6N<7q9z`Nk+-`D87jAD(p88O&D)Z9G5+n!OmBoSc@_xr1V?=|NO7cLU|_QMm9nB z?2IJ_ZyTf`YR^d0oRa)_S4`8IAMOX`fd*ip=sl@^+G27#24|G9`J4;meXN@O=Ft9OV~$k zHcv&PT$9$app)~ln}WbnW)Y`=&oYA1D?ruGv`ybK1U`WEkp-cD^9tinI;Iseug7g> z`^tWA*|lfsvZJ}TuNK|Kp(1V!|KfR{(+rWp(8#pYi*X09=lB}CO%&OK&$8g@8^1F%Cjw|$ohK&` zzJTO6l8PmT4^{gE&C0i%#xAlULn zk)bu%(CEg^m##9Jiu2*X>)x`%&8_`qMrBbZa262M9=dhM@C^GZ3vBd%saOp}Pw7RZ zbbK0Avf0Jp&0YMlu;D;FnuO;0GFixqP$8d8t}mS|6(!mor_f9{ZnQqjjRu=5-KMs_ zN0SqfsaJY1(s5&)=OSJ7M3Cxi{iz*3;@-u2n?W1ak;AquX06V!+$Tx!Mf&8`PI%#k zg*LM^nkN(OGq`?FGN7X6gp0~=t^>1SLXxzNwZg|!KDK%+0B2@66{?c^PMMjB9rzdH z7pe;i!sfd;Y+(K=R=1h*r1xl_;TZ1khtzl;9i zIhXyPX(>jYifM$3E23WQQWH03SSkwRBx10`@_m8zgwr9=0@O&=^|zqHzFY}pKQ2X@ zgV8*3^2^o;9?g0grrN#}Aq63sUf73<5K*=#(}A0Lk)6>|fl@}L-)RXzwoPL`4&BFw zQdv|}hiAy|B~j&)2ORS$!cc7*J<4(df8O4g70uo_F3Zdp=gkkvgd 
zoG_9yDblDAby;q8@M1d7wrvp(Q~$E6Z7u%rfOA}lMoyGr0R8dL2;X@kd%O6J$u0HD z!}`E3pN#OQqLe4ohI;<4HXpjprz{GDFlGvJ)N{FZUq1XpOsc5yh>hvXt}483)fT`a z1#C=&<2c4kbuGbt>K2}CC z=(|(44D;8dw02XpNaGZD(t54OMqXWpyw+eCJal~eM8p-7KL_lMetDLpL}<$2wl*eo zqRxM177(Wwt?6_s4y5R2*DK!=OSG)7q17>_H&1n91}m(5rcG-?Jw@UZXtrj$g?0S? zm3I@!@+GAi-C=eKAeLn9QsKjQ1reb>!~UxUkRU|m6LdgP9!p^3@`Pgs%TTp!5=A4m zII156v?iAJkJK5cNnf=W4(?LQhcAjxGseE`-Ot6=>kBi`FB;uu|MqVv`Fk!Xn>+|@%i$=W=b$_ zBYjr{i<8!?VFVLGck>bJn(v=$j z@-1R4xW%M)rizS?C`XNU7-!XUoLKQ)YxNc7sQ%FsAbG-P zk8s`m$gobA6dU0e?CR-J=1NS;oyT7t)Lq7UE~>hHB%J{+)q^E=l{x|&&1nxMQsZfz zL`m~+SbAkttTg|aqI2l?Q?h_5->vN(gE&sw2hQQ*q}iiDSxHjjLxiSy;N*pUzd>%l zknePg{~F!AP#wX-@?Z7D7HMeI4&|~WVTS$TK)4805t>c4ePUiHnEW8Z6-bE~^iRNU z51KL9W5}yv2q``#e|OW{OUX#x*+o@P1Gk^Wx>`#_%mt9HRijE@RJ4^P7@obuNrN!tR!GGI%LZB)oTh>k4o#Vp zRw$`%}_-ndwdZa-GS7%5=2R2?tf|Jbxj8ji)%)fN{yncP=ES|*YTVI8fk z>!fItcQn1t?9S4L@?n?YQlXp7q968q;Y}k&{q!Sebl9JGKCgfb{bC%05&a8*FoBcq z97Tk6BES3=k_f|6#zPe_O$-i%w!y6*c(IHj^8bgyB3rnFFiwd0)j-@2b{BL8I~=(; z;KyAJ6k{T&nTHdXU6u@}=tuaI(fCR#uCu4$3qUY`LF4I64^(S*bcUfZV)&yFJ8VHW z&WX|ZGd-~y=PA?nd=$$~uFx|a4@plmgGreA&J?Q%F+V=dGWSEgO)MOpAtTM0gl`R& z6r~z4wl9r8YHVX<1f=jp|E2mM?BN`TxYQP8pcbdpn!YSqo&9*K#L|w7pDcfSP1Lkx z{2?emdttUl~8T>{VsM}gtCMD$Qe;7d@vVO1V=RQL1vY=|h;ugH zfp&}^E%J`xuuVX9AIMW8=8ws&H%JD^-ygj-j%#5P0wD9?v`ZNCq=J#8AW}Sk?@*8@ zP+3C&J~?m*^r33U*8w8b%TQdJ33aYtB17sVzft6066p)FLA{b^O1uyy;yYb%i1Nd& zo}Wo@P*=Z6D1m#O`$mC3?J;tNjZwkTWYn0kvIiL6nYGAfUwJ(J@fQrQ)fF&q+};Sh5c>HKz$j5g&MIOU`o{ zT{CK3uQi3^DN&KH?|K?80A?4TP?2P|OMa?vuyoDdNjp+s%CG0`0lc2~{~1p@4{F6Z zW>%l1#sg52e)9f)bTA>@{aS@)$GP_KILr+z5f1??nLKx&K(86x-F$Uxx7O?Mb=miy zk}u_knj`mt-s;D6fmuq!_TDN!sf&xkffSjiQUl@WlpU--faww(`~x~nV9UM1WQ(OG&HW0~Q$W&`e-#|*%Tu;hNt0{R{_P6rECJ9LM z=K7+DF`DE$=_*Q(T#?a)Voq@A_Jq-dk4w6E8ch&c)O#eS>6DKZqL!%WScl_wtBdXc z7^%Z%L?jalrSfkP$fX3L2|U4;aqQVhHdulPRFJ~DcNKGvN%r8s3{Dj1R zg_Vz@19c?dC*M}FOi;-6*=!0%EI&1r^N?K?BTQ7KqO1GV0q6i3Gb>)L{?tBWy=afB zoDqRAQQf8i$h?*jt+1Q5`Po`mStwm}Xj?Z2TevPG?BXue)DI*6WDUSq)F2@oOYP$w 
zAsFb|;4{2wsMdfqj-9Q3|9t97jg2oCy>Tr_lT*A16*7=Olk?XI2!_9@C9L+88TOUq zIuom`+FkJgZefXm%CVg*Y|Xc|jUXsA#c!r`z2~-uOx8TGDFaa~)Y3a5FXRZJDRpzv z=J9PZL_wF5gN%p%{21>CHjl_qKF|z;=WdduT{c~ zaH){=+iO5a>opSFj#)w|71Mb=P>U(AKuP`A{FKz_LSdBAvcxqBtLnNi9I7&@z=gvu zoh(U}QUnz>8v1{o!%=F=Qq!&LtSGABs|hzl(lj`Dvz|T9#e|}VF{?cDL0RXdyIyP1 z>2v*(XI)!m9A9q~3Ti(sBp2~sAFN`$2?z7_5fGcM^+uP~0vrEEx4;=%S=aESyh}L~ zmHhU*J4$4?On=DPZ2vq|4hYY*1 z?2P(rfaEk=j-G%AB(Y>J{7zx#BV65~c8oI$<%s2z+&!SCNV^*lql|9sShX{hk6*ql)z^h;Vo*fGo9 z^70um!hn7sbQQ)Tf7l(de0O(n>oR_%21~FzIziNL*WG=uY z4|ckv5DOQ3SS@*I>1mXeHmXz|C=Nn{SUd05BMaa#Osp1J*FVv~7}}iP)dwo`{hJ|P z$|OktXF_9^-~63JUBp(`wIH$sMX z**geGKe`fkz58X5zsSz09o;B;l*PBkpD_HkkW%o+(B&m8#5d-Z4Zl(uX@A zejOXc>d1pD=R|jT?R2FKnA-O9ww~V4=Kp5UK)wan^mU@>uA3sUmLo|IRVt8ONyyXE zq-+LQ5IwfoJp51>a)fmHat& zC2unI5gxA%IE`6J2_=9a>^tHx2+mt=C_iiT+N#*8!$JQ&aX`2)f*!4HhF6tREQHnoDs`fk5UcMffwA0;^>PKpT^Ivv!uyI2{{ROeQOljL&Xgt!as0ag2e~`BLvqt- z{&x&666KCDF^;ZlE7UjsSZBnHX?>=u=0VEezqF1P0A7;RnaN@(X9dlg3w&_`OlDKm zB@+7pYGOhi4|1gM8T4ct3Yn{NE2U?4YoN!ujk^Dg50tWoFPz||CYTmPhc#G=67+*u z`>MtZb9@;_Pm?O&sp8?5)v_U~&$}r1STaLYCzV~b$6R7ty;E45Cj=l*L(Y7|5;V&IVGHS|v zG0w!|i2r16YjoK~P83yOhbWyeeZ9V;iZ&!~kfqNe&~({>{_P`AJ&)!mUL2kUQ8P5hP}KtF8-I=s%Qf0E@% zHm#efojWEotuq)H55hQ$dKjd{lrm|&6~2-XQJ@vXr`Zyt@u2hs9aeSSu8L_LDQ zfXo--DZ>OJ#I(ssdc39j;JO2Z+qpmQ=cypa4F5CCo;!|DN9WSo|0Ig|Gf z+Vpy}+yj;=Wg}gkhfn8=yRYh?By8+rH`psJ`siAvi>ogD)L8|wKP-cPOrJnuFLD?q z`$~~#vz5R$X=MRT|FKdb;g~|3&I6rs1 zo2-}idzrdssB%@*^o=&Nm(8K@rVKB^lUJ(+jA=4cO>9}qD*V22%A|>%am0{LG$nu) zs{u5;Wb<(f5aebW?0>{{)nix+w3g&4LMlUORb&h_)Y9KmZOln%7wxRHnlvO=={Knl z2nFg_X$3goJs?CzJBuH{TEgT^ZvIA2!*ZwC!;CgT-u2sQ!GOkJ&m34L&wTVF5GAku zUV3}L9r)ZVK0_~=`BQ#(Zc)|tQgH|P$YuXv$B$ZlbbF4EPHIk|LGkog!&LKBy$lzc z_x6JYiUxj(>?ZAHlqQI`baht+fMhi(G(cD?Xo)Xbx>8*I({EZEJk-p}K>5Dm-oCgP zam83mXEi05SqFU-8qoTK`tE4E z{bu9h*w=s9jIVEUu$lXq0aVwI#SFF8%|>ti?w)ReKQ;OLp2bb~BsZpsBCCuI9$vjk zi=^(+->C)N`$~;4vEBM~O(LWw$sLmu-S}POcYI9-B041-jYyOo7JAiuuLJ*6#k`_+ zV4*3qFK4&LMIiwKSiN9_gFY3>y!U>BL+Ay_+yt0bBq<7YTk3~|;H)MSYsySvzFLw> 
zHP&ap?(RkqoIeu{4fmPI%3#{Rz{;07K>t9?v^X=qX(<=k6?11+LJ!*AZ3VJe%HH^X zk?kG*si~Y|ZpYE!f*nM|6+PbQn=d#@aTt|3H&;Btps4~7h=xbzmu$gG?TP)>7bmn! zxkc=#B~f?k^o7kZ6`SyPeVK6 zhaMH!hQ4=8=X1%1mEsjx2$(4%Qot3&1OE(Oi74ZVp(DwNZkObxhpBR-&Li}9V#OIQ zsJMcr*r=!f84pg9eaEVrUFaJux{EdO=^}b~U#Zo^0 zaS49BY@kG{flW0DhqL{In!J3w?c(9e5^F~LeB{OVZIB_Fe6TW#x-7J5kWjky;Oq{$ z!g6334xRM(k~^L>pTr!Lz2O0d)cj7P|Jt&}1#Y9g4cGCq1yPW*yZwhJyQil^kcE!? z<@uT&T&_bat#<_=Y|GoCD@I4jz*fgwK)->71Plg6tI;G>;dg3jTQzlsknpqtj@agb z*Dk~!Bp5NLnwo*=qouEZJc8iGOeBUlUXSye2CkcE1!%9!m4VaOZ(5O5f^ADfC86oD zR0(w-%2)5xVA3DVRSYK%s|efPP4e$+B;F9Ka`3LE+PW{r^|bBrf}S|GqE|DyY%!QW z6r$Pxo-n!zxyd#6I+}_0!YxgFXT($#eN!=rtq~;Hq4K}b^Nre3hyFEI#}UPW`2(T9 z^oJ^N0xne$?tNrB>&k2OD5}*XG|;+^y5#7ITv_aY%|vMxO1ro8{foePGggOpE2w3K z^&xW$D!(FDtet9=3-)oB?JmEZik3zN?uM%`xhPI7SvV>txS6u1 zjQiiobN0V?T4)K_7Zf`i#X#MN)Bd>HCzQzt7>KUzH}9`&j;%GC3F+29UE>|@w6~e6 z<+mX&h7*Ck$b|->-+p@2IIz4Ta>l!k6NtwsKhgG(-A zzFY+%#xie~?iP!E@I^?*(6x}bYpm}Pi+MGLsWOx6R&#VeAt@Dj8TK*A@NS?Mzy0M+< zW*|@BDvLJ+U(eaO%IkDgW`PF~I&bL1Q#A062kdb|(gre6aCstIKN_euTYn_(#eJ_Q z|FhlC$epYY+wpLI*v44@&Ifms1z(GFv)E}m?Z-%{*e#JXtujt zJa)44!U%Ky9--SXAR+KTCGy*bD1Ybn)@AEdam8!DVp(n55N>`vD}u}*f!KI>^x)__ zQ?EEm&pcHxQrZf7#{pK_vdutdTt?*}NAujOV@`vF!!e2~hFL_SfyiJJflv0v*k4xZ3|rs7 zvl$6|lXJzgVl|H|HwA$o{sda&lu-=dq%BwMRM0LH&;U=J;UL;g%C2cMr2EWE-|q8h zTMd#%!+D6+&EHrIBlSg`qTz?&7i8s4kNQG;K(I6MooFII^s%e^PIF6$=J$WvmfKgw z$pF)$%#5#i@VvnWD_OkL8}02O;;5Y957vaM|k6 zaNr6fl~T*!$X}kbPQRi8--CG4bI|jq%n0A3>vj6gC=*9FH?uR3v$$EYO7>d(tCCs* z%gRK9sXz^0k-7js=_eR?!CC_qn>3nK{lG5DzMHggz#JJ`P7x0L>zu2T^MwG!Kg<51 zS%S)3;fjR(bOmc{D}Y2O3*s#Mno;?uNBt6s(-3>#9q6eVr&J2EG^w+=4i5L0A5_#D zIlz?54>Uf|kl$zGWhA4;zdHBOC|qiMiRR0CYx*y(5YHI?c2N?o!}wtsRV zPjKV&Eyrqhdje7Z-j%Au5)2nx>@eB9Y6OTtxLfm?JyUcW`FYd)42eo;{P2IF@hyrp zCghhC;os0G`$%0(?NVVHHG+m}*xBdl8xj>#i6WI^YIb5r8_B8-9Vvv`PGz;aU4uh8Xgs) zSbl>0K`G1ZrB(J98Sx%Fn4BswUofALuU>34*vnHq@hK15l8Pz15pt$x4!&~QSvyyB zWWumukVTx4`Da9%=}|F(s^o4kH^YJr&+Tc7kps`;i%jKGCb`ruJ|Q1ap6JK)@M8= zM3fcL^z25vIWCVv!L$v^iMqhVOQU?wkA%saak&1ic%Ja)tw+od=(wW4IpF^d7^`|O 
z1p5Ua-v;!aF_>Xeja4IM?M686P<*;cleglO4Nc)f${YVd!XKsHE|Y?`IG^!}x&!xL z+3|z0pB`UoEYBBD%S6oDJ-XeU z`#= z8UMEHMYyoV1`uq-hDGY#*x};4T8!~zCune^-?Rf@%HJ4#Y7HvkWC!e>)3;Ac& zKhY;VLLG1YSV^w+_vSxmzUj`v?-8w4>wirF$X$dBI|>%wf_AnrUm1)`_o%)oDNq%x zcet-PaF+N!hiJ%Mj7fRTpOC#pv#&~zSK<)kE_EiYb;Kb7gI}%B@iAZAoL^T<77ar( zkVh|skrv?hc&Gd`mck1HN-0jLnlW}(qfuC!3$CgY{Tg?%?%M>lq3Ko^NKFc*D(z>b zteLO!9ED)5M5jG$ysYzNgQvt-R0kn*>Wmppno@}2X5~nP&`kskn(|>VL^!39`>5lV zZY{Qmy;$M^><@|-O^%wAb|5-lzmiO2>6*9gibMFVwbP`@&GPYcAj4DEp8r9~hF#j> zUU0N+2zUAV#M0{2_QT&nb5*@WZ`zpW=-AAe1F4z<%nHS4N4n`$PpIdHlVYEbu591u zRf-LV_&D+#D)Q8&1mooTIiXtIB7y(n8K@)_1CS8smi5Y=2PaNBoNh{wh7zCsc0ImxtlE5Zz<_Ak zSoe#}V@+QAcgUN|Yk@@`9D!%0r=&NyR19IN0)N9%w7oue+SFfM`bEiRsxglOB!NQ8 z%09e#XQnz1%_GC(+@=4HO=d~GwU4KNLVJ~o5SGS9P?Te(O$&mOV=c_{Ov8#DF^#4# zKr}yuxSm?|(br@X`ZDn!X^{PDpDqI4b!Wu(Ir7i>ZWZR2pOB4hu)XrlwA00%nnGT! zRgj6>XNx2p5SUA}esi{f@fp5oApJ^_;YbDZ=mJf{m_I>YGiFGq4X~*F!T3L`t=hcPFd{t#xZxwT*HsmC)~lpV5-v#Xn_OdqZ2m#rs--&zu3=g<5cqc{u@6GHIE+ z-_U$4SC*liLON`q@;pj6#tp>g(S8Rr34lT+hS4JDf8~U>wBh?*-(UlE*vi160IL(T zNL{gdo4xJk%~FB);Y!&P$39Yt-QTH4l3u9|@2rF0!G&M=#l`w5OJ<;vE+yz_pAcb6 z^peMBg?Yvx#VLS>sUMJfGhB{Tl2WJSJ5!ULf#l;>lKw`9A$52ZpJ#2+aI9pY-GRB;Jo+ zA9*uO7#`dT?VI^#RI!aIK@-kLI0+m5h*XHI~G6FN7kX z>Ep@y5!u-wk@-^p3>Q7<9FW=WB^oe&cMB5NRUS zhLi%igZDH|hG2!&jx1Ql03(}go;0!)#t*_O%rJ%Q|DKT$%~#~T8WFVP#|iuBPREVd zy@_w*_HV30G2r}Y3RskcxOM{;#vM4#=w67Ct2)Dbg)UDJ>0>64KHVQc6iT zQd>g0L6AloBn9b|5)hD(?(QzhZ$E&(z&Yohdq4j`o@dWmv*x#AX2)zE(U>Z0a(*%z zE~bCBYvl+;E3Rox?tka3Zv8YAh1o!20X|@4kENrlJ%>SU*T=^AGuJZQJn-_af%01k zj(vvuS8XHwj=XQ92%A{xw=rh6fsC(*!@HutP5PbtX91o1K4#?V3{nlh)^y67D2P6K$YoA%?t2hg!Bh{N{QM$Owj%v8TWqGZON^P#cEKM~2gZ!MefZ88ttOkn=^9!z}4 z3Ldv?sa0m+g)m1Wx!~>HG%D|5ek#l*@Fbwis(Xl4`?&A^p=2A?3o`ck3|5x*iEmXk zJ_h}X?}ftUg2eSgT;)0^8N}*;kYz3lkWzbv7#Ql0Y-pPjFqKQnS53OhE&W*>lLsdC zio&;Uw|E=i^?Q4JZUG+5R!B-V`c08H>@Qn z^_u1sYgpzHZbQF5=@m#|59AqBWl^qVReNJjj2{bH5-KZs4kB3a>?CD7_k4DHy55ov zIG=~3(b+pcvYtkcyZckma~Ou)5(gA+d5T!+Qo~vWx^Z=4Esd_hxx@u|BR|`jPxtkk){q0M~N@%0{#0C$uOO&yVCNoV0#q 
zuis(vbkD(v`L5vips`ZbV;$QB!JulKGDSrhFsD&_QCwADWbWd5AHf{0-?Iwm?FmjV zLNxEK?_D$KkR1UBlz>^ZbP~%w|0do|m`=)qIK9_mR7~4XBlUcW$vVJ0j={+-r00(v zxjHFqiN1a&!GZrBb($VYU~_;q8FvONqq#G(5@!$Ot2L5;)0dUK zg#DWy)~|xZ7{%&2eLYqq0`kmlq7$@WAscXuzCy<4%yAH6`x!q);rHOPPri{NaK4rp z=&hE*&m)izaRi42Gg?xGF<8!EFPF1aTp78w_va%&h`D4mFf> zzCKn^lAsOz$#P5Ku^);dQkI9NWMbpP&2Ilt>K!V$@_m8rYTCVB&)d;ye}hg}AzE-p z&=4ujA_47TTBVnly6FRB-EUF%CV8KW0o5k1LLRB6INgpaPx~{oG;OKIXSOz;Qbym_ z-RVP$_SPyV#8Qy%czVH$tTO-WR%{efr$J64Co*{1J<1ZNQeo$a{O3lPeHi0|g5?9a z!=6abmX^j!Jlq3+K_T4}c@f^QnS0OQsSr z!Xf&BmxM_$lp+k@Ey?VNW~wQUV1!hn+#YtWb^MAQq6t7dIm+!fT5eW1t{5w}|4?$2 zosX^BuZWt4K2kA296V%+v4Uk)l;OLIv_(0yhLG=2)BVz-+uv~aTlmi;Qt@SWDGrix z&Zs`{q4|IghQ2X5(M7;PDxxgomcs^Sh}HK1YTk79MB#F?lva{uHvM*ab99Ow@bvKY zy&Z%fdpvV;Fp|tuoFTB2jv}#QS|w5zMWtSM4=)QH^jc#w;>jj5#-Y^o*t^DLpl~d@ zWArQMsqE~c&8F7CZph}efOo~G$LLx8GT+{?mKv16ay9_B!;q6kzKlxcK?VOH{2*X^ zsv*ey_QS1TH62HK^|^CyN?X3KJ`^uoK&yQ|8<`vVLANv_r9P>wV|H8^Ps6?o);@Fwe>XoWU~A<|-0z7u%4eUCI^t+I@gp%_fbpoXEou&eSTKln&2*T z-l>X8mCw@cLHQ5+mAs`sl(gzI=(2*VLk?Hi748phqzOM}!OJ*J`c}Waiq!XXU$RPK zO$7%85Xf1mV+9G$HPLv+;ADzCvg-7;X&!9PDk>{Ku_^cn9L@q`9ek%-r_&6|QZBRQ zu9(140pD%3xm!#@kWVQ>`miNt;96(_)0zyuS9QqK@IzPj_t#4Zk877Q(a`}2k!89 zj#!zvxJ>f`hsbD3rYrVP7<6B)t}r|r;Q|JFNKF@)3t)A3VoXVz1H&GkfJ?dqV{ty! 
zY&T1*Mf<}}PTYPqR%hW-&RD;96*z1^$)O;n(*RC<)d$1d5|d#%4b{f|9l4=M+|LC5 zU^QeygS$|dSDQToWEJP9aa*Ao101o~Q06s0kFiK9BOovvmAAg(F_+bA2a3C3f;xr_ zT@C8jKEAeovvjPkYKC-gf7$57o2<0;ZD_ya>3z6rmU|fpB;ihG(Y!?V(v;)Lt&-D) zDr+1Yv}G8uXLdwR8Xr%Bvi3dfW&O9d!0QQY8(YIBY%tJPQ>n6&;4L3-p4-ghHcsA= zMzTn=vwzOL!U-DNfFMopNHcnaN+K$g%!sbBbbiC|Uv_W>n+a;U(lF2|<)0@E#4Lu>B!uGGvMZC- zXH6c`($#SWQ!3cu-eIWuOy-iO&O!V`F^g5(=pFHX?Q^aQ!wA5Fkvpm*5G)7@t{pDr z*t@X`yOA)D!*jrEV+F1`YumV}(G{2rYtoh9i^Wz-*?f$}hn*zpfC_abdu)m{>Hq8fs^zQ zyXtBa5D%(KkHbNh{l0$NGREhVJgwoEzqnW&_TW6+4@QWNK}U}QcIRlf9Du2HvD2DX*hv4@zJN_X6^-K zmSiA5_oP-P+Zw)`)UZ`J2p4BKC9>~GP@yRoZTVrVr3MeK4eYJEvsmHoL(@u~Vq@bu zz4|OXdsDkr!^0JY>?|j*D#jjW;g{mc3EJ9lC1$HC<0xyFPKuCP9&$gy55z#P2li;p zZ|{mt@ma5yS5OucO;{b=F{Z=N?L4yK{Iv+X#y107)K`gfBr8|57|>X7_F9P#tavWP zrf4tA$TBvQiO>uqiiKFZO-J6;ATkJyoAC|3rc-8h{W`+(T7K1Vhdc~l7gEBFwRS2p z*Wr708>HX4v?T>MxQP3#7Se74iSHb;ba$GmlSwb9Y!^xqro(Amot>DbDqXw!Zh@io z_ddS^dv{EwM5DjB-BvEw=QnDzFJWWuTfu2EvD*3d>EX*B0mmQO(8+dYydz6>@DzuH zX1J3xO;ngC;IoOF_$hCB`f4pb(+jj!64<*`4*wuRqDrIL1S(yko8YKda)*4!(3s7Av%|On z*85p*+ zjWgf6Z$lyZ1yI*i!Q-Qg!lql=d&oQUXBHZX)oX%W~F9Y%E%deA(|&(yPf-%woP zK;yTH>{X#?l~26Abhww^f2_efcABze?MHz3b!Bka77wa8j{`gVtR6!&Ja7bGAI3}w zV1RWo^m7Z`DUG9YN6d+=`b>1cIFL(t2hUTF@FOKwbADJMD!9Vk9KO2}h8)k=}z)QY&2^E~2LMZAi%R&R-lMJZPp?sU_IAI(p59+qiSMI?D)}R5*d+=-S z@buBsN$-`4yat=J zN_&i|#jrJKQ*HU^i%Q%Tm3}6KPne;DDOEI5T;=MO?=H7*(IrST|%2Yz@-# z;$PlE_{$C-cBUqL64T6$-HRo#8|v5;EO=V$1+u1%{i`10C;jqiJO*LAVYi-`33nRr z#Ky^Pp!$=9p9J~o#UWNObBiaF=gZ&y&C4NoTj z;6=$ek;F-_Y9Q=L&HcznfN1YAwGo~@c`Jd)@0!rId^_c*P)wtYNcX7baVC}|)w*iX zKTXmGRP!W%icup5?tEHAh+8NVLv@5jcSUUHuN6klF+legp&;|F*MRp%fenJY-$VUY z+281y;+>a9YVO%?svi9P2-UUj_ng^k>qlM6f~7c%N65lcKL}Hh`Uumc{UG|)E)=T; zO~5&|sLUOGt6sFG4g*_SgjyqW)lrGQPr_tup_a z2(*8-cHAh6lVLAe&l{_$s`_bfT~&=eG8tlhTKqX@!&!Ak%ZtuLja0TV)m8~RTv*{l zW2xtt)`8SrWIEjjlTN-c)GB4gPNn6F$WcURBdP9v;b8E-xYzN1DOw&_{&vbAR9pQV zHBreeo~>1S^`(NrPH9={m*0l&(JJ%)Lty{G@oS#3q@uUeJ$zr1%^zEk^y?4##-o}q zS86*?Rg%0$z+GM3wo1=Jn|-e1KqVNE`7`L45$*QAy~&hrwL~cS%&FlD)7+rTg2T|a 
zpP&Xjhu8jBunKxxeaL$VK>p|jZpS;r@Jd-bB9zI*1TSi~A& z7I5g}4R~02_VCrc(W`K3i#`h6$ZeHe`6AcQ;rbF*ujM#m*eVE6c)|Kb{-fkCHF;Tb zGy9G=ZDvIg5i683WVef!CcnSOOQoxQgsj{{VsW2AnF#qFuGI^zj6pOzygP`3Ws6NM zoG=1Zg*_I|VDygPaT9seXWYM>HD*obq@hBdD#wP$%Hu?Dn&~q-ipZ@JWTfo z?;l3RRF0w_KA_~=MV1!rV7M?Ymahd(pun)xRz;!_0lAnX?ewE@INWJow1xIlIZ8Gz z&6^eciFZ;<2}wH%54qhusH{fL({q@Nti+c(Q4Yb!fru!Bbq7(lo0C4;=698pl|Ky%r6vNwjW&-<#|%}uwLGQi5p22D-K#YA+Jf22cz}XD{c)*A8(jPXRb=Y9>yIBBL&3uGRwZaJvmpp$owBs=iqheY= zX`XIr=GdC*x;dsc_@2QUL#WcECOT+Q10%IM#F3;3O;@nd@N`qnhE?YXlACQ7To_VpwS>qaFwJd1ty*`|8k z1TcwqL2y1OvrGEVo(6fp!pT<@i@_GCIaV5-x)>X zkrjIamvzJ2ogBoNC2RZxd_MrMVDz@AD7Ajvfi{X{AGy@0kE~zjIf(4N137|7u<44D zc&v$YGr=}w+qZQy zMJI)Gvm_I}25vvo#iDI1b5$np>mBdG)h=kEBW*eu92M{*f>|oYg0bKc#)tQHSvDk9yNuLL2cn zPmBehFxcGQ)lp*!l^g+ncqR=v6xF{y$}kA@!%^)b848$Q9oBO=@iEXRI=~wOHzt2w zq?@QI6kR5@Rx|E}k9VUse8IZ(m=2#*OSo%n7nwxgFDCq3PGZmCR0da%l68~AnLAG? z!pG9j+|Tw>8Vj6rV+!f*^J{142ttC=7x!z&40ls*1<8Mx?aIakKFy(mudbB3`&g{d z!`^f%>>~x5c4j+|08#+fE|w)>dT{b(`Xjp#y&qv?u98vTXmSmrv!8A`SqT+lX?{*q zskxy515@&(Z&>?lJMVhd=wpe`1XV0;1h1e)c^eE6+_J*$_2ih z>IZ5Dc75E}N?_IXWZ*L~b4<-i#dlrP;#!q8>>=DETQ{H7#aBh1BnDr;@V$7GmuN0| zRnLwi=?B_0k3mj5o2}AEkMl| zOSMV!{ahE@@WkwajP{fIBPu<#>F;v`pCl^pp}b=v0D|uoV=~wZk2>*GPBvI8ur!~q zKgOCcdQ6ysVY2JRKP2L8b>UV4PZQycf?BKy@cH2XUv zLJ+CEKa|mOSM?uDdPEDoc4FWz5O=|y3oF;~EE*rEs3)7iGd)F|h?SNU-GwZ&SYs!k zx&SAK`oM_ddb34MBc4eQ&;W3)PRAKIZRy2xpDm@*K9@Me`w+69eeXg4OG=U{`twE? zR%$e1bek}nfmSksR%-lsV%-&>Z)SqbhOyIRVC!Vw6)cLC;ckxXq4OHX-}`iD{hLE- z@i2c=^>;qav-DpgCijGZoX2X`o&gzIxvdk<4pt|&RIa(dUdAF=beqc+8$L3pTD6vD z%YvL-xUz1L!{JgJ`Mv);@twp;wTkwYR)yN zF0de?QNSl)dSZ?e?g_hE z8uT#|TSsIPP&eN;e)Zj!3!6w0T=$%|vrp!$nSGrW+2EPzEuL{-Pfh?7%_M61LN@xB zjr;gtEw}SjEJ;rkCpcx^K0C8%hxP3N)3?{>gm7!0Cu#hDJJebSD&W zqj1eMN&Tpjwfz(Cm4#>ik1+C#X%NnSq`QxV&qO*=ynrSMp3O_##Ze-F;o#UFPI-dH zk&am-3t7ja)Gqc>(@MDVD%aG*%{eh`-!@+TtZm^wDK^qQMTtRvVktzWpt-wGtB4Lb z@%+j^)Mnk-wrwJPu_}W?Ir+o_5`+efhTzsnYo1UCS^i27E)VH1;gZJ#riL&M&+Fb! 
z{V_Sif7%B$853f%0t!_<+P+po)yT3(h9#G<@_^t6ry-&UGP9!`q}svMsbV(t*K6Y9 za<8h&PY#s2qQ^$n&wz%rc8jHSO*0M67YQy-ZTd5|o0})#iv;0{N~?dlV{}xpjk2^> z70b+PfK%zF>>1CG_@1vudG@~;iY&hlAFlu0lsOrX(DBlM%3QI?Y$lF94e$le#!`Wb zFb=66{{!tGbkX;oaRgg!KrhKwXy;wDm^)t%STy4UqGz@mzNaQ62Z(DQrCq!%>=bap zS4}U#D!d)SXT1}hdszKx$&AaGWHjACaG_$PsAg?rNp^#wi)Ke0%X(CMf&NEINdQso zf=M*;leE>?jvWz5a?ewp?I>}2M3l*XL$YjU>*jC^XU)p1whRoV z02*%Zm-jsXcQk_Rasj;BY69cWh9TeUGXEmJ8<6bF%^-{oLF|J<^|Z$DS#Z0A;*6XG zj@y$j+7C;SeXt)dke@*_ky8ls!=y{a^a>GYywVky!gK9Oi(@wE`I2+D_~=7EysB!q zwYyEvljSJ}bOa7|0!VZMwi2soT&~WHQ%w1zD-D!iFn!VE=1q8rCPobY6hpKoi{!Y- zDUlciUU&r0Fx;##LgUcq_a5&XIZ=mAS~O!3sS>J;rTEh2(4dsin0KG1mM5^>Z&xG_ z*%{`vJFqHilM5Nq%U}GRC`KkYdE_O*B1aLLc&Chrc2pk1@$*dF6U8!FUd*w_{=Vm~U#%PD*ecwX zn*sEfpdB*p{Q6>VjR444hnPGAFBU0T}Sh3JL=Wx?O3eTP>3_6allxT_|lGCVD^9{+T{Zum7nrz z9g0t7>t+UKH1F!Rzt!9GsqZy+qcK^2nM5Vy*0UL1wh*4)Sc;WZU`YUeekk!No@>cP^Uy|lfydw&yf~S)66EsUK1QRUX*#*HAOob_iHT;e3&yU9~ zw7CjpUE7m7NK0pt-s7At9C1iSG-8KWzjR3*DdT*W_}rdSq<0#IOh-&-#0fdNBU+h8Ra*^r5gF(^zYp?#)|{)D3q_j2tF z8*f3YIiLEXIvJr4HfVCCB(2!*IjdKVQNlw$z$4;kZNVJ?{o{kxt?@iLiwm-Xvw>{p3JKA^;Wl_KE)s#gUoJe zomtf{X>}bLZvKYP{yBb27~jpR*x!4{JHcX+BS_ub9dMU-KKBJT{m8(xjO7qxd_bsS zyDar%3N7V*LrhDy(T4t4=+e8w!WSWwuTS)=|Lw!9^##}6fma-A4KK7ib@>XtTP@$| zB9jC(YE?NCcTwyahHJygm<#4CMwmb0jC<~v#cU!>HQ5sAwFG|}SZ~2E&Li^TgfO4W zCF205zpTIlUt(Nrg%G_(V#p zFw#DkG>qC(=l&KoS-@k&-IFZhST4WIG$QNZSjyg(>m3AR9HUu?Z?#P2spXjq=|J6(^v1YwkPsyN8$yt<{9L{&tjtwTNb55-I@!m*SoE_E}_Wr!wvnnfM{dK&ae$d z(p&lGgL*=SB@yrFB~ zb&4y+@k*TY$Uw<(`HNq<`olf>nEHsxkdfnmBMTsA*!7-%N;DD}>A}@@+sB`Oq<+akdX}oV85=uj0-ak>UFA@ymFitRxbLFW~eYI}wLQ@l+{_FJGr7)${A~@H%Ka z6{0uq-6P0`yH)2{k0f=O2J46cJ)hmBl4Vj&bnnh%+djpI#WUOn$NbBD10qGaqIb}# zm|{qfO)cW3bwnViV8A*S{Z3y3PA!5JvnFqA5qdsLUC&tC%hfH_3aVq4pAC!ckb()A z(ZqZT`Q`>6}STL1HMu^l}&L|`~aQ0_;b>lQhinZT5igl@g5w*LP0;I zTa9A8CvGWoS%X}BhJtD?uOtAcL}+t*#3^-@7CSz*!!_Z)lYKauKpASU&qj_%=1#s` zE=X}>rxVVOU%vFn2IleQ$*gOvo*o?teodb9nk3OgjITP|>rF7N*`GcjciQHrFq4_B zIVvcy<=Q)PuY3#KIutXhOBVzlvGIP^+T4);w7It;dicHuel@*Vb?Qvj9b;*XD%h`&Lu}% 
zi*H=EJ7yMtM-Kn)iAgWmedFS?XYF!Y<)Uv{moEGOJMB@XBYcdl>dsV{{$4R3r6QlQ z^VA(u?zU#2p#2kPWC79Q)=CgNU+ZB|i9Xqqj3aN^Z~2mm2MK%Vd=>a+ zoi5}yN}UIJz4g&D>%=}JeGF#R;|p^Y0j4e;o15BIT*Xm6gNuO%I)XJ+d8bfNtZiy%zS(zujMOw6fzV3J6klRZowTko>3P_`=&r)V-;;XHs#il z>3F48>;VyXO5L+|pU%*y5LN8yhWagZ3o9A(l7TJEx6-~Bk&1Qr$jA#4`1i&h2t7!- zRFu@^)^Y#sHAUHI7mC{WFBQ$}(k_f1KokLgHH|}yo@?SUzSOiwvgbB7d)4sR1Lvpb zn#OaN5bUH_{Rsr}t1rbflj}Wil#?jmDr0*~5?+6TQbt*@^Y>evb=4 z&PfG+L=|}hX?cm~$eUvQLGTrG!A}r#!G@5Sis>nGZV27Scy`4P;3xNxXiTsnlKh9> zcEcfFot7g+^5&T+82Q&jLFDrdM~LU>z=rQL#h2z-Oh^l6oZ*1bS6h;<4&Bg_d(l4U5vgC3XELv>@ZW z0%U)_C>m4(iv3lR$(eKB#)p$k7mPgs5_~tB{M&xAL8<@P59piK2TK1HJk1sGm)wCH z;IaQJc;EjDzVW|;2LWDk2mTZItITc!S?e_90o^zESIerXoR#V}uTDy%7vz7Khs=ND zB>I0g7XSmL{lD6KwWog{Ct#<4U3}Br^Ek==_i+MT$(+9b>OiA^b>I#EvHn;8{R1T2 zzn2lPU(BCNg_Y9-Q?L6(+c=Gmn61+KPXfOt_XNY)NBbTmR4HugKNhPDZ0JE>jx;oc z06q_0M6P~f7y3LOv?bL@jqRP^UB+q4GgNmwIKr$QD#?oq!kD&-$X5B_ul5wrI>7H8 zDg#XLV|hqEf%0(1_83>?hfh6+dC#qrWA`^S0qRXiuk@~b7}CpF+I>FL5H=Nw*G!5B zUFqEM$kUPguW*%feHHN);mB>&NGl-a$9Y}C>uLS%*~WPpl@t$HQA{TYO(!l(A7dKp z1}eMxWjPTSd4o4n%RW*Ya&Gn-`YY}nSF(oF~(D!$4QT^M(?@vzwn+xcZNM!2eOYdKNw~JPJ}{QD3Q^_jFn7UqeRZ)P_oQ zk$a#w;2~|Vc!TgDf{^1+psj#|CI$x$TvTXr5gk0RfaAgc^%kmAGb+&)Z?SJcTv5&+kAa8UpF64LmZFD)*8SCTnZK>Yq<)kf9k*fYCZod+9Pc*qSOlR9HfeFvwB>3>N@w%q~}7 z3*T`ux-f!+)kXt|!1-zkOkr5UQZUci%r7fIZ><@F2&Db_%nC_`f!csx#(dZFl1tc> z0`KC;1ZjUh!OK5}=r&F9bVZFlUm-A3vTh9fbwS#n&#C~Vh_IQT8+sA41%`KlyeX1|t4)YM9burTg#r6{ZGK10X-nheuIubhr82k1L|@2SL&I=f!6qGl9oB z;lN*w>2HpQaCB<{1Z{Xa=8=VP@?EJo4s3-_YuZAy!^lE1D~m>MzD zR}lS^qz$-IQ|dbZc&?$Wp`*0n{)JzC7-AaAGOsF@kF$^$K2K3#>8>WLj}@`--!!^A z&&3rg9=l9^UQ!$SrKUzWuPV0cD7E^dm_5#_DGu{*mWao4&--&zUF1-teGjMpe-#BT z7B`_GS7p0T8s??uW3A?e{#XT4BJdZQx+sS)r>-ANxjWy%37QP{3@KO*F&&)q9X|iK zp(D;p8hg{@qA*BQE`oo1H1-cjz#k;ZIS<--QSJVna7P^Gzm+`~6$Sk?F9b<@$bcb= z{-#eunN>&GRaT&)Ypg(vfq!8ApJgv=8R+|Yb@Ts$)zyPHSphK}WfM1G30#AP{12@2 z0png}^)Iq@S6ST@z0L}vhzR&o2tZi$*8&UFbPbl<)xbKJ{XdI>aTN)&vb@3yxEWYi zkKTj@vYNTUO6(ddi5sjUud%u*+XAuz&dU}gC~wMMhXv7eHL&Qf1s1638mrK&to}z) 
z!0JEAg0Pf9SQb}c{R^ur2mcMLsT-_>ud$*zXLWx58GasE%GY4s6mGm4SQoO8Q`Za8 z>#QJ(uCmI#7FVF6E35$SdEcwB{x7osh=Q#8L011$!Mb|z3M=5UVwKI^fF*SemeGyC z>c7V7rfmCFRyRejvjQNRuEDw%SfHjWu(;==ud@3869rkZOU;j57Aycf*MI#l)&0*= z$iXYH{;-<7!RqNXR)jZLv0r0#Ll&^AzY6Q7>~&ZWO;=f&UJEQx(KS|{S6TfhQSkiR z2b@L!lPn0U1cY_9V%6z0Z|uIf5cT-|4Z2$q97|fkkyr%^sjMs<=_P?;OerWZ2AT)(QB}{Zw%P(8mpVK z%~x676#dHzIA1nEG+l+Yb}g_#P1gb|@G2|2^}|ra4bjSR#9Z*g;Lsw>?r$^WC56bQA z2tpWna%5|3MY7gzk*iTv$)T=Z#Z~2GVRO>6IBCAQS9;7T4=uivSS{2>-ctW zVI!|!Uz3mbXnuLQklifsY;H5TzaLk*AJ+?TJ~`l6i9CC9wl~`!WTx|kk7Rjuc9H$; zq%onSrsm1`-K049qZc?b85aL&Kg@nLbU~V<#xsXv?ibP zf^z~-<5Bey?Y?uxTbyxcfrFi#ir>2THwMNlYxaj%p91SAQztVe*2kLLV@K#DTjL2Y zHC&G7#*#M=vR!r$R}Oc~ZJh3N9UTq#wCz8LW-r;YcvBY2@tDLN1$)W8pnzyyIhbXV>4Wo9}hG zs%wdq*f}Mg?_}$tyFha+ZpZ*F?kfVED?to})h~f3qrBqHe7!AsB}yZ#E+6{UXmSY? zW_SC}q@59I`Q~A@He-T-7kr;dowjP8DD};!_wSnywnxU>kpeq&&7Tv_)_1m62S-)ovqqxiO)kb1>Q_b6^>%||}&Q+*TI=&A~@ zb+Zu!Qv2<8<-DMNTT6$N`o>L-m+^6=>%Bd|8K;ZqOU>hr>4W+DU(3UM#5D&lb~YU9 zCoHF{&4oRY`u*$xH?LDiUM|{RB$XY)>GI&@>au9FKztR~h{j}pkf!EK(p(t^v}TM1 z5>4ad-KlZ?l3QEN)2XM2XS7u&K|o!LCMR&Lg9hE{`vRLH7m@|hw2`r z4L)-itUW9gR1y-@jW#1*VckBI7kZC<2vmLjprGuH8LX_|8tYoo+nX3amw<-Bg8gSW zC8Eo|wO}7OFi=p)fBFLde+L~G3;p`f(jprA0XDSjFrhT%s6ANB$A?f(No-@CH_ delta 30129 zcmY&eWl&sA(~XlrfZ)M{I|O$~aCci+Ah^5hO>hap-QC?~A;Dph;10pvSzuY@BTwEx zU)5IKs-3C2bGuKUKHbyhRnOWIo}nqpK7WDz}L-{YxK zT%pA<|GJ)m1x*KH8tOn2PIkm$2veX*Cy%>JuU{9gx3g0ErQEE1n`GVhcPy7#O^Tu- zNKRI1Ywt5`B>_e}eQzYn(Hb1(uVBZGjTdqUV&5h6u(8H{TWz06ea?FRl0YzTQupr3|2JVR>}kg<%)dtLU-z(o`D4D;d=SH*6)S;4$8##fp9IL?%h`rS@DjCfkB(WMCjtmf zSff3+R88E97W##>2i;RocI!?cbf+`Q9~-&du<$WF~qY7F9|EH7*tRZYTBEO=LouL}xyiU_F*h*uD62 z;q}b9rRptkAqo3UIFqtfzsno6p7Nssqt?3nfNO1GX2jeapJx6el&h=;wR9oKM4#~T zM2)+I`k>}b>q3CLh+wMyAa$Ciy!#A=(T)y<525W`(1MN8hGivj{LGJ#<3@S24VVWI zr#BaJRT6#QwVG&iT^Xe2Rm@uEtJ-zc<9ht<;~wc&seS=#+a*z-D}=AECP4$ z%5Ef>VAAL6c0wOMHYhz{TsK==UYDe9;xO+O=zfo9wfwGrs-e>1cl2kVH|=HwI1mzT z3gOzdJm8%g=_73*PujAn$E5n~9>2bMq+jhwb?}F&o=fE$+zhm?hzthQ;_^I2(p`YUG 
zMT&PH-eG3JoF($l9V-y?{`Q5y)N|ru;ijJ?LZP8&e>8?Ni&q|YWl7OkTO7S_2Iu|J zG`#NRz{0#fcLCc2w)N_&OK!~9M*?2B ztIuFtNmjjdShiO6Ak*%AQbqk6sKWQ^6W8u|x1RVQROa-!hLI%{tLmU{ySMaHZ{0DPC>$(UhPZ7pzVoci#!+OIVJp&m&yQ-x&^RsWsGiu8T78+ z{U>*H8f+08^faNOyYfrsp`NX)ck1CKuh$3{!zt1#g)Q3{FE6nnRqmpEDMbXya=b3U zIR;06flKx23Y#ghVxN$;)(2|f8YeNtEguUKSk1s7EHH78%Qfd*@aF#Kev?XHQZE>g z2eE8F$O9mj6_8=LkwMy8YrOLP`p^7opSMU*mj=!Bb-12)Z;da3fcU8;WIo&=mW$5z zI|@IzaxMLOmtjI7XNiInNV@JP;v^2(+R3!~QAFePVCWS0pfk5T%;z;U_3&|Zo4ofS zYU}D4K|At5{~+#J9w}5KMhYT-hVoEHMG$R72v971`C$ec((C04Z;JoOuKU9pYM zP*A~jrEbHPhlTf9Ani(H>Izz_kB0Zhm9WfA4i$&i8GpsIAg;*hs+~62)=;UY+3Cx@ zeV|)(04el3CH?k1{wU>A=T`jc)Vvj!ny%eQ^+H&9!~c+Zp@fCWjtuZYk7KbA?k!*+ z6a2Cx|9!Rj=!L7PUJMG63^UCLd76Qv+VxS;+51B~idul4_mFWDn`~Mqr8H zw=Jr9V+bR?-_1eZ7MtT@0Ix0O;dE{CHWM#lG6ht@dNhI}wod2yJQMj-N;2_zSF6h! zo%7)N@~s7hh4QU6axW$uMjySEX_BtrnXG6EJc4mGaEH;@KM>#T~I# zl+%#=_W{bCnYkq)ff0PgUVOM3m8@3~~NfM4~)eqcKN~@S{ zq*f5d>h%Wby^4Mk6Gd*rVgx&5n?{GRrP%QwnsDGfq?Ag3ldBcH?W^2lVj)Lx%;&Gk zv$Q;rX-lSxH3z!PsdswI_E8AR>9xKe=U_5VN%>(oAqE9JC&bc|6E_$q%9c;KSyw0( zAN9kPW~J}x`MX~PSnc-l$iTkw8XdBJx+;5aTqK^m+Ej&<65~VeUP5! 
zvGmOni*MNTdOtG#S7Qo8&%+WK6yAYR*>D!90*H-hP>&e_S6d%QoiK15ROZz{Vl+J!1$XlVi}Y*G9;Vhf~()*d)O2< zrHA|iYn9V(ZwzEZ0_wisX#IZZwiY~W*?5{3>R>vSF%=PY-x>7x_bggm{5PaW!&0jN zi`6!Xt9HHL(6}mM z^Ct?W@xxn((O7wE>OeM-@C{weW#hWZe7QmFA>Q>DtV2!x065ADCaU9U%lsSk6SFb$ zY8AImq_J~nr1{3J%POB-(vszNWwR|RI4LW>eU=0N?Z7y~gKJWkQS6)m zYtm?Q5~0=)JI{hqc?Bv1;ray|eC~hH?>)R^v%Lx?XnZ^tVdK`?r~qbyj@*3ch_tNt z$VRJJ+e}ZTZqH0`o7JLt3X33z=3xJ=d2lm#q;h>lQO?WSHTc_LtM6PejYDPx?}pp^lmD z%5}DoW5bc;eSPu4l)m%VVGc`=jImw;eWltS8%EV$&2q@klMZiQ0pZpwh6-^K4HhXXc%M8;@jOZYAqz5Elz4@I zr*xbPZm}ZkJ|6L>vo2kefeOmcJc3VhyMo~$=xl=a6S|ilBJ5s7p#O`|_5J)TcHg1^ zg)5uF2t}uA@Q_zj>C;RP@=YCeIQ^G2HN6$CUR(pc24CiK(Oy z7=zmCBmLbR2|59+*nAgPDk0_vjQG!!D?&krmuDvij#R?YM3>Qv9kk1TSW-8%U1e{5 zGQk~%T{J~TlXqcNviv#&uld=zqXJGSDBWJE;fd6IHD8tA5Ht7|z zCo{Gg<>mhA$*EGXONA2MMBGrOjyHH1?Dx@V$J(<+eTQGlk;TT0exGC);S48;cb&WwW{Wv zL8ATT?X@?UD;L|u#_(}S%e#dF2pL!zn2?02bu>_=Uq zxj6qz^9x=q#OcKtGO)U<_VOs;vSOkS(%^Qg7u#~WQw`g8iI2u)|HY=gmC8~|{!C|z zTLnz&qRr$uoGLm5t*Z&a+kB`HA8ICPV_=)H;JAJ-j()7anLXo3Qo{9xlYo5bRb1IF z$#dVv3?|TDqbJHvw;;w7g5?S5K%LsxZ|Ppoma}QlE+mwugP%k;lmYJx?of0>L5Owc zn1!#>eU6`ztoq28@q;->?XF45jq#R>I@+W_uMKO$aEO_(h!1!%(Hto5J!gekP4GP8 z4QZC%Vb6cADSG|ZiFoDXL3CHsrW3}Nw&+}RK>mGyBbZx3MSEnywsA8k>o?lp)XF_6 zYi?#KW+1qvw4x!!4dk^pc|N>8K6xj_Zb!A0SLyz){WG!wJ50YZ)%>nTp9=n^Z3JyM z{wDWk`vX|g3v{q&d9oS>jZubw@Wscrn_6>vpz}3Bq_Iwm#O)ZQ%*g2>DtlCM znjQylNYbUuu#-_oqYY%(=+4|WF#VP zr$Axw*Fj$0%IaVq9bTkIB8mnd8l`#z+_^3*=5?~X1bM$iJcud7!?L_CJPu~p`uZd? 
ztUjg^zB!lF=uXfeLJyv1JH=A5TCr_3sZ!EI`pZneE@Nhr35L}a{SOzAEviz&Me9wM zqJC+*GORgTxSDvcRJ8{Ul#H6H^QMS;HCop#*j@incXr!EV+ z)V>j=99}Gm%{>q3{j0*){96=_{~7^aRN zw&(G09I0yt0s{}4w3+S9g9BKpN^1;1=>eJ}J#J?8-5Mo8kFg|RL*<#E((V}kr)8ho z#BLDtSzc*3)Cyiz23F&(wUGe7&wugo zk+#QA0()-g{ak_C{``4RfJ`Q9cO4FrWEk48EVO;n8Tk`-m4A78?wi^bIWiSWQY#d!ISBZVJBrYL)cHF;Qcu0N=$qPu35Skes@oE&AYrb6L zvl<`tj(dY`p?bc6&>2i&EFzfnp{b+Zx1Rd&80jrdL#gl#MFR4PJ7#Sm8 zuoBGWb~^?Q$sUR&Y{&vhcH*+8a18>QG4r_Dym&1ozyCQb{vzgs_KKL_Y%9*V3x|5MHgT!e zj_MS?SBr5hgUzP~OnOzM;UB8Y{Y&(MnFgM~(X3Z2pnxUk=o6j8IX;QUV05Yep*)DY z3D@3dlsQk;WpBr=MTK|9-jq+_;eRh3DEB@ch>YfXYZ4gsSS{L;;rC#;tx?J5=8qmk zTYVIE05@F7k8%qDw0^eZLD^;h%w|J)M8#0o9$HrA#*l|<#hg*%Lm{m;*%R{&KE0tj z3`lGesa9O!VB~YGG3xj1=ZG|Xv>ZVSzO&SgAN;@(>Yw{usn&$GkiNu5hJPC_gjr4{ zZb7`1m(rkLL^HW0+^|v$3wU&KX(9MnS!gdG6K;bTo9p--x%pQrV_Nl^BKbp~wmcDMGuytbn%&Ch(0*$D5 zJ*eSvHNs_~=n7S}<8|y8{CMc9v-Nh<<8QT|>crxa0h8bGfas77gPcygWNdM*Uigvv zzA63qk%3((P)RZDBJb{~sRU3~uo6y4p8fV#Yf~5tX82wJJ9O?>Yh)w(aVjrBXK_4E zNOZ1WsY!IjzpQj;(Jmr$x3?Q`h93A3UClPC^VwEC*NtA*rlN)YD|yaV{#VdND=l3M z!xpW*pGv}WUu8nl>n&Mz5vi8m5nKubSMi5bD&cumGIdz#yf|Z{`36#PXDRnnJYMk{ znz~$nONk|x=lm_TQ{Nx0w!Z+B;xGJa31h*8dl@dMh=$(R;TzE*UMFjC1W?#CB4h# zQOi}8B^W`coq{o@uc$&>D!WZx8z?azDaOZ6n%u;cX84W9dTkc);!%s{M?aCs&CYD9 z7-lr;PPVa6g)i15^UK_2uS#UJ<{7=DeH!pD2d8;TKPk5(e|oTlY@v`64jl*_zb2iu zjm)HgmkuZ@zE)EfVy%tbNVTOJjb#r1GKgn>$(VMLX);%FbC^V;iag_Ay||zNS*z^c z*C?2sC<;*pNZf9fk9gPgjhR2sw-3_)7G&OcIc_T3Awwt|<8SEXN}WIn3UbmcQS95%K zuQN_aWKOo>W2DCSr-n`9qs(q&>$G= z3#d)p`xktxuJ~3|_JOi1Y^|_BCNhjfIAf3RL9{?&3NC3PHGUw4j}g6v5}4eQVR$a6 zlk|q4y^$H$6t{tK5BR~8%VDqj4nGPKVIwgouXI`Uc1Sgoemz5W5Tu( zsj1?~k@rvvlhAgRNhVsEce`|VYZB9&`UF5!R{qs=t6v6j2 zX>XswfbF8oS2F_#Z2Y`?8Gs~ht#qO~+y8cqEV zqe+w_+Ri994efD|9N~ts(aW;%(e&?A-Q{8L%S%`%gzM#evgrkB7k}Hv;%r7i`2uFh zi{|qjF8ijw#10gDdgh0HMwc3W5&xql_^sf?oQULXVzUbzh#pAvC_rg{nA#}JuC??` zNd;KEf9v;DiV`ztO3Xh0>_SC}BAZ)L#+AbEvf)2W91B0|M{1s%bZVk&Oo<_RUBW>2 zpBB6P1euIakQj2SMjEfHy!zCF7WQVqv=TSjgl$(TL7hb*ShZ(4EHK@?5PL+ey}0P@ 
zN=V{-j||Ym={5EvWy(4XXWMu<+!@=0#LHzzRQXJOS`a@jSk^^%!fSlu(`Nn==#!#T z!wKf4iLEYU+ifsWdfTnA262~yXS|*B*+n&10&=P=ci&0ztr&whePjAZkXxnz-u;MQ zj)D|!g2W`~P{j?Qz3@0kRmrBs*zgH5rlEf~Skn zzRI!sf`PiB5!vFHH_xH`aCm;PiWhI3V4|g-plMRC9!2T0INVeywO6DOx3A@fSFX;c zxmgcQ{$XvEj(Qej`X5+u8W_Gix3&Ou zg~@b?vmuRCZx-||21v-y2a@oa&u15!9?TNY_KxaX$KWuuwy^D|o0dMlAB z2!)29`nPK-oB-l?NS)%m03$W<^emWGnCy_WPF+s4q`=rQFoh*V-!=QC#SoDiY5R#V z!|@q5M9gvz6RK34vH(Ueh{q1pY&}Dv3rm?aHYA}i6*Soo)t--rN{B@{=ik#Fq_`Dw zMm)Q;WL8u7mf^u#jvp-kM)%~WWe3ifFABZ2%k$7JzRS61I*;)4ss0HxWbBv4tOP>m z4>v*VHJ@nBkXd-Abz`NS>`dGbaqR;#zzV`o!s#m(No#%qe}#v*HSkn z3u~U9hNMMsDCX1n0IS-zRuN|k^Bb4<+oivNH(o4grXNrVW$fy&zQ09SZ!#S~7mteD z)Fl>K4;&M3hS#;PjXhi^9cjXMNW+Gt9g1d!%uZ1lGT1!&eOA!Yq6d8RiVsgszF>u~ zJYP84pl?WH79^cU#J@kTv4az;&`(WJwxLZvU)Zv!?9#PG19XkL8E2f5iJ5G+BE9{Y zAUPsUNqo`LORlX6|GOAS*Yo_ML($weyT8-ju3edHku|u2YZ-GVa~o%a=y!fkiWWYz$KeGo#y@8CHsMQ*hK-#YFgAtqHMhF8+UVS~kB{DL*FqvHm9(F{4Ku?V z0Ji&cc=)4`?DWslD{;U6pav@#s<};Wb$K?D>w4YFhl_DxlZn<;agrOWn%bEhO{+KS zr0U3-+JPL5?OB(|B1pob{t+P8jUKtN4#lQ-?wFOfzeME>8L3gyc+fHY-nEtZwoO|z z^}D{uv)xw}uf8P(l*2y|$_XWD`U9dBdiRRnjSRSKBl4vC;^ceOY zOfE$Z4#LCMY)W5d^i{VY{cqLlnTkF5lCHV=w(aYsHT5-$Z_wufk*O-%DBzTG*Lv#X zU!Q?F%hDz!^aFJKELXxl!G?Z+A2Mk(p6++u zST&Nx1yyum3UiWo$&*jy#f~W*qWo)G>g?rT*1K4)G&WPoTQx$kt&MEhX@Rn{Ld7|S zEtx=r(%Pb2$J9JNpi2=)l2+lxN@Y7OWaxCX=u;x<%l7#nImv@_H+qj8ad&qC5#tzt zH!P7FCuo)$ueNSSGVlgf;AkOe42my}6< zVLPv(`|qy*=>4!Z(Q|sb*lfi#lkcgyB4Uz*!ncPWQ2!Oa#NNZ-Qm?QesGy~_T1$^J zE5Lr``HqW|lCb%NTyLFFD9QW&BZk|;t-bog6XKV0oDWr)JG?(!BSH0DMf1wAoAny_ z`W&R^a<{j$4y<`&1S87Nr{uvHp`k!bxKkgu=%3`z=D|)JL^3C>L~SZ<*q}I#W+>op{SPdHF&L&gQGpPs7=lD_M5Y4Xbg)Bi&PsK=iBm5 zQ=d^6?FSkgSUE#N7$Iw#EO~e zUC)&*xbw4#j0{EKiNIT&J*Vb<0(ro~!P-9BOdW=dCh()=dtNXq6K69blp-Y4efVc z9ptOjmAqS&1zEwj7HLXne>0bq9>oIpxQQYAiX)?GYEX~2M+U<-G}{g#3#_;fwDfYt zwf&2An=}YzWrKq94cGdl1)CQ^p#n{741E-BVqi#km41q>GA56(DeDYIbBP))Sp7`_ zP9;i8QH%UM)4cea5n1M%s%t+SR@%W~S<j{y%1CGa;2P;2)K5!RbP~l1I_^LrUTh-$-YfwupmGRj3%<@FV8b@=YD8e43Uz0b9 
zg%_CDLmDeur$OZqVCPlA#YsFq)sB4`syHpXTbS|e@K@G`=2h!Y)!bUnj>p0ZVMu(` zazD11_U?9hPDvBx(FQw~>tnwiP-l!PR-u@V2?OMPRiKz&pgNf^G?T{|^qO$b@*k0$ z87Q#mmgi1PwGRaEYVYrMIS=2aXcpY=YYZ{N|EQ96F*E8EaOStk&!saSM3GpH4j{{0 z)wh6?v_yaBR50b+eeg;y{w-GLe-_U|1IgN%dTi}_fLGs7_I}H`b%fKZ7)aHr^DD)b zda3*_0n%&Ln;#Fny_Qpn#Fz`Jck6WJN;&PJ{)V4HC{q(>3d))K zVDdvB$eF$HHnjUm1p#mX~#bTc0>t|3Om^C`(M49V-r9+3Il)8_Up>n~=*QPY}yMoX{d@ zXz<6Si@U8$|8)KlrR>bVRMrl+yaMmuZm1ca*kbsEE$gG_`CDfsq-)H0han5kB)vYo zCQF$3!0W$IG5Jtg8xdA)>DFu&Kbh}?js0gY<9S$mTJ6iGDi)`0!>6|VG_|-#K-;W9 zm7XZmAeBDyXk9TExu98nm)b()@|s500bb1CE6eYL6choHp+=@oZv8ov;j>i^#xHjN zTmA2@xN%(ea(~CT!_JAJMWuT4>{lj1V~)iZ4=+6-qm?1IrIW@c-dUGMJNmh$ta66K&&r4KpaInX@WBw6eO?C-7Yt#yj3$(D;B%JuX&WYWajsO(W8w~`STOVl+oyP_gYjckfFq4Yx~QdbTFz%mXp)#Xr$CXj$5o@^aVsp)gs%{HI%?Zp zout|0IRGG>nM`fF4}~=Nr`1O+G6%-__u2UB%Q7$d@s)6k&*fYAj+6l=OnSXHt!1>` zdfpqbSZg_g&Fyp1Tg(9*LB8apPj@x8QPE$1^6Ip|MX(!7DGn($CBs0Nu*( zL7Vpk>hGq6V&aZd#pT=ru~rh)6{eWW*suWk=~IU+XC3}9dt{FWS3+0QBd}gqGp~AU zG!mgkeA`9`Xi)sq4LOZVUS{i`{i&5f`S&iI*(3Kn8iTXOyrkpbK1*{^qDWEfBODz$>b`fA>=SReCYj+o>`&F6A(nFDa&jw;DLlack-B zC7t$tm=+R_w|=dd+&5`|*a?7C7Rc^PwXtrVneX!Qd(_-;kTp1mZkTV2LS6d%R#baa}&!h$9XD`;R0b-En`d8t}g7$8@yMW3pn4H z%LKlp%sD5`?b5bR<|qQv7^7-W}hC=JOsc zq~=7c^w{nVEDM?VFP&x=W^~B;u$UC|1g3@_l7)N6vP0#JRvd|u4lo`5?)i_3xF=)- zkGxfJS}N+>Z6zj#%s{!cywM+JbNG(+OyJO);XUr&Qc{rfg4uH9}A;YgD{XZ-octpCpVqgzf^f`^a8G^N*WS0fN->>$(->N( zSn{OxW)mE5c+kmQExnsmv(+fp;X=px zw$oCdspuOnnpmcJuFj;Dk68`)vA@al(XpbmuzB|)jOP$O4 z?&ymV^x2b$mND3P)jVL+)+0brN1`2iAa<)5=Skv3AUPXLf`knHU&Dh360kYKjg#JfR}>Ua&fb0hHm}UCiGU8zJ6}6 zOimBSs@)Pm(mIAFOVx*G9E>?qg}*MwH0=T9Hd^F0grfOYG=y?(sMm%2J+nFd_^Wte z?wQS_2b?^zH`Km=$0o*p7|p1uw9c%asvWNle{BMxU&7ff`Yi~_wpGMH_u1U%EUoPm zusPVF^1;IXE?Q&H;pedMUcv%Xk}<+&HC4`QfSensp8LHjJt(QLmZXMytBCfv?>|Ru zrY`FFIb5Y8_dbTfg?x+YoRiMf$Cu(k@-jUZK9Lt8>;7zm{@zO}Ye%04*;_8z? 
zz4p}L)QvVnuIkj&?6zo>z|Hw@pO^aub+pj<+1*%h6Sg<)i;E{5diIQ`-!Bg=)Nt>c zckPWO)HYTOv?`&Z4RlTw{eqm;F;P<~3~{~Hd11Y1=(}FWG$`KuxcZO6!}s!E zxpfp1fFCIwFW)$#ba;%nbY=QT} zWqlqAUHA7~=ih+ws)zL_F4{o17wS zE(TG&o+rv*-4AwbT}lY|8+80T7N)DlV$zI|kKb&W79xEd^|ac{rbUufj{rw&Prs60 z=``X@OmZxiRz(~EVZ8ElXouukS~@dMb@knXI;E(OjKwl-sp+`wSl@(Lu`Kkh4***S zAX?`0<}~MDWZ&b*1X^Wq{mLfxT3khAFQYVdwN7EwZlQJ}kEDSb^VTtXCOmdtP@Rb8IhOY*I+13%a#uMn94wZ21DUa?*JDTOJ zjnrG6N!o&|!1$G$0ynO>8<84&PL-8asiyGB>ZJI=va)#3A;Qy;<^+sL35yLe)@Fmw zKo$Lebsn(2tPI;!8r2sj&r7rb zMUQ2FOR9P7%4?X+kyQMe&S?VQ#*BX?;b~xLx^~y_xUNHj93{b0e7unQvN#9q)>2WV zn(&}%`FxAbzII2vFmjN=#9?(wg_&DlMxROuOw>$$%s9Gc=#;!;q3oOil~idRQP8cg zu`aENjjxMcTQ6PuL#?{Al{tgRJW~g5Mk5iKc|B0%-j-kyPjOnpX;iw)Ff(Y-qo_OT zsaZYNkg8s)mnb|2(_RJ|uUdAuD-*SjjVmS{C%>tU&Hp7}h0hMXNE~D1LrWR-`UV%Jf~qJ1dqo@jJ5>O^46C%H!!UY~15fR4-XC=*(pLbVGYcwc>7?D_>#Iu2xTK`b!Bgw*9hLE4CdPHISBMQ}~uCVOpTk^yqqEhAd*bWL77n=E6 zu1f%zA|d_?85Ub+tXw|OMkMB4n*c+eP`_vznB4bvBma%h$VW)y25w>Fof{70OeT++ zO$_I%lyz)ty+dqYSq^A(&>iKNmqq`AW0v zqsR?h1^9(gJ427qzN@#mmwwUp)E!6Fm7vZk$|E;>(fhJ2Mq=A=%^Ad=Sh|4jA^j-v zXdY0vJxvOsu4|RW0hu?KgZl2(6axgwKUj0boJbMNuQoe?@L9WsGxhPQtvHr1*<)Cf3*|33%osHx?1YNu3Y53^Po7lP>=FTnz0yrth*6VAFSMHt)b$ zIs&-Sdz$%&DO?|iQ-KIQ;FZ1{X!>n>+8E9&h%@((@W}hS%k48MHIEmge~RB#OGls` zCS_5A-1=r&)61nF6>BS=Rm=nj6x6IPO`Sg$hk8LH6F< zve?AY#{IVoq8q;%Lu4{$663we(*qE7P$`=roshgPb>PO^1KxzxTIk$JsoL)kC2p$N zE1f7fBh5}X8StU@n+m@Ag(9gl2O&M*wf2qUC+(X zl3q1=&xcB2SAq|~iHp^p36WOHx%?_nQLA;-V56oBSS@viYwyOXQn!Ol zJJV@b15UD4vhPYt=3AUxRM{ltwSv3pl5P0Q=2^6|{rpS@eNSawUYxWHFURi%77 zgpV?fRJROuhEBLKtyKF*q2G?Ir$bKF2Hsfk9%7~DtBN3VC)VdT?&4WAHAF54oUz+_ z>|Q$rLya4s8OO$fg!oq*os7GoSucqG6)}pFvd@IZ%@ap2#Zp}BGo+mEAjsjHEej+^ z*LaXvVVd~g$7(4yFP6uB)X@UVq;!bnbm$fJ_xZXdr7E9puC?fhsy~r1gZ4c3C3Edm z<_QNBq#sAX2{YmK=Gs1E)L7?xgiglzL7%CLj!F;|Kp9cVkmQyHLn76H+)QI~J=k;T zhjE5=+`Qa0W$6#R59N>R{{(--nI8Rlw8WlwL%h}el(q-@FZha#>K)?H=hU)LZ@-7W zgzrEu<5eT?35&8Xr#rT4h#Hkg*c)kw7v*V$w2=6>${K;owJwc_nz#EB6`>kV$(@pI zKniO}aJ~XF9U_PNQ;pU>4}*W9qhBuC@KSi9`dq`_XGjM?<8rpfi~>&>tUE+QSjJH4 
zeXn6Si#zaiR9!UB#p^Mwn)fW^S|v_I8nEBIn2*mh;B4P+`9a&_dxsSm)lR2JQPJon9H%$>acjVZ9 zespiwc-%@NZ*uJ9^05#zHQkoH{Kv7JiK||QrQ6wh`thL5gUcrRaP;}4~7n){$FXOyceUVB?wO5k9b<@P3rQ@xD^NB~p zRvEAV0ass*@el5lZi`UbWt&n_B_jXJs8@p$sjI0_i&oKtOrY|?JFFi~(Sar8V}nQ~ zn`*_w{dOGrVCLNqIEjPWz(t?;5_8P>y9ThCemH#+|7zljtIE*pBZ9BStm6j+@2LeM zBJ!c+%;;oS!$}_1tcDpOpu~}nT#Ip+v-UGj{-q<5)|rZL(Gn)U4SmyfrLftQ{nYcB z^{31q3a4OUH4D*I>oSaOHgFD%5DgQM@qQn4d9!ppo1Tafknlk|@)2rg-zYy3! zN=_uX?dVVtdH_0Ap>93u7%#aa?ddd2AG8E#KtK1&f-LXb7-9ayZw;(Mv%wm^dYd^I z9wAU>esY(q5&IKbuzlP7b_uYVa|!#zT(k|_CvWxJ{pskdLlRWRF%M4cWh8FV#!uwz z%=z4~^6e4|tUC_Me|YY3AxiUxjA&9-gAy$ODQih!5uACsnciZ8^O&YK1i7$Hh2oCTd?7EY+8B#cQ#mZ*{Y*YsupY2 zTC&1|8_e*n?{wCkN;aD6Ja8a3LwDj!w7+%8=jo|pFw^;iJ5!rt_C@$6xVDJ%bC^#G zoBeLxy&m2>n(zVQqHn?$`Nhq(HF=Loy0g@hC=HF{yl`xkO2X{^;0y?a7R9DYIH zb6}xM%2ZjIhf$u&{%aw4G|%YU!h7c{;2AM=uJ!$wN3ufMczBR6B=l~}8@=FFo3hSd z0;#A7_z_~$i^$1w5MmGJcnigD|6t>nrr3%|Ba5ZkAMl5%tYp(r+xtKJhePK4nOA{h zZu41LR#%72;*IO8&=M_i9&DZAxZ6uvwSHR$$((T&(k^n(xk0S#8q@rAV9HnB`?elU ze%oYc4tdcptCes^ZDje|69gNnZrk%!{!xwgO_D%69-VKkI3GZdBMUeOV(C2t8wP1Z zBtKNPbPBpQlHH~hUX9oPTtfa|2Q5Lb6-Q#lqS3Ensj(GT-oG(8;;l-Uc%Mr%TuqFl z#&x}7InX1dbn-Gq7|@`jFYYp@1XYB+3^tsLc_1^X>Dhv=?cHdvjZ1hqc{D5^y7FIp z{yrR242! 
zT>LJ4l_o2_{_u1-H5C2F2yK5nsfZ#PbQ-|L0T(DS`wO+cvI33+YgYc0uYWjrTIxzI4OZK1@^(MdbFG13ra?G-KupFeSUF-pI zMgS?oJwL|C2bg^m&jPL-A5_o13g8(lFJ#ou6t3yd#MbJ;+IM{hRL=&l;%LsYPV}z8 zSu|%OxXWE5Ly+*mD+n$&O0d#l_wAKW!YvF)7B1}wd#Jo;zNhPl*%{{D^Lj4dW9KUN zIL0I%pp81LV-B|JI(ntgQ#6+qEKTlR0iiDii+(@$yDYG8it$jHjv{BxHwGpIY*-E0 z7cpXy*80!wF;}RdjGju_=>Iw?>wEdXui9fp^k?5U;s&v7+Bk|VtNcovkh>>3?Z;rM4!4GwM`s@C zmTlODJHkm97`IDaNILK+kFc%cO(|iwuE~BQ+%5KW-3qO2tT*Hyj=9}ho%#4y=;5rR z@7Ep61VZ2TY%0Q}x#0ME1o#c{oflSp+OG@KdOi9A2Z8eqL{H&JY>O_wc!-{S*o}Lh zNDdu5D5Y4h9v^hARr;Bgfyr~%ccaRr6nWU;=O6p$n0xFo zpE;f}#vF6A)?NiqHq%Vz6e}uqt5XsT7QZBzvox`pwS9c&YfG6&NmAa+V$NxmYCrfy z(TdT@QtopzPoK>JPS$(*{8^wRX3cCAVSTSWz7aBMAuI$QOe-|Lp|_}r8J63-LOZDS z`yP z@zQZ7hM3=YW+%Wq#Rcgmy`)<~yZ>T(aA>uZKt8Hk7#dfesRh(kyn@Dw%Da-9mn*xZ z2mn8Q(<13s>;$&nM^AW`w}zRE*t_5qI3_+*de6>8 zLp_7UL5JBgG_m*az1veMe3u6?=uNfVzgBY`?$WSNx61P;yLjGYH{zBdX|aD)n_#aD zD!`)&D2|^?Zvn%J2^LPw>1D;Y!LON7vPZwRCU-Zo6T?;@|}X}asvC5|)X$S|Mb z6x%L9H~o_s=a+E}DZfLN?jB6uD#vO;>B?ss;ij{8SdEquSlpgwy{Ri` z(W4?8fELK3;(^EZ@SrsE`X1Yh)L|VpQg#iXtyeTl4qViFqbqyW}={ufy|z zV@}(=weSGaH)?@{#)&5hCd zu`6%u06LoF_4MFj#gA2>!Len7yC~sjnYs0{1t&M0UR1~{_E8l%_aJ~3*zV}gU(ud} zJp4dp^mTCIJ6{)`NIe(qJ`AF9$~#kr2MxpN)Cy1TiY?5>GEGYSj6+iBdNr(fnDxV| z1+EF+kqdbrGcmL)ANUlU*yF7{;|Sdtt?%plG>e$#)c)?B2b)Is2%0Zz)V^j=i(lPZ zr<3*xdSJ(*DpHz_3lJ5d2{T5;4>^1a3k-{DTBXR+ZL8>U@;6}5Z^tUl?x*Yj$nh&r+J5g@t={@}J#`fZWLM6Vo=S#r4SwJIIjdW5 zFln9C8D@3wGlwL2Om6TxZIH`&3R#4aP!sBv7?U^3kbHcvr3+w}*iXh0?SBmPjP#}) z{t~m1b!YWXb4kROsK<_@2S?uTl{?!^+$bvVJbH7RHT6ci4qF5edVP}Y4)q+4b71>AwZ2_IlmoEpOC4?n;0rEEdX#jc`19 zk?jd1wf8AC0PYpICK3$PrNcz5qtX)PPu7D$?K7- zU+$n1%{skVBRe`sRdvhmEPK$-R^|Wj^pvE1>E}74x|Zd5*&+_jG(3Q43nR}M#~0A; zCh4uQ)gsZ%*pOG~p=ccw-b1dR5wcr}A4VCuPbyed6}|H*Q*%4TR(N8Z1G_B5yErG! 
zB)vS!p{^o|olsYzsZA!Szg)h&c3lr=?8oDHS9Mi-0nCwA9|a#b9D7kOS_6}(YR|y5 z!h5Rrat8x9#(VUDdBa_!Wps1Ho*(cO#tUTE(7RtvSospoh4P(Oc2s#Y*nZJETRUB* zx}i|WC#>chB=)RbB1^!q*pi^t2`jAWqjfP><1ooi+NO5})^P{sS?NgYJZk0yHXWWL z3MKWzzA4RIi(8ZBzb(TmL=~;{>xWgjwC}JjTai6puCE*xYHgPJkqw|VX$-w`E z#`~i@W8@R2E)UJtLZGaMp@W6Eo9$=BjakST4dT&BemG|INu<|d;$4DY;DwP8`w;sZ z12nI7x=nFjW=`MnF``$;LLTkX&^Aqwy!Q&5H;JdTDNY%ZO^3!S(d_4T)!r$;Jz`=Lm?Kn4@D(1Y==-tEJc7#&s+cdHW--2*pO`V;9rf9#lxU^%h^Q-cN zXTP|!mQWvAVy{j&@?KdOarQT=5B-lL(1)C?sD?+@ExtNghQ zBAgHLq4+|hs6!MyKxeFQ5|m0tBeXk`@Owok@Qc~1hhsZlWN1s z!p5CxJ(_n{-|NKsOS@?Pc*jquM8>4r!7vy#6kxFaP5u>5OGLJBA7zt@O`=Y4N~?LF ztg~<6gkt+_pe?q_xQa`fHdB#lB0ms$+p*Kxwb526WR)m8#e7GGu5*Mo%5EE|(6gB? zU;JX0jLgOG%k$>9jHF6^gbm}R&0(hBG|8?jr2fmx%HwEPq;MftSD(*QjeJ$kd3G0z z3EbM`1Xz=aG$B)ikfJnNYwN4WrxU@VezYrxe2e$K6%BP{m=kUbDLn_q>I4u5hr|yi z78nu0Xg!=@L>Se0ZY}NS`T0tX9}&_m&8;|8#2Fb3_tJ-#{uH(+bqY; zckZL6rLY&TZgHHY@kjGFJ-sce`^++NuVrf%#=~+Zwt~H{Ed^41&7PJYcTIBP37`)n zQN%+@bG9wo2MqO>BNq=x3X+Uh)@Lk7hJ~mPZWg#u%si|WMKv2mOy4NiegT=WNEZOF z9IetY8*RTY5I{y21QE+|aCszQqenC(V3SQ(*C-1)Tn|mt(%Qz(O2O{hT#@1@V)b&7 zp5$`Dp{w)*e|;i$jWjNNd4Nflq>jGbDflOWwX`{^ACNQ?IDoRK`eu#vXmJHyvaZVj z?QA7j#`MIyzpDJDy}C9_@uFtP40dbRh+HGOx|n?*_X80zX5R(~uZ7xQY*DFW1qyL_ z6P0Y~_6h7wuD-@i%$;>9d;RNUF{a8?Exa{qHtidBeX#+YqV?sz(>l4|dUEz+7sT0l zfKkj_pDTda%7WfswT-0xH>XWPEyv>DAr2O8Q zIjM0;xU%W?I%`tpeBa)`O;FU*Y`ooXOX*M@7FYSTs%m#{+;I=`b>LM%&fYDP*`cL& zIfn>o7h;7EzVzW0PHDQdhJtDDwr=+qsd=ij)dh++J*!IIdO(w3;lQoHs}0bA7ifSh z2@q=jCCeE4!yj+*wo4fgHDCegw}if(AOwq~qE5W15O`-ki;f$IVR7!qnSrdDKwoD& z0v;=oK~@!=<4YGBE3x|_dITOxB;ePB-#^Hk>&m@abzsk;7%9C&koIbOLcPe)zYuFm zQEMAQw?Z#sZR1g_2^fdCx}mnExDcLsSpMGglo~bWW@eS%>pxX=8g49mzLp!!F$0RRi}k4F=j^0& zqBi6i?+iTY?Frf`ky-R;l38A(+n1r~*bOpZ;%O?*$;1l!RD6}IBs}wgQkWc@eje$1 zMM5DU-V9!ScxV{DN~9Z#u8Y=l8EkJjwZ(Vt9Orts_Z3=P&lERWlNLQUS_9c;;9)PB0?58nM|r|h;58ErQEs`p~wkVe5{ zI}JK@U$lGUhE`npD!+2w{%iGLegxVxH-Pv)H796M*~3qnnC0GI{U@k5l`+FIL>~_Y zP(NOSyhY;;$m@B@IYj3@&oTUoJNR<2$W4df{FqN_9t&V^@a|z^rx}y_)G(I~Bs~x5 
zwt5k2^82{LqMTA8DDwWj9M<=}_d@6-f(YO8jlD2yF#o#AREmw}uF~SYjgYWjQ^G#YkZIeH-h0yN#p76NcE#B@H%;{3l9_VS zfclPKOcg2d6;{9h40y=ip6WlaDn-!2?$K~Rso@>}gU4b^W4}0tK|SX$M^?>9kE{~O zJGv_bZZ-}E0c}Lka^P@`*}F>IZyho`UgjD4>T?bTZM43!8Nt*-z6xsB2GW${p#0n6 z-16T#cHV&%$hrnrRZzSQalz7f5zex{*m&PI)VVPht)6QQO2g{Qlr;KMwZn#f+qIWp za|oMx)gDMu>tu`8We9F~wB8^3O>ft&Hw^SNcxqfZ+@4?CfaWBa zJ`APrDDiV_E0`9sE7FU6#HYDSVLqe0YCBGo-LG+X;1;j{SIhMb9gVk^xH2Q3oE#@e zT#DyVVSZUQ{A6)Rl{DdrDqpeS?lk22HVGwFJY-BMYc_|AGO|G8aZpTZk7sG?ddT+; zM%A~`#rkygb-8m`dqA)6n-d8dSMfSTwHoHzmOWdYOVrF&aqK`G`&bzNqHJj! zdUq(xLu|;K0jpc31eYc^?Pg9&wb4uhW)zC5HUnQvk>*~!D__iL%yW_cL_Ul7(&=f1 z*sXyHw&7$KUr1I!Nmyxm-cU^+s)H^*qxluQ2f+RAiR+uOL5!+Joy0s}~wQY?R1s|i|!-p$K}KWt!z4e0|ERGIHyHv z?hvYoAP@Gvox7fTDfOioiS}~3yAs*1U~#_X)~mcH>q6^6PEHI-e6hdNW8k3sQ1@-_n?Bhm+4RqP7QDE4d+wQ$)n30Nq>bde%UWvL|Xri%f-1 z^_QPEnab_n#PnQr^CAl%|q}Y&s8KT5?n}atmS% zrNNS+kz72k+?P?Nfqd0j^m`o_kSMAuBT&w3AVcr-GvHo93xS#>7kvx=5^3g_dZh{t z{~OSn3cp>MApUJY&SuV@FtHC`8f+R3$k=i zv3Y7T&DSlxxLY1|w7FVNHkh6x%>;Lt=b20@VrnW@mm@cu<;bjr7?GyeU-G_5b%|c%BfN^FFu=dp_wi03ojjKGaa$;f&?w z`lzDw5~g%h44x4UBML!}+?g38Amhpn`DI%UQ!hyHUaXl^5X)D3mk$pYVnNMTcA3yJ z_iZ&=$h0*33bI)vvnao%;cG6^??p6)-ME3r!i<*r7PxHUiZ%iXC`L$T^k-|w6RSCB zy|ZS7x|P3#X`HUHt3uwRN$+Co9LH7$VKCH{{T$&pfy&6K5LN44td#5V{HT1$?3yJ9 zFQ|w}|ni3?+B!Ik>yn zlSPeqHyMK$zH2h~V?ZZU_#u=ER5T?M4un=i`+3z-J*VZFTrk0Hdkv=xxfr3=`8kYCdk?X9YU zag?X>LO4-xyYEEZ98tcTVm8s!;htORy0`P4k)SJYH7yti(W`GyW{Is*$%SYz?!CEm zzc&_mm5urJ4HG@`Rg;h@QCJwIvb@HKntf1qCt`ror0J2!tE^zt*HUkRJ`KSuiq90K zQrbJplih)@_e8?c@k3bS3^?jdUvz#J`AKIqeoZWhu+scDmc-^!nr2XuSeq@q+UHdcFx0K&kgB$Sgv&0#4)S2qN?Vnu3 zOsyyvHovyA^T7+(Lg=A=*pWKM2B3{__Z#xqss68gi5`P7V3-E*Lo6YU`;^< z&pARAypNtneqR{up*VfGU9SFFob1SJx({mzsjL!M!SC?fSmMcx9~+$OPs;PXsiOt{PT-U3aIDv_ICvuU`J0^4p9$roZ+Sz*#yyR-?c zUSNQkCs_YcvzhxB)Bv%>f1rnZY))drOQ>8y)3A9sx97+_$6JFleDORxt| zc>*xCrDh=?Jmz}`8_h0edm#lNox#{b``{rAoNkF6b@|KJhu ze>m%sxfm*vJZ~xY?4?ct_?d3dn{_V69)BE2Llpb7rQ54h8nVD^6AHXG!AeuG=WAcg zc7}T=eTNfg3KC)l`fZp&vU~8Jj~#!%>nde};Az&t=WE9dejs&tJ@t6QK}yvRHSn>! 
zf^pL8=!Rt00M!A{Fy*h@`_nuatjS&pwx+mrQZvhQFgfwL2g$}w$^L9zprubjwVi@z zft#~fOX-utUXME=gS8v8lH6&2Cz%Y#6gniyZRK~|)+E;a!UIaetcTG$@l&r$C?mIEPG)Yh@iF2Hh%S?jUn4$)=!#%1CiewIM`K4loH_c7e&)-Y z)>qC=h7X{?wq+#5vzC@%mjCP-N9(^_fB|~pvfokpVc8KMBMq%4KiMxT2o=4(D6P@| zYE5SOlRp1YNpcM1htVJ6019h#aNry#)tIGzl-6fL;7I?lL;l{tyrUwh8D`-b;q`_KHwFkJ2bFe|wg2=I_jr2cM0$Dn{G{K9k0U&K;=NO@Y z%NGc7_RXxR27$s4pI}5@-n2O%NMO`@?ScfH32nH1kr3EQ&JqIrKbQ93p*|0q6My=> z`jvb^33Q~B_xcUiLnS!gq)(T#} z^e{_z@Ci}yz5cXTuv9^y{0)D#4!#V)zE4F;{X4LK8<#`~En1z$$@vSGEm(dJ9YZqV z!|>BaQfa^Q1WR-SNDgq+ql4H5Z183K{as<>@GPGR*aa;iKE7ZH!475#9EMpcN-kyP z7qmf?tUsH<{pQ?Nq=&t{BiSc@0>N!VG5%-CV%rt&PLwMYQaLPz5o3S#ysh}$tV%7!Oi9}$YpE^V(Ms)$YFa*VlJ=xwojgylg{vee^&mtZk zSl>7>p_45YC=LE?xaH?f=^(qT&{CCfer1C|3Y;LWfr*6Fvu}o4Noyt8VIO^T$il`- zo~l0WHAHI< zgr=PuxPr42!{lR66;9`ZD6k_Rv&ls_QNxVFPKguzMf8yqX$vscK;D6E{c)?Sk z{Et@)TRq&3KkDamd7hju76|aE4-dt<9z^N#?hmNx^O)>pVg8ajX2_)N0;u}|&b6ng z;x3>9HlIPbnz7KmjP9Qeby3;@UJp`DC#` z;f2-0WOz7!s@URw($0DYa_xjvBg|bVmU%9G_PnQNVlViDm3rcOPZPgoeRKF=>qKH>KqC@{g!Q)E&H zT!`knvu=KIfk03`4QA9ckpbfXCZCXdakVfR?#7Cs5>30})5QWe!PFz6y@@M%QUgs| z&SRR1h85B9KY1U00aWzO6`xa7j2BSBv$S-XW0ed+kN5m!i5Z5pu<#%J>~c8)(TeT0Z=~Wck%+i zpnSsbIZ)spb|IKUfeX%A9K>K>3scpj)oveN+_XxSf_f%Yy; z7;bUyy3OQl+j8n3ZrcK--UR803U+}? 
zXGj!YM*;fI8*iuCF-q>O1Bmm&%*6H&r@^-A&lLiEds~z1qdbs9daDCQ8kc7@0!_f) zqfm(30#dJ!glUqg@4+{n!}ghdh5W|I<)_Sm+wbpoWF%u{n+mo|KYo520o+AP4+ks{ zSTUU!6|6cS^Q3MY>x)s#zqa(D3+st7dldtQD;tJ0z1;4q`biyX-RrhnA{@K>w&kUj zVyYVqn|0d@7KbD3c%%>ad?hoXlD|9jh2{|EnE9)@foG{L^%M3Gjn)yNIh$-|e)&Q> zik9^evcldy`-88Ng!^PBz?v_X>u}DyY_#?DD#Pt56P_KJj#Y@?_T$1ZNaqc+wVq_m z)T%@2{mhtlMJMOAZ_6BQ$|EM9wtP3}A?>6BTO%oMb8bON@_S}Wj22G#@lDp=y<`o3 zdd>$lyEshl>-V3sjG}QxTb0)ETixa3UlacpOzMHS^`?$&FA;Ab6>!|LDQ$DrCbM_5 za;6mA^2{0U+q%7}jXKj1Is9~g<}I_=iZbNV+*8l(u%SBVnaIQam$^^h9yIc{3zt=$gUd~ zvMj%s8qfaO!`5lUW@WB^`?o1=cdy^JwOY`?thLhBLsG#yH7GhjR`RqUW=8!f>Zm)Q zncv?sS}e579S=#)yDLPbCz#PP#k>D=d)*62%46=>d~t(^Pg`GLtYsfMWnLNA-d{(Z zgvLcA)NvT6``6FL@zet?G_vAvGtlvRz4b{*qR#&Ev$ph|PdfXq>+ysI2UpKO7?XfK zvT)Ha1Mv#%*_ef~LFj+M{}-9_a_VU4Rd^f1(U5WEucINwSMtY0sZqSwPo7K~IURNP zNb^=SA;N4VUo-{T-=DY%KDYGv-!re=NcU*kTQD6E2BI_KrAsNum%yiTp8k90HSZc( z7fo|ycQKmq@@vn?>oG(Eun(0;&IeY5y13x;P;Z=m=F&5ST<=Sl^lgnT?3kHguMcDq zE@LB}K2SCCVGQBrD4$4=7?LByNud1rMPzvl9UM*iIFSY!_@GsTE0-=|oinWD7peaW PClW6f11ZHH_RfC+{a@DH 
diff --git a/spreadsheet/macrofree/sap_checklist.ja.xlsx b/spreadsheet/macrofree/sap_checklist.ja.xlsx index 956adbe4fae1d30e75cfaf2f922d24c1173765c7..5c4de7dcc503e7d0b5475cc7624b3650166c463b 100644 GIT binary patch delta 37547 zcmY&fWl&sOvqggw++Bi0aCaxTOK^90IkK_RfKD?3xf1yM8b7e^4F~@IF$5SG>idg{ zy|JQ`y@NB8vAvTiqlc|cNP?0=&}WR0H~0-g8ADlHoR3yMpA)}J4Jutaf^kkhr0_8McwQp!f>xua9Lfps^EGo zSwRJQ`?1%+rN5cTVUVN}aO3(Xq(y85CmBhk+b_j}(ZDw3=88&M$PRNy86-bB8@TLl zce6W}pFRB=AIP*98@?;)h(>|BPGOVDobn=$jELY>>Cp%x3m- z7v=*8_2~cDL9USgCCJ$6Y#XfR<_j_S9N$M>(eoC4+Cj znz>W%j!6YO76t1FODgZe!k+uy_}W^z1&B2DW&lop8+$2~KF*I1W_KlT&tG1a4nNb~ zVLk}}2EfZy);+ZIT)HtOWbn(hU^F`_ptMLhWYDZ{>{m6y!6qAQv>2vlhi|zY}Ma7WwjO&b+-OgV>v+ z^pQ++_(AY&!TRTp##*S4#G3*O_G_7`-txkWegF2{4d~Jm>mi|i)&8xyO#bdU4@g(D z$r7|xII&NAJqddW=<{K=T2_G-1TnX{HJCy`p(H-*LagER~fbl(|U ziA#>(ro30hrRYt&zb4zR4>gPLT*K;kP8&mpS3-0KQBf5Eur*K7!iosc<|_ooAo<@`WzS4{8MyO7r*2}_06 zX;o54iItjF^lLvw-!-WM1grwb!GXVc3AsFbVfbJ6PO24PIJ|wwK{-tsTL(;>RIg&f zEi@UZ9c&Ww!`yH^N1^f8aQ1j2i&Q?)s2!oOYnrf}KCfP=BK&`9Iua3oJ)n`bA(Ot6 z_RNhccKeU+#^M-#1G$HM8*5F}E?b3uNu~M_b^W_^obKy(t5v->=hGSR54c?(%M91lsS7Cy)z< z=ri%Fodc2en6ba}`!~#8+~-f6U0m<)L!Ptxe0$tcHoU`Yf???px;3*3QT6`Nt(^r# zsWj$Fzlb9Gd|Y!B^#t5TPRy5H1%aa#74VgZ$LB2Vz%dT0TZ87e(TAtC8e`9SzS-ha z^QXr(pQmQi%xVHwgR=!g=SPd?E9=3mlILrehUL2$0>{!)ty}bLe2e$@tTAOrT+uiu%wFPqAdY)|?zMq|vc<8Slo2M!B0sBC7z6bOM zn=N49biyUPnHgR+-E&fKDZeSdGUYMHT6uksIFe2`iMZ!1lvbUxq#Yo4jQ^xRZxRw! z^t^EqrR(U^07xV3xkzD|vu6Z*BfLM=le;#X;Bo#oPX|>GpvLZ;Nk8{T^DZlN{#N%K zCc4ad_oRdYCpEG_-U{;9WJqzg`yL;m$NuBn)0-99s+me!v#X^vvPep#O;u!Nrn2>X zPiR9{Db`<`DFdUu5LbC@av4YX#Zp)9v!5~hN1aOnW=5o)3W~!P4E#Ii@v7z@dQ<)! 
z-^fR?60UISxo-G^WXA+!BD8Nx2lXenDm?XMVvaJJu)}V6E(N9U`{@(ERHldt(861( zOC|M}4STVwPSZDQ%djU)AzD_pYdgOz>?1s53DfT)e*B*Kvel}UT1#!Qsx__4+hIQ0 zHBaaDo?g!J7BNaLXk2X-?>Mobeqq5GG2T!qh#awY$Zs$kMfUUckW}p9N*MXtTA^(^ zGs5+hH3*1`LB_o~I@g;%7~UNksu0}{zC2!+FAFYjix3UHiGO@r*=-P9wz)ft<;3K* zTRn-tw^ywlJb5M04PL`jIIFp_?LF%Xed84aG})jm$Sf6;g_8_be{8}2i7YDZGW4&j zqpzSImLkCBAhbYSV&^68K_jcAhZ4m!6)30n_ADRjpX65C{-qJ+2P_P!^<^+guBwdi z6ZEB}K(pF8o|Zo=j$%EvrTeDYU+E4f&#$Zj>8_@pI1#ndDW-k#*hv)n&n_nQ&&xu< zGNvZ+ZR?axXNpX$KFxQgrstjdpwU&|Z^96R&CJix@*DwO0r#2asR)?`HLA^T4k|Ue zo^SEQes(7DWVwmeyM~?O8M@77zkUnDxcMxf#d6eN*nWV^K|~WkF-*w97BEfwMxnh& zJ?I&*pKe+jo(~V*fcV7@*~B!!wudSR2>vLhDH5CbZizv7BIC2b`w4q>{Joi2 zXr7{GSWW|~0vFM=CLd8WED~ZAsDh;orLn-&^TjD_U&>l~cxE z-^)?P-o|f?h{zlXjH&4K{8mp?U8-3-aX0ZojDstkRWag#}mRDBO=hjPB=6J01&e=bxAHG()erG=upxTYAj5wvhpGLC7q zV?9SSOJZU)s=5{>^#@97F|EL)?N!+pnW+ zmyZFR-DlEgUa}@_3Q_Z=Kr=~{+#h^p1_=^E@RcaWE2aoO}i>?Ph zD5pbfQL8>~sp73;d{ZB3d$??E{qe~r2iN^hG=;K^+x!Okp7qpD1JKP=n7AcVc9;L5--Q~ zfX}#m&JlU>!cmjG-}jpk>#Hde6r)U)3&+adcx}X?+%J1RGH?q0CbsTj(wg2_hX%+k zKj?gtUx?gY(oy_kI@1Q%88A4e$8=-a^ocnI{CBCjsNp?ZB-Q=ThK;2;f zl-9!5uLnD4H0hX~SAJd}7XoCY6)zf+q&zNxW3bHf!QHjZnq`_~vZ-h%=7M@kgCqA} zY{f{x;)iZQxlJKXwl|+6Lor1uwjnmfqhwIK4l$ua1TpO}Qgw+@b8Wn_X`0L+<3AU%oio?YP4g#nXjoY}UiZn;}LEW?!--m%A zsz_<~1t|=66?Moc@DYAaAHh=@yZh7GtX2kKHE;6Q*8$%jdWC95%8Eri;)k%w@TS8t z%4L6XF;Xc*+0kK77cUY?3dt9uO%COX1$~w@?S>F5$QOcs6H*kf_s74MPAr@*SEead zCIz7tR@z{w6iMjOvU>&4&b;H2e8^7fUa9XlMJ}RQuY^Vze(By{`a7cGfcr|D0f5Hi zUHSrbHx>}UHT;0$H;CCKZN7X}M)xf{Ln8O9vt1CX6H+2n!8TssVO!q(HlEmndW>0u zHHv8-^@I&<)#uo67~+^(nd1^nzbH4`tw@b}f-ouUe&>(gy z1w$+q%gF^6-pb7}?oZu@ngAe|_PcUN!r&y=x??G~@!6}F8c#yp+`TC#?OW+|f}g6M zxT~5>cp5lNak-Qdx_N*sByySlHm~e&SqmKs?ek}T-j{DXXUP%L5ZuYF_&l92dS>eu z#L|++{^WD2a3@0^eJ80bw7Lkk3D$RjnXNYW2dMls7(J$1*!b~BH$b;FbdKA(vAeP! 
zWrz1-6^FcMZpD3?Gh!z2B)T0*l_RFGY-YO1q;9?zS7)Z)@U`zUo@&MoQ00adF{ z)Z{(3d!B9O{9C+*o`>xN4vzr8!0AUS&ohVLorHG^VTmtlUztF?PAE=ynzOjVN_jCo4E?y+rP6BccSh z*_GSCAEi9bhq)$Cf}E{ZZyT_)Su~G?yws4J4|@t;R1YBb$YgU*Zpf2I*T8IpB0L*l zc%87pY8IH#qx!ghdU9#^ljm3gsb_TMn}g$wT0IcXv--^C-KukTfvYxPqnTU*CRNOwhMRdr;JUt5o!x4QF^Ei+o_ z!)yk5u9jy4_-(R@qG2)yrJO{1D}j~M$ZKPi50mlE=)))xV^(++PhV>o2GW*D4g7uJ zSr@FR{XH;VMb@M9K0~8H{{=Nb+>jk3GOVBhVS@LkahQ)aJKPVCLz0xdSn+Ko7>&Ya z{{#UyWZ7x^A1bI7x6lcng+LIzHJ>k829iusBfoJ8H&BbJ7IKSgVTCB+0P3D!=Sh$| zdr5FUNc~&CSm+AEw%zioq8|#ZXrv3-kaz3GcM9PcjJ$BI$Pty*FoQ#&&%hUo4 zd)~#*qy1n=mY=U-k)?py=4^y`uiY#S9}dwSw9Hk|Ef7s2^qn#YZqK zPYWDGiba?9cUpfa5ND3c4V9kO;=T${O7R4qu;NJHINQsrFNvw)#q%Lk`V_YZrm+eH z&y+(l|9DOY;a1qe+t9t^)eNx&GMf>`TB-E}(xkqIM(&#Czf6_Q3!WTi=4Sooug|W~ z?cJro9X37|M2SEsq{o1c&Zo3QRVS4om4^^JNY5oJN5hchqFP8#+2N^M1W3@Z|8t&2 zKu_xHHZ+-Ivu8`!>(zHE7x@jQugT&i@cU0&Hy~S0;nsj#S3-Zhzx!;agI}H;`4#^_AlomDozQA6Bzg9Q3OfSkGSK$OOZD9yY z@#I*YeyZ?WDCHCqQ`3U)n^OqDNkp4a0~MzNcKA5mV3JXFSZzta$+-WSDV%?qCvAui zhNgSdoRChj<`(O$`F;=O;RZ*M8TEQ*(Q+&uynq_P*A4zgIP1sgU5IceC%(y=O^X<>5ltbZ`7#5~y+kUeI-1R2z*z)~I9g)JlD8zb&T)Q~(^W6_YPSVJgvPHb2;z>*zVNkE#u! 
zynUwcr}{@V-p*RHfTxZ;tqG)+h2J>`A|2}D$VPS#QK_tvKJb+c@6MIyr|mjFV%$oz za7vwI)yNdb*`wcvdQ<;w-tev*VXbuV*6>ici9LTQD=-*&1i(w1PwzQTH`|{oY>z9niRqZQ8(I!Da?r&J3QJt-n)L1LZwXq5yR;QJw^R( zXc6Ccj}w||$;OdODrI-o=qMn48NCe8=+P8u^YBISkgmhkKKkRBzGl2d6Mcus zKs0fb&o_77pGe4Z(fmVuTJ7;#a(*g=!x8_U!Y5kkG*K|2MJa}8#VoOM$x7hRY7*h| zN6Vf6G5CkbPIK#hw%La6srkF!J>b`1^weS(MFQKDYh1L@tbH)tkG(%eeYD#ji&z_w z;iAK*(!$j>s2q?clICeeXF27~qngt29NavAoz;<)Fcjo!II|8#-O6S_<+U$Y&l4*p z%7R}&*YQwki25KEx;0BK`D%R;smRR6Q9Zt>c{9BtVe8vc2OAEDbO|9dO9lE!(y^qp zP+-z$(;f6b!$PP+C+WNi6BY0cJE>Bds(tvCtA?jT$sAq`{okQUoJWw0Y7=5(ct0~z zMtk2=;b|BxO=NS*Wy=lsLb*z$J zv?;h%!yCg1B%r0qd;+>ZE#rOY+r9ReYceg=HA@zneKM|>J)w~PGcX4id$SkhXu_Bi0V_O79bYZS6XGk2lE^-HKp~la z(?)e-yO66BwxsB7PTsQUqGyM~zT#?0ywIckeMyhF*wMsBLk8&8Ml8~*?`WyOW=A3v zY_Mw2UN@g;n^Vf!Ij&bc194PqIpEG}IB)3@YfeT9td0nbeF=`jKoidDSgLk7`k`Db zC~g{jBT_OdqEgP;01Agx&JDsO<65u!9U-W-#V^Jkh7C9`|<0xesC7DqO3I8lkGC@T;2^oS4)`Fz@mu`;y zK`@JH6Z+2nj=g5=7&B9?0tQ-R?>Y*BjVSc1n>^R&c{3nWD~`K053 z?-B7f*g>W&)_R5c!0fGkjfR8@tpVg@vs&K2qUwZ9%U$CEr|t=}iTPk3#R^>7!MBmU zhmACxYKyiu$P53!XaC$^jJ$v^@(V_PGndR48ks3}(fn_y43>D<{{Nc%!!kuzL-ag^ z^6-BOi)T9!+_DTEn@{QU4D!ucj*iB|-WZ6|hOaOLI=TaIWiT8*0u?%Y3*sCVUl!;o zq*cxF(ynLRWTFA(BToE4YFwiFD}htE5}^?=t*o#QJmQ>Gv``zQLLf4iF46cTljs`w zh@ZRRp^kxdKJ5~YnHzz0ntx`NZSR6B~ z#N#q#!^Tx_YEyMlh`+ZXFxhC>!xdG}MA9@*%icw66PLO@eZ7I9Hct|Db$&>D{L!Y> z7N4)ST>a%Ax%GaWUT~E_>%j#Ko}=p^ri;$5qWq(*#N$M7D~z2X+jx7e7LJuPeGf_{ zkgSez9{vmDs8%Ven!H?g zGN<919o_IK5BS7^*_l6}w3apB3i*B187YV)y3+5ycKGrPY*yl$A8cO zxmJ^%PAGACReg1zEsBjlimg4h>(t=_^WDV@aYY2S zb$JE^DsCs6D}}Itm-rdaeJu-a z5h=o}=kUuxNjUGNz>(~1E>B~70tX~~a{7)W9iL-GyI9!~3Df7B5<{{r?Gu5Tb@W1d z5y@_Isr*bpoI*sLNO@y?kU9=W7%I$jI5B^H=?^VMcc8+52_7R+4>~8WpyODZ^g!SI z04p)J_7x>D6<)gLaboM{0b!V?97R}t&kzbn#$FCoKV0QexU3zeYo4rS&`t8U6#Q;8 z6dA7W8Is6008!m4riHd^L5L-e5`4r`-wSkq-@;=-pvU=FWY*Gy4$3P49criTFm7I^ zYQ@&dGUp50Sl99XWUI6zGcA`A`V!X{&xm@O<3C?CqS;+WL4ni)2QVIN|4HtnE$S-g zjlGJEDJoCJT^(1%0v_~NFf#2)_#FVcdpSEQ z-#Z4ajY(HXBE^#{!^S+ke{zWy`?m0(aZ_`>MbmPiU|85 
z8g+(ND_Yk;($*sgYPUCB`Y$Y%h0bcwE!BB{9g3{IFqSKcULaq+vn-}X^Q$jcVD{2O28#<9I};V)}z3)FOgHR7w8TP0IS(;mbrM7kV3ImJ9rb zbs~5N9s$vax4gbL#Z7?v!aA8tlWdpt_jB?+Mv>9`Ur*GlR?eTU5$ZeYYSURJsJo$4 zaDHD#oT2mLI~KR2eEbC@@*Dkp_`#F%KrTwmQR00ab?>1#j9fD6rQ%fN+fc;U!LG$B z|GoQ?CB6=paL3d!4a>B)xHOchfO)S*>Iy7`9{7TH%|fRq51W!2@ZYhlyQO79AY|vA zqqR1do`5wy!Ljyya%st_x`P=R4%HxvIm_!K$?}=7C??)w!yoXkRVwm-WSDSJQ2Lr_ zB>hw(Fv9sjb63tcYicSFS&WTONjsyIyih#gQJ~<}b;%mnzRUEbgj)0;|4aq)Vq)`N zbr5I_^+^09?#N*N&}y+N)&+*x{B>6N1*lzP)qd+FbH|8ZDPzqha^%5N>~cp&Kc^$% zaQ`v-N0B1cD$^jvcU4u_rP0#ujZ3KfQ5*dG`am~d3&H-13zla zvYNw~l@E_(;woQ#3M}}%PPLD_KP&`&giq;KszF39q%SQ%WK^(FzSM}Ej7)(jZWPn{ zUaj;!L``W|T3PvsO1hhc>%Z9WOwkTn-@i)fZVn~Bk>(jV+vw*1lltb=8uET4qA z3Vu!gxEN;E9t9P@Seo#sMT$MxYa-2+B&lDTWIM-PHQ@}kwYRIdf@cKljR&*qWVg2@)um-)5_(Rrt1^-qQ!!EbBC zk4|2DM?dPXbUd6^XnagoOF>mk3FtR_=c2=&S_9NudIS+l!(<@2VKNDERP0jCJucdE zmn^Y7wSTSt@eP`hw#d=_E3Az7EutLB>^G}eSlS(O`DA3VDM*h(JXIgc#fGgp30U5)KrJmj9c_>u8Z00*Yek4;H-tKIN$rm}jvo*t*mm+Oq z`q^uglviya(nv0ThC8c6a|-c!cB4QUmMTC>eeUk(!{=twqA|&|u6#LoEL-Ioi*G!U z9OR5CjwHF_b!W*=`r@G(asFba@tBrHRCO&v4hxQ8>25XA5x{$7s^s`NHvaxv}}(d~kIv zu{7|GJt+Or`OzU5{nE+MTw_xnwsGSA;z9p~zJ~-aOr*&@20Rxe!9#LaETkW1?h5RF zLvuj$y!xOLWw0^5eg@`}3jxLV(nH}?UzP@T*?Vo%-U_iwju^>)B;}*udg&LIo-{~Y zji-KpprfCiS6IjrR4g9Bs0yS0P(+t{fo#Vy%&oI$cL}wAN}vmH?VLjdZj{zf9(iI3~-J5{IS` z;(t{5HcA7W+0}iM0O?zKOctDha+O4aLhAIM=dJZ!{nD($B4fN4FwHZDn4GtvQ%jR1 zY6Ul{3nx>t$zWXjfkrdwxYi7Kt+S2HH+lD|_7-X__~N!j!P(k`8&bevbK-ut>+*0b zMoJdz@@VcQ)>YWRo{i<`^&FYs0p>JI%*NM!UXXv0Wc|Ifa8$Ev>2CBsy(jymxx17e zzkPF67BgMKv zQcNl8B5H^wWe5>g z`96s!@^h**9O1}3envE|F4b^#jqFACGS6JL67NgnF`@}^0Gm308pfLwD7ZRrnl$a^ zrajMqy?ijrl?(`+qA6Dt#@f3+9P`IR{Q7)xYN;~3OlJ7x_iN30qhds((&_DRPa(gc z1-@%BKR6Kj$9wc4g#H09iv{N)A@)9%!M85b3CgF8E8{$H;W~cTU^h^0Jmpi<-U~GU|l1!col22z?|b3<~5q6vJHnjAoG$ zUI&EdRu1*z*|Emppc-VTXTi)y1pZeCj9rzZ7oD!!F)8dlG|2lfX5B?(Gt4nJMr}up z&0GhV6c~}H&7+ph+L``JC9X__x*kS~m~j=$TBmUB{E8NCM)JmN=o0-DJIV!b+QWyc zXiLjGtiAkzLAbnK|GUt323pL^wj3bLvO#@oR+IE+uOP}v){&G|s(`QKD$$rLf9))J 
zp%LVG%e2i#mhTruo%!x#n^VYh>iWxaOMeto;<*AGRz&Ad@1GwyT`U@ZgAt2HNKN#t zbQ&pM6=V`Kfg>jBt|yKul>c#oK^onEESWlVsNy%f)19@CV`TT}6>vrKq0_uK(6!jX zKGYNU!;(RMwL*zBL#w6w$Sw*@c|}vBN*3kj_HiMG)^^Q~hgM<2+xg5&T$ZQt7ThE% zP6qLL+X6WUB}%}|_$fnov)U0nb$~@=xp{oQr;GRuYwGaVdjY#Xz`=8b_WBjv)@@Lw z1AX46QG0#66BFjO7kJTcu8vO?QfY^+^o{LWG>@+fCukg}EI4W-u@>u%$3Is~%HspE zVyHhmlhDIzDJ^chK+OvLk3wbMmixwLV&*U@%JX{qNpPPi{kA=_Wy}F@e6ZawFrwa5 zx%3J44BEp&B{(?iq-*&=MO_%f&dyOYi=R?9+O~@UEGawMgmNk(*~O5ju~gChIEh)X zwF;E~8Rl(W%!KP=SMoSHSCP{aF|9P4JI`*|@ki(P?At`<>gSA63#PTxqWP~dtmD-* zdngXRr>;%qqBR^VqRQO9`4*AsE`Kp_m20_;;Mf`eicTc|l{_WCj9!!-j{m)N>pk1_ z;2;XX1!C@#yf@Qx(dcJAL%u;&HCKgE)67y2szuJa$bA{u#7Uj4qbAjixh}M6E8G~NF&!)5W6FW#c3YP@Gr4dyI)w{g{sWMnPe1%w zyF?3TM{O*N^hl|l`v>WHH;eB-;~fEKYQ@CdUqtnDyWB6IqaoIg7Qk{mLCb-E@9 z>ELgBWs?Xbs<(P284FU1>`M3hd&b#c#0Z3=Ac6f~0{+GHVwZ_A*eoqMkr|J)=WHQuh&s=QJ!sv}foy``s0 zzCJ=>)gYokh{s1VMXf?x1Aj1~E5qQV*4pf7@b9q%b*Py z-kso|!L~!)YVGU&Ky4TMc3vl&ik_P?-Z)icTl8_#Vmt@6)n@R?VJT5XW zA28zx6wY!Y_Be_2r1DgJlQr<Q6wMyDMNjSBb-}*J$f~09X-NKie5mZy;?#v|II9dTTdrqH})uFQrb0I zc@I{m+!N?=xBMt=O2U4HpndfG&UHGNDRi%n1@IEn3pQ7p&0-syUF2LD+N|8PydkRU z#a&?{vK_ro@QRDgb0@#GJdgi77OXbHK7PVHmbR&~Cl8Vh^b8poo=Q{b+p6Lbg!U}N z*qCKV61}M2{~?TUo#r$b)Bu+?(&b2A^LY(m(3bfApn|dgu4@)lAZ(Ay6W@JB%6<0j zSlI11qXTm|f)IE4Wv-)|(^9ZC03ZEP{<`Pay6>uWOUmE*k69wH#$yHQG{fCpI{_Y+EgP{wJI(FLFamDY8cCey)YwAcxAKZ!dul9&BJ(nqogB^z zEZI@<8TE(75pPG7<+-^J?r`r;VmI z#f&h{^flB4m~zcjxwF7+yXw^T@VObUUz_6=v)v+n<1H`F+k8P}HOFfV(vn=JDoJnu zxX8#`lXl-qX4%Ud2L#>8UmR5zv87S^ms`YqDk5$pNQJqZ@|3hNq091F=*X={0%0o~ zVE!$L5wA#Y%NydDN*nIjKMus&vVQz(3`kL4Op)I?EgbVkjDLRQBE%0MCh2bK=C-Lg z2;J)xxFMP}x5#~9H+icGNrJa7zqh(W2{SRIFH*z889?^l(aXV>U;=xz{zbk zxi8I@K0@6Q%GHhXSxZOIIQztU?Mh~CL?eB`;HAy`>ha5zM?m3quW<=qDyMHP>*mQnwI3#F z7D1(lb`HqOrUP4y^4*Hb$b@uURU_qSU3gA+11@1Jn>1EK!T{FZ#SHuQuH_&HFhp4i zaznr}@ps09;b9tKNa$JinzxQoCAW=1T{9Sd55v^(4NlTui^a7no3|O^#k2@=+hm+E zg6Y2`QtagXXjJSam_zy3@_oGa{+3oNj)_|94r`65XyG$mO8xYdKbK0bElZ|^qvahI`Lb(ze5(678#U#qkQMJpl_C*yevbE)4-WD&BFwNNQ zZfZrNK)%!Z;#nV|#DgO?CI8 
zuXt#wgoM2Cx5nLXOMxU z_twC$$f~uFBuh^a%g2Q?RSKW1q*q#rD-5V^qD87XCj5`0CWmS)c>4%1v^GtiQ=@ij zTY5B9&gHkq9)*+cxYHL6qG*UoMyZKA5#ua7ZrXmUdj6yT;$+18XGJz@R^23>3Xm4r zM}Z3&@jS>{D&6KwNV;1P?09PP&Wv@;y>!m#YLXzcI8`UjA&O0%D~soe#?3QElKmXT zQJ1qy6(DBw$Mln8V>rP2=)6a#>sy$+K7IzKAvn&cka}l%OekC~Pp@TgnNEZK}6xYYE>~Y~#PY7_U zUkv*iQwP&!1-utJgfp*VF6F4cR`7pHLe;f`Bg0cl?bN1(o^(#YYZi%t|8P73ueN%- z$E|o-F;+16=)t$u_7f)?FRXo;tzVRGA$eO(>Qj85T9Jt2g^`X)>!Lm9jwF*WLaS4j zu(sg}JF82#0)c@IVmT6|WRMIYfgEKfB2o-LYDrzQb0!`rP@m}zrK!lYBm4SUD!z<9 zo=6~Y%;8)l>U10MA9+Ca{3H?B@W6@Kau4t0^KdHK&WU#pa^`2T{b>xTSMK|wdWXy5 znyBDgt|l39k93+P*z+w5Vi4TKl}JBk%YZAEbLpkEz{>d3E56#XW9u9BSJ?_s%jU(6 zJ<@9Qsl`-Kg6NZ^TRhKD`YKM)IpVvp&AX0E_J>D;Ej9u;9AIw9r~X17dbr9ghYwzX z2C;!F^xqUSoM$&{-#F~}I*~U7<+exYfD+2?>~YQ}mpaUZ30WdWYo5^F%O<@fcG7?a zj42zGm_oaphJ+be0eh4X{>sFVCfZgXz1xke0b@i6UMD^``O122WOA%0^y7EN6KDG< z&Q=W|Ppc{kik6m?J(Kp=B)8vQ?hOc{R{qpnXdmm_^EF#Z-Hxt zb!^6s?$>5&c>ac!v(NG_aeq$hsPT&eD-dHl)?RfTSn%53~ z)nw(%0FT@!tcao54M)!&P$&VNh_{194(hqVn=yF5KLj05`y%YOBN8;sCW-&w{xB^U z6T!Rq=ZLawtdP4-Fdjd75sNQbPy9<|?Cxo>-mxocdaguCv?^OQ;(+Zyc*?~EsD+bV zFiAKH;Psdy*FG=p<7bSpMqLrUNr;RwIA{|ijbTJzAz2I@lyHUVC>GKI)5;vwC}1FX z5D*VD%Si_;(-;c34{89~pT{1ZYfCTi7WoB62617&Cn^roFGJ9$yF;9DhLct>-|aFA0OKVGE@|!f-iHK29Oeb@{OltN~?9GF}(UgHW$sxiiy36lZi$ zFrK@fSMc1Rsdq|X-szKI*TgGuRSCcs7XlG;%Zw8#Orv$xzxVu2MzKG zHIbTt2R~_Ic1!NoKx&Tbpjt1HaEFR(0l_^xEBEdG%FBGT8A(abb)LBcgwwb!hDzaM zh`5hKC!b^kbiv+fTeY3RSzz>oYp3yTCHJ@_pkG34xAw+q4#tq~KN@#z;jG*dBWwfx zcZ=rX9d#j9`Yp1|ne!>%a@u56Fg9G|RFoi%&z>=Z=HdUxI}zJzFgMNn)c@`fi-QIt zx*Z@RO|IhAfa6N2*a=(z;Q1U?{PFjCxIU%QP2d%Byh0U>WOnWTlLR3eFrPkJdgQ%c zm{rUw;UQm$DpIo5>(gc@GjAQB#@$+ViC5ut+t^cHsnXd3nvhLHP`L?TkGh=~0gIzW zFup&ms%&G6`#`^QcmMf?Kb=PA;h!{D^z3=#=Zs;wd#Ufz`Q|V0-QelLcm5KJY}0Ca zU94uTck!&Jf`j|%sSEh2Q#gL4H4~uPNGpwE_&%L%1k(cs(0Qt1ahJn`k}2}6lLjfp zh5JB}luEd$W@?EfJ?|U(4C#HkKPNdgi0v~{T= zGK>KW``$0zwt@;azG|NRp_75`b_@2JUV=RC^z#Avz&d`jXq{Y~d^gQ5i{Yj4r$wT+6-Hz};fcA;J?$eNbtH?NYkE^!S@-ZEx89n^WO`l4|W3hTr)m7FqzPq{Jekh=ymg~HQi6@ 
z6wO%S=e3c~2kS4V{;_V7OU=c*6xYe3${GNIL?7bsSGkGJQpL52J5!Q@43-B2Xx{HO zx~ff#4%gOD-4%23)%@pH!CCr>{8D%eTYbmY3p`n$AW zgELc&z!{XWYGF5O=usG8g&%l6QG-;}e~hqeY`RThSMK~rF=T0W)kbpoj2Sw;kKu~G zZ)pK0sUUnms)ZsrP4$yiRr2F88c@ai85!=|nIU6QGza!aB*>qG1RQ$DXi-Y&Yd9`` zrI*CAPDC0Q-{kFGlWp)c-=~2xVael%0)!Th}W~Pe)_TfOrMM-tOjnk(? zql?nJtU${_yOZivq;&J-Lya*GE^}nL_gTS=6rPzbWKgE{Deu=Njyh9`ud1kAWjX&> z+gm_YwY6=-bV-ObQUcNqN=iwGbSWX--MK(P8YHAkx&-O&k}m1)?(T1I^qixf=X;-b zeB=KeL)~*R<3W_e z{mWYtT7^Tq%Xolf4QR$oy3T9>PZw6X!2(B57W3 zq>ez}9XaXvdJLX;byCGEFZ75kJ^5|BTfx>Dfb4g7DaZOEnP+B7yQpuoYG?GHIHm#>0 z!MikvI@c{lSi-x{#MLV#2U-*&}PW!6f7?X5@VzssyYwd{DNv z0G8SAO(Yk@973_&ev7+{mbIA?9{4+>F{7C>$5K7K{6vW{{QN`=@gji_k(IL2uOn@2 zg&b6=&JwxKLa&;HvC@x3d6sEcDr9GN3@jHZqH|Sl&@8mvPG6dJ$M&4RiFn16PhpR# z9v7=a{%tug(3QT7y07{`Oi)bEBC-iR1+bX9@PDuU7OUaSVF;5^X7(Z&zDY{gDx{Vx zH8Z!yDlDI_X+5H|tb>D(zM(dUVHg|weHn|lQ5dr&(!a=RokhY3%dpJLaogfXiKjm< zB)HisD(bt$Vhxu5@Z8y>w&=*H%$0u|Qn=_m5Ov#&i7t(XX4G$r?@8)bil8tS0852x z^|e4k`BCF8WD)$&ng8(aK{JsU&pu?kGPFrG+}^Y9Cw3L4(E9R8C8|4=#6({ZF$~l@ zOc*)alkU!!HdlAuUVSJ|(|c!2NrHo-`ZYi_aJJ5zZ)Sr1!r%QHU*9YSV~VKt6`y6p zbM+pNosjU>S5Eplin^UFO#sJ6iCJD|YjXZ1GvpJJ>59z6 zv*tWxw!<^jXqIDY5(piFYi&={=KB0(ys1Wkl{?LT{B#(vz z+NpwZ1*XRl!uZKWpu%JFBUl1Qy_D47uS5Jbtu3edW6s{bZQgr!{V-f_h-1w65E{nelay?z z?n!b@`w4_#el%w4tLCYe%lt&4BP8w2e#H()uAzk{jO9b>5GlhlYS0T0!5L&^u++P4 zjAb=2t})8BJ^(M0{nqXojZLI0qgF4(O!b|~_aVtUp>ur{WP!}SAmls7rzd%G&QG6+ z_pAwA%#(|md_p(;em+nMsqKwJHx82tX?;@tZH?TTl-7L;slYba@~b6L&{8Dk?5A>> z!ik}!26oUz0$N$IS*vrKswZaGX;(Hy?hzWFBH4mMORs^muAC7{0{azY+-UJnN_kxa zW`y*wwX*|h6{~~Q8qG%6scTB&Yq%*`_|NHFdxFZ)1lW)(NC~xxUwM6iEas9a5NW}U zph(N3I1Rnpxt;0YQWN>?*8mT}TA)1`Mn1hy#*iWw=HLc(;_qjMZT#%105S?VvEkxx z@#Hn9Pyy%+@)i;-uTyk1zR0P=#B?W@ev5e_1K&CT@pIEof#sxmKOh z;>`NiY(Qd}CwHl_eKe!zp^*5y-Yu6kDOvaefn24y>NCY9RaxV4)y)P-QSG2-2E$?0 z2%`(PZrApDT(GL}pm$U2@bi}@?3bU>@kWG539zAo^d>YS;uKG_OH4ni0H3rJz3oVk33py@SM7+%YhM+kWT}*ky_+r+A?oHZi14i ziHAW?6^i3jo2*kchGWkN*x-D ze{s{DY^kJ8QtIcr6e6pwz#r(D-#481SyW 
zm$+nMo<~%5PoJ)}r5RZPqKiSPR&}q?d)wrU<>kn^rk~!wq*xvx`Y;0KulGRGn#uh& zpRO&Z;aGjMq$93#s+H$;@rny#wN~2Zd*)%;rl7l~do-Vp6XgHZE8dVfR*8T{sk5>E z_I<7|bp9GIhp7qshj?fT5{8$HDHfasxfLCInG{6r^x?o)R#fq?P?gn~frLiHTO}SP zl0*a!pH$W&XVX3!oT3@$_T4&P-Ly%st<2R8e=Qk8)*j~UB!sY$s^wKgQ;koeT6Zx+vUEHP8|Y5W98@WAOFo&i$92F=G^1bh?KJEp)JOwYBzKvKDJiY+ zF%XGxnjfpVdR6uzjSW|SzMhrVcJw`ikiyDv7D@icH(eoLKWBPkL4gdU(t?B%5E?@I zR?{XT*LEm3b+aojCt_MyeCVKkP;(t0&Yao7V#R*I0<9|BPZ0F#;QQ_G?(^8#4OUX$ z30pa!r~|)ySz|`#)9iDJa0W^WvC5~EHUfwe?{N#$QW~xGE9&@z$bP=pSz1@i6e7<^ zkUBShdboHXG1Yw#RR3nK8F~GZfb!FxAi5U`nKAW%_pJNcf4Omv;s5 zZSPzBpk(fm-i4}&A-&>mJ&pztgaj*lRlc>TdeJ--2StnwO8hR1?-MtMvxDdkL^~?0 z0h)mW>pRw$ds|d;Yb<%f_ON8off77#$d5bMXluIW?SklGNu#_#*E2Lauj}Kb>j$YO z3Ht$LxcZg(16*h<*iW@Ju|ADNL7{j5HM@yA6r_`^lWp_ReFJngElnw@7~A>8kC+@b zKIdlVM!;Gn2Dvmad3%ZU}grAQ+ znP46dY*^1^}auaaN(qS@0PQkj~c ziu9F@eq|VvJJ+i#7R8HtP?cza|GppZvb;<5AuiBaC(g6Hgy|^;`p)tgiTtxRr6S^o zCj%iwXxrMh`PP^yo^4#pqihrlABecv>fA*VBQ%?AZ{pv1DYj=m=aV-0GLJ{?XAdKf zoddmkiP_HanUBsXn@Wq!wDsOng-am z-$)4L4~tGkd{pcglIXA<``)2m?Q5KpN5`e)YU%F1@zB1H&}4m#o~HkrC1x7475h+C zsbW6?N&!L7I!QB_`nackB{KUZ27WZj?L#rObcX9EuPL57w#h1E;|`MK$hJ42MY1x` z;+v7?A;2E^{w0UE%K}ybt6*P>GRf-WIP*YIfT>H&SCfzd$H?>{w`=42dHWJ+*h?YWEy~n4<>{`NkNcd*9j)ao$@sr$xXF2_yBA>$Gp=vMa7Ygt@sK*s5X6N>HResDgzdj2Q-3*pvsfK zRk_*{A#KI^PSt&6Aj6un*gS^HOMti503Rf1w9TdnL-c2L7oyz_Sf2KHDXg|a?hj?1 zZu#kmq~O6{?=f8rNcP>KzSXF8N|5MtZK@ex=Fuy-{B{xxI)6wm^OhcirG7ZqNT`XD zsr&dr7Ue=q2Hs_=L6EE=E7er(oK3iqN~>hDjVMiNK~0(E!i3}aM5jB`#&^BfI7+H^ z74GIE{MDSgg+iu^FVIGx9#q5Ep?BBvBfg6v*$uVzev|-(0RvVCr5=*D>DifQ>s^A1 zcR#WOR5AM^a7_ihAPAaR**5xQ!?2Ufb3CLU2A#-NBOxGH!VDMFvr>IVfq(<`^9u_6 z;Rg)lSA>l|P6r&H+U~HiVRX4Lz`Ancp+!hgR(# z`I;Z2sA))7d=j?dh1DP!?!>~;!9)i?WP4(7h&#n+Wgce33mx=r`$ z`PioM2SN)CSUspf$L_#Hzz6M!n?b<@chBrn4>BipPeMSlfE9(%6LS7E%!KLgW94TA z1Tc4V1dA{KX=a4JxTvQT~UqAy8q-o*LQql77hI(F0)zNHJ9@7Z4aWv16tp6n;J#~ z$E=$tK!=os2CmNSF$LdBiSR9}f@4p;Hn&dI>Q?PCPBsro4Y0P;R|^%;%*r|odPn|h 
z>Q#sC2Yr$cD~L7Yhw}+t5&o;oHSWY*LMd;QL{@LsUNODCa+H!0b`~(R&QyNd92(-k8x8AnCQZDRTE|LKzjvGPjv?OhDk%3!4z}!7eF8uOS(LfstA&F zR<@^2R2*Nh%&O(E@p?V8HVU<1io5xg>v@w8B}2JSWq(Dg;DsvDa~~ugJ8L$^h)a?l zbTKtO)R;6j9q)N2(WjD?-x-+%Hn^y()&VW}+<k&rv8zanoOdgEVTM9uwyO! zGQ?1lxq5sJ%kiunYOq0?{JP{rF=_-qp>_>v32DSl?+44B;q4GhC*EnaAj`X%?GkoJ zKDS*2#hB-HbqQVAE~k={F@pT@OXDP`Tz%<7?$R6K`{E*0?JoNw9vE~ufF^y^v>8xt z*D(-FUx(wU|G{@fAi@#ZM13ziUi~w~1Ma>&sbYliNetvFcxYAR`b{kFdK;jEj3Aeq zdb4`qW_E{!efud5c!5foi;5%IwpaN^B{cQQBdEQ$ zi@%5VWAQhF7?o6evpygk=_!`d9-a>Le(L}?Yh8z^ijo%=?ZlBXng;a=iZs)To0Gw9S0Msxkm^5@Oi-E zc-ahOm*Mv9WW+TNhf~^Ei93@6%!N`fi;7zH1mea3H?trRtfblPJVVg7c79Rrp<%Fn z(jP@cj=oD@CTC*f5%_)Ws`IPh{$W`Oe^hqbg@>L7w25=B=|iUO8{-h!F$D+%ul&A} zJh|LU&7$VC+`zr(S)uDQ+IPo(yJy4$tKKl3M0d6C(BC)~oUCfBG1YhUa`fZ0egmxq zdwjw^={Y3=22UPs_zEicQe_~gF}1}2II4QYub(~h3;TK50B#&Uye5g-i9Vx-$`$j4 zRM+IzLj4S&?h%aG`54Ztk6B*xZ7S%?anOcYf1F^BOEu^|RB7(C;DJ}cKl0on{}0n3>AXi_irw@*`TpCDRc3YYJC zTGqkWL9Cyv7HfEnZ-+k9LEyFkc3u*A_(GX5++&=X1Q z15=Ed`lMSnirg559&3pMy;1&o=gi|u+G_2gM-*T3)02)*1wZ97x?T)T`F0vc%!c^N zI08CP$)s7=|aBPp|Rs61Paf~rl zcRx3Td27Yqo%BTRB*T_KIz{Ntn&r^gdufs*fv*(8amZgbeq8j?v({m**%b*zpS6Ru zXo4E4b?`Cz?Ak#4d)khsGTKeNXYE`O5P%_^+4c$s-ZbN_uHx%!2P{Y^?xu7f3ISV% z%6IC*>FB8(8fkP-5p&}S{WV36-_pO`MKQ}ocsPxCuTsE%vm;m~nr4tn3h0{q^16W^ z#40lNaDBq@9;iXLrC&BpJRHm_+3?MA-wC*Qd^4LRW93+Pgq3j*e2mS^ifpsx z!alrQb*2GId}kKaeKQ5izpxWmMCZE))woLP<4M}Nvv!XUy=hd^vwdo$v**fUUv#8! 
zbWoG&Iql#ZpyEW_OPqYswB6F7(Ugtc0p`Ar!l(4Rwf(?gu zw4lVAKReh|wbsLn!3BD62aCg><#afSAK|M4LyDc)P<+ymJH5--?@z`Dd?cd%vw|%R zP|qF_XD##>3OB5Ja*vf=QT1fbP6qLQf2>hEu(hv~ZVRH2Yr~F(MG5tSsNZe%P#=2lApwG+IQzfgLB&t*CSR1N#2;I!*;QZpX;b z^CYM{q*a>&F~%&BC7KXk_plF|Z{qPGo)ohgZ*m3CHfG{O$Q8dG>XO*Zfn-d{zbuX} zgma5=d;V0GD8^)kaBf&K8y+H( zcLZS-HQQ0{^&3wA%@-#x(Mf~)o{r@8F1cQAD)Qd;8y_`>WPz@39xvZO3{uW%(8mkV zK=;ZPB66J+1>LD63S-NulHQ3byH^DvcyZ-c(i_-Y-uKdNQW2SOH}=a?&r}{RZZq>H z*Zx(lMHLy_lkO@2b-AytBNsPIhyNpKOz8kQ(-#U7=cplECG?PoC^|uhCtSk%Sa1Sy z?bE{$ipYKnFcDEq#`;fB6oYV-<=iK_RhW6Dc;f@CdDNZo`D*K~Hdph;9CZiA^HG}f zb2ew6NU(k%hfx>InebyUH%%gj&q?1xj%45<=^VN=M}H&=&@AhJ<@57CUABoY+Vv!2 zM!(=VYg98xgIr4K^P?2UKg)&UI@GMifV3WLie1=*6?J)0t*sy1K^7+eec#;eP%V#= zCs(fCGEa^qh{!gvb!*J_Y=*n*x=~^xw^Hv+k%-4$InKGY$w!x;6~SWF#F)4O=MB+i zW%-eM4K+k6(CYLpiJ4PLVZOC-x(~~kC1U<7XEDR8pc!N)qREA|H@&&iXzw}b;$W&> z#3Mz-qf-1NQH1iSgoMKssrspOF-672Xlsbz!c^b>Bsro}LERk2BNc0pGGVRFOQ&KS&&#Q7LPX z3dRg~nMswcf;wL_P}$)ln0iZcp+j*~xr)P4mK`m#nUAw)*fz_1@P%p$)vgzc^CO&0 zIRRt*3tYHwTDq?CL8H;Z5tAl*WHK>RWGIArj~UOlMG2yeiL{7do=1nssCW4r$D$*BspQHBKD;ieKVP|i{2>I_0cVL26F1Ko&UGibJCtlWf z&y5i6_u|caTAsK}*wOgeq={Q?%9m+IZ#_KN(Xg3&-Xlvy`7~EGwwNh&)cCDA^T6Zr z?>Qs`C{nN0#9t(C`q(RIoi?asaZ#?NDG&nhsk$5Tc-)3#uj5W9t_9SL7_T~VY(9p> z5h}(`$?V3hz4VoAG6dI?%&fkEgc_q^xA`=>V)gn&W_;seYMfCf%%h8d=opyJwBQn-S*vz``m@$h{ z2QNX>^9`2~vrP<`vO#jcJ(Aw@(GEz7;slbou!KSlxm1#Z@C3MNs$is=OBikQzp!z6 z{H{EQ@oFxQH!B|32 zs~4EdK@?9dc+4Kk7Evep;exIJW*WUtauZo5t^O#ZS7shfAFj?mjd3A@{LoolA@jo( zk&mLVr~Zs`!zZ2Zk(Z_ILT|6XEUg*R6jdKtIUuYzG&~6PEv!K27Xk>;J~uaru1vr0 zXjgc<(WnkG!|(*$bWN{M(x}M085X8-mb7mql_2jKJz77&Hg3uwdC3__o$4$o7w7Y2 zu|NVn?Bj}nh0hT;j$|ha1U#ItlMg?0&6ezp z%5b$zwhkm2oDI(c3UJk!4sI+wIXxSq4n9II zY6{~xtq^li4|MnsqKgb6W=CD_b(qsG`Kokf@QiaYX|^*;3RN!Q}oyYgs;RsRGO zT5S77;1J?YZ9LXCKyyt|-c;f8!d!x& z{gphqQBJo#ffAiQ!jVdVky=!?U$|5w4<`6Jcc??pUN7mVsJfJ1>7PD*S6K8I7k9#> z8{CujuPIXHiLBIpn8unOCI@XguGw6GbOI~kR}oh&-gD#CNq#=zXkXkYK#5|n|5cN6 z1&~9DJ3BFbd)cQas2I)HK#~bH?{8-=sv@l+8#I1yG^0$S0_$bZZcc?@*75S)h-q)= 
ztIrm1V&?-(6X?%p=VT0#sr%uWPa{tI&PF%vN%yv%qG_qVoZ1%+mr7dSB7>hJS|{O& zpyVmI*odp1qsA8@*jf~ykK?yk3$T-RDFmiv*i*d?8WezBu2-$4%qA*(Dm=jWM|ECF zDyu%>F9V_@=h^nf8>b&IU)$9{H&b^w7a6GefL=~}n4#}y6Q>>d36`N5$(J0;jvILa z<|k(CYKXlthrH`(zW}ZxEEw!|)~d>i+Hxr=`A9-7 zq=I;~2s%$QgH}L?lK}@=EadmOp6O5T>6v*QKKGsI!l&!m)|AIwEiaKT^FNA;w(yy% zGg;*3iLfUIuuvzN$yJ_y%&>H-Sjd^sxwzb8jn6ip_RdsMINQE+%c+Wepv$bd#L!Pf z{RKntEnY)boksdJ%QHSK4CUV7?+g;#xaRiuT80Pqbp?pzfU3$Ba9Vv^@ZFS!9zcIV zfKzG4=S}4Kde2UJEkBoo)O%R>JGSIpW{DjBzV?Jyz?MXCrlAO5&5^NT8p&?IlkyEt zh^tSKE-eQWa`@7%Scel`gy)JUn9kz_{a>>a#Wjj5JhiUeP?R(~Tj{@imnPJGF@|oV zo!QtWSA7j^WXoE^T?flAFp;2&fjCa}sW^)W?$|60<&#BxN^B!o<^Wdp0Xj_S#BD4> zT)0+9amkp{;&2z5X|#v%q0Mm@bvah->wdmSj%bgBA1NqiK%KG>3I%B2)Me#5T_B7~##eO5S(nW!kDNP8xMv2g^Ml;#=ZGsv<&U7oIq4ve? zSIA*@=SNoJq}hT0q{~@KiC>11<0JQc?EEDo?qYkLTzhtyc!~uW!)!U-lnne>Q^gqE zQ#m+EGnQLtO%K^gz)P}7gbHc3PI+%wPka>XfFYh#1WHU%W88uVNZt)^{T_cT_5Lyc zXS*h`*rz&PzM_ZOQ)hqZmT3 z9gK$o8ePeWJeNP_QY%kT3RF0D9LyK$2a@t%FaiV#ME#<)Lk{1;iXEen3n*K28i>j^ zF}*_)d)*ACC5$5v1e$Yz^<99g4X@5Dvmf0?G4v<5tmik|C~uAkyHQI{Zkd296O|Xc z>@^X|oO@{c#_E>hz8?eKc$?&uFuK#dnYskq&>psSUal)_R?)bO5%rl08Np+S^d?Me z_lJMYa>L5F<`s}CM!QPgS86gj$)m9Hs40b*p?R!KnSGo)l>gRNy%)Y1iGfuBfoeoa z=LY7}gS-wVWIlFhwl$9Fc?+_N${(Y@Wzb@6Ds`Dktv2owh#0hox&VnyV|TtFoa+X> zrM4HG#9#JsVFtDf+f;JVWDMpGaXe>t2SVdl5!T)63UX=NM_m>(ovzgn*zCRv*Y6)> zibZvzdI@0x!66AvVkAVCZ7*NRyo31R-{n$lbHTU~!K+m*9UQYtO?>t^=3^&At$S({xQj^%p>(Hepx<}&nbzV`t$J0W z%o8hZQ;!UhO28_i49fL%_0G}JvDchT1;3*qU=fhc2!Bu@?8)dE5&Om3vBsFrXSY`` zBDXG$yekcb-sCA)#PTpBKN9^{`&*r@HU;WAa@{+UCOSu>F+6w{02VkdG+C>Gfap{I|vgU>-IVj6<3th%xZp!=3E~yyyokxMCrlfu#Ux*HBc`xB3-* zCe%IkW`C*-!2`R{EBeQ~$sdca!_ua1n{jT^wsj+nLUt883plUVd~by^b_twI$9h}a z{4O3O&z#HPvd8TLa(3%|HCJmrz!!QMUKPFC?bZdECX8LkZ<_iSh|`m5qJ?}H8IAzC zMMHpPc&p8`^U~?WAbV2p(vCCnI$Ae{#=ONer3hXtMACLFsrs|WJWGQ&}mzoF> zZ_>Xf)1H*(WG`-d-()0AvOnDW>hbl`Dy9GfO}-1w+|?~}lUU2hvHwtRn-SiIFN4N1u({hh_RCCo~?e*^E7)&jbK=UB^LfpI(HhJTh z1p8x}GyP6}h0A(0_;>W%%%oOO~{=yFW0*x;ViB=Yt4 znTPhv8|80 
z8u5G{4YF*7X^GDdYP`AKQA1n#5}+9i@T_=ddks1Jj%J?FXx?7^@|tZq{h6 zS;<%`gRSO{ij!Q}>5tat+-SWZ#*@L~yAG48`r!77da?3TNk~1=bsaj)7@fC6D7h2b z=ymgq(tB>ky_Apg+QNHd)z12~)KoMHI|O7>*6ZC&N94&G0r)gyW_--FqlLE|vDiyT z+o^SUioAvUrB?Tl>!URuZZ5HOeto`>D9Kq!;Dqje$amJC{N?WYC9d+i#mIJ48cnwq z<@IjPq4re?aGN4?Hvew5WwbZfZ&Y^T#$8jY8W_70ad31wVvhz)7qzZ9rW;OuIWs$^ zURqVO_T2KhTfLJ~lcQi*u;44VEhY{b^wZ^Rj*&S$h+i`zws7w{xKdg*SW@oe;&Os` zq49-p=EKwTDY@8+j^T<4tD5w}{p-rp4;M2B8oU+_fRluitHS1rfphsp(#t5E?)a5c zxX-g%bM-IouKTTIHb!h%jc(oMT^DFDCAqAQzHf&xJ)EBT%x7dtNElRX%uCfT()QM- z`dh%#QORka+(l!rLP;1w1P(QqRhD#bU;RqX1UU8@-RFfsTHkXW8z@u6fG@(P(SO&$1=G}Q}sD@sH5%nQJ8waVZUIvQ=e0F z*6IFD+C*LtUI#du^55Sbn(VKfZpjdwe^Ub1%Pp?32S>{cJ1f?@w?;0BcaTflMph4x zbWV;^XQECvyKiHy_ba;Nd!yS-_MHb4N($oYKK6_9_!1ZsAy~qi@MdQPy0LLI#9+Q3 ztQ6PEGVHebs=;2Y@tlQ^uzQUx>1D`0_%Eo;QJqie`=9WE$Z;*r8>tgb-8jSq7@ip` zXt5fPMhkUheHWkR>=@&pbTfFx#ip(40^0cOf2DOt)otsJ;Sy#Q>Hevz9*o)~`^dUv z(s-Hnvx+vp7{;q{^~pOU%g8&6ncBwrwUge>>$Ps%ix2Mktr2jR418LJ4yN|rowZ}^ zTh9?oD?XH)-n^I|%|cn<&({Rfok@CNyNB~Nq8tZi<2i9xmTY7()i}o)ZpR94*kfNU zFERCR3fo9&rmu4(JkMjliZVPQnyrdlvT9yhU+Vszg{(dICDW=FbS7KMbKh*`##!OO z1ktx4-Dzmvg(EGE^2om3GCfx0>eb`OvcaIaK)saiWkRL&eDCfD6 z+9P6^Ch**1?*cap=e@9lH4hb~;c&@dTk%Drr&wt+KPF5#(|jV)A|^t z8}ElR6%Em0AZ;y@C#c1a__Gn#h;Kz+GM&Y3^|X2+w&6_&0eb_+)YFSe^G)8KnKnU3 zVVkoB*QPjJQ9v!J{=E5Y@YD8ga`^Zs7a(skba~M7?y$udI`o^<$FBu@y}^q9-i@!c< zL?0*7f9Nd}_u%Cs3MwvHEncq0MSB&DD3Bkjs8K_Mlcl6`m(i=JWXFaP z%Xo}+V~k$*ys6#V()T+^Sqmx}Jcf%&0Pm4&Y~9%&wvl=NQQpbobyPhD&{f5{ro;*Y zQuh2xn;Iv6a@6}J>(N=;no3;EUieH-uUG98ZHF8+91(j}z0M=ZKN3%(ah}1l?-*SS z!Cq3!m|ME9RS4HHX{eO3Jp5f*jatH&sF}~#9d~h#cN2ZCJH%>eJ&$K=fCWWfoBc^t z->u_FvW~p`1J5_yTVio5-*0F)*x%!DuKRhg_Dv~uOg`)A1O1HyT|O^RvpN2@W?S_N zVRcZA;m%;66dpWv#k?^{r?>eyY&UTx6(G)vN72o;CAQ7duOb`=@3Q}nQtDZR?jfnL zyF|Qo+%Q4Q&q~03EsTCnp*Z;P%hnRO``odqFqz+!kcnDnC@&S)$)uL4CaRO{go-xA z^YJ@nlFxfEqsk=@87wTb3D3WX&>52Y(8AVNM*Ddq#Zo09t)Q)a3(!1M zKKb0>*}Z))BOOX!znY6__*JHJS2GZS=Ez)2vxWcA?uvpdi;-lOm71bgFNSV7pR7oR zCo_}{jr_!4bOkJvaf3`+soVuRiWyit;HP@>$s#-+-k@s7h&cvew#}9?CgUf=7jgPc 
zCL_3e6A*>+|E#lwP6jIcY9$^hVZrv!C+?~o<*d*7Z=oAcW^WP1;`ri$F^qYbIqkTb^_-S9@J|O;s zfqygJzYKH3D?QXsM)9lh(s`wwcv91@wUfb*6I==)9ae;MZ@ z!x3iktb6`Mxf01|JW!wrvVJt7055Ih!k!m1t%Sk;47Xe;@!t7`_aW&9`}>gh!PYDG zm^bDSRQM5WN?xEJ;WkB*-XJRcz(4CyJ3=PFBl6D(Ie0t|nO3|Y(&O$!(I6cKM#`B4 z;wMyc`Q=$Tc4Rnr$VQ~Vtoe+L{=W2!2BMcB0j$zR@5u?zILxCfjOf?a6*8O^|Fi~| z0J2}2`yNsI+WtMb54iNJdN8~zFd;vI6;yg(`r9};cnOVJ35{X*#+kGf35#lc@M``i zT`9soiUU&~8}v_Z#WO~%orehlwFba+uS5cF&K(}tgh=pH^QZgoFgSiOofQ-#6;m?P z-OcSCO_cwav+n6Qc!@-a4gDN1pEfLK_si4l zMYY1k1j~PdQYqnR=i}n~Uv$@Yq}j&V`fF?7@h853>QBB22z9|)OAq*a?3~2}Mc)L) zzsBa>RZ3W*`iBq#YzcNins>;N-)qjhp_IT%`Rk8Y32at{euQ1F6C+4)+h2z^?0aJP z3Oq6Zn(_pkv8;Xke`@U${lNQY*e%xe#9FTk{o=H~1iT-j|B(E*vE|!1?|b`^ zqG)Ej!FB(kaICeSi7-WLkT_tXyB7`kLpIi>9{(Q{uXv!j+QadO)q+?lf6m_8Tw}p? zfA!bBqCZF$YfrxqRQETBfIGV{`=<{!5+XndkwZs7r{wErGK>q*1qF}Xuj13+d0C54xCE)IUQTtD@fKk3G zbWc_PNi@#i9Mbm-7{Cr$1-bVhhk)w->JZ>w(SL9XuKXJoK)wBd!VM@wVr^T0>HObF z6aBNbC|CeeaCQK@li*Jzkp%$1Sq=Sn;d(e1e>Ka$n}b~VkH7zH{0G$jlx@uqj3wYN zhyJD+Sn80!;BpVt|J?e&HwIzNn$b4oSBGYEfR-w<)<1X$xR3srKcKn|q85-T?x_V7 zM7n4n)k2l^6%!q0ph;(FO3a)~Aa1rLAb(C!3au2K(g6({Q}nCH3KKHtlyCS|Iirtv0x~48thJh{U6ar_h&Bp zos`x71S9NkRx@n+1B}=|BnQCrCQyj~IyM*&;O_p3GH~VJSowFb{Y$iWzXG{r{uela zjrQOdC<6L@pvu4HNpNrfq$+UbADccuG8MSD`w#?Sty^=I?pLt<#%y3>Gwl3BYX@+g zQHF!J%D`DNoE7+EZ0g@aRPxWkmw%0t-^K<5HT*ZVL3Mx2(7*HAPtgDh(54`0WecK* zsNb;k^cOJPJLET%M>#r+Q=Px`*UZF8?|P)Q`gyxf%EK)gb@DDsOC)?<|3h6g-eNaT z_&mNlPe!!juHvd`F>#{Trv7{>dgRdPD0FMZ(J~5Xs8^eveSWvv zJ9yH&a=B`A6uLLd*2{Z$)z)#eH(RP-Yoxi=ZE|p93EaFqh#y%!Yq%)AxG4mvfHU8U z#OsBfT|hWOvlfAo*Bb{o5^>w9SiB{i+_A2iYYQ{K1g=EdR$#qxfgcTZF=;{$x9|8-YY1kjg?TX!zZrFga*C(qaD|k9Jz6K`<-KN zbo=lNZR(z_Rvsu7RNS(jkTG4x5qn7Svs(1G9?>=`TNKwGT;{0N#1vIsQ#EFj`EF;qh^|Ao zdPnuqy?5*mu6E_OHf0mfbdoPA%N9;^9DA|1;!nyn@7zW#j!zkRH8p^V1U3y-H{kV$ z1~zu~t@v9l2Iahy{ymkzyatO5YcwL|&xviRbw;YxObRD~9N>6c4q_oK0$l=ibbG+9Y#7)%HV2n2{6URu=> zMjuufnEOu#{%ElGpCX(?R(?Fv3GIda@rX5S{l_EX@K-+{Sx0aof*XEppLa!!D2;gj zqvmb|KID1?Vk9XE_=h;KXBC+t5D>UBFc7$)QUChm>6M2N5f+IR@ir3uzG7Y-ZapLn 
z1jHL;Q02dBf&TaO@{I;nr1;T!O(g#7`gjNkCo@J{J7+U}TLvd{Gg(PUC`{;obgB^D z3TOm1#fE}_c<^gikb@}@5L!0+X10tB;D7&Y7{T}nAFBFugybi}AH$h}%7JMS0$~Jn if7Z=dc&thc2?6mIBs0cugE*!~419VD*O38!`hNhk*Of~E delta 32748 zcmY&)Dui_gMN4Sza0n`V#~M#0LmdAs5wXaMNm`aV}2rdTu*7Xi9tJ)G!QTh|Ivp${# z(fb>9ak)75`E+A?ILN2pd|Qxdlc)Olvkx1vG_%iO@nH&SVE?eAjHr;`3myJe2 z1Rh?N7ci@rsDSBFrh!36=E7Cw$3sydSTa|Pp>4;Xe}yN`t@7KL?4lIlJ?rf@xca2( znlMeCE7f7SAA%v>pax{9)!rk><1AV)zXpj3L)lImT8Pu+I;-}uW_|A7;W@1)^v8YN zdg5)o$r_E+eunt}WmbCw33`w6S8BW8Z@L6MARxlVp<=TVu>ocV7c0x-cFovjt_1og z)lZ(A4odvL2Oo{h-6)So%HsGxODn3cKKHtEccxm((B$*QOj+MnzCy(O`e4Th`He=q zBE)OoDL(<)2cr45uTKZz^~JUI(ebsq1UVMqE8~0wJsoUqoZs1~sy=QSfTK=yt%ypI zBodZaMV$Tsr+|Rg36Zn1%ABB^nyzaEx;DRI>1gK5*80&nW~)>+ed+C@2slx2HB?Ru z*(wwHXtrSU&&$CE$+D-bVtHfc>m}8#+@)`(DvujiU$086 z?gd}kwfL1%pUqp7k4tuRU#^!P8~x8*z&3|xPgcsFz?$=md(CUpvqz(5Jgb+Zm-|>I zWgs1>a!%Q{Xz0Q2b;X+KG}LmmHI*w}a6Qyrhm$BoZ>VuuS1i^>dJ+*Nz8bXuweR&_ zNn6$80jGF!nlKeYKgm`kIjbR86SvmFn71SCb<_~lv0^1n;R7F z{q%LWHCjfvRi;Z}12UcEpm`f|Bpv_ityZd~^Cga_1|-mW08yJA)SeQjA-d4A=!A_= zWRwxQ-m)l{DXA+)tL$O_E=Nv7c+t8zJ`MojHG;x}k6?AMsW?QE>%z%>#g7Zgtd=EV z70sWDj|NPJ4qmycGCrvCC;3uMJL*vAVT%U$YBgO>I>3%o+VtK1DmC7oK0qcMcMvt% zhB`#foM29mMk(fX>7t{Q5YRhiHJ(#s#k-fXM^O!*EJj+CaT<8jlJoL-toAdWUK-H0 zKYNi7*SpzJi>m833aYmej|bY8KET=n3$`x3c>GWOM}WXd$soAD*$ur;l1GV^kX6Z^X0=eV?0cH8S*UD#bfF;2vmI2YYkQlY+1KD z0&2mxqP&d(yhQ@at+N{l7sEtIAU?yuLjH?Z-tKf8qB}e9OMJy{KC9+M4XXsr%|aWw z*Xu-rOatqaAl(iNuY>o0fI{cip2d z5XZ}gO}Yg9w?B!;uQ(1u)T0sM}+Fw^Ym5zl_@AC6@|Z%^+P(* z5Yb&H3VLI+N(>uOvk)so@Op$CKeF|{_~^Rrb@#T7VEr?~5wqjR!sm#2FNp}NWtD{& z4y%?e30wDYOq*7KszX9u!m6#sJK&=E9KXMOPkY6JzcS-Ye*TWR(@NBv_H^9&yTnT1 z_&grXY#+hlUL9o5kat^vhXE)?QBzFU-ujPD5kJF+}yuWm`Sq*%g$wrL)x;?z=M-zb#lX4Lyo@0|GEEgaEXZ9zK8&es^%Z>w@nvt#ne21J6}Xv9H&dh&<9q>$OOc7LAMP zaO-8Lj@VDdzz7{y@geAA_DlVN$v+Zj#sS0+Pn=}9M0Ziu<%6tywP|Tjy?j+xW(s3f zR?fE`=R*gdms2V8ENmnL^f#4H%K1|p*CIbQb_6mxh_1ULs;&|rW5qgQ%Mlt@tDr`{MNwhCp2ft`>KiJ)=hu2xP5H^B#A0$j2c94 z^ITO#ZoLdCQDD?!AVKatTLKeFa^SUU`u;C-GT1aoV_#~x%qDsV3CY7rc 
zd31tRWpbkeYTHfa+fPMhiT%)$+(Uyv^-WuaE;kCsD86b1Opt&nrVwCzD5fC$K#B4| z={G`BlZCpakJFWn3e9kLm7%Qs9Sq8+DN<)C zi)|4LzbI}|%uhL*xxa^SVb-(QS-=N*>?}`BNTPv4;;|);hwY?mjalfUhumEzyYF~u zWaA4h1yKT>3gH0DC)uj`QTs!XVncO0Rs8GmnN4v$kn>zl`upbP+ToTNB5odG^Gj>x z7DKDZtH4}8*|m=jaA+Hr?zYl4;rMXk+%L8wo9++CFY*2tOFI4Z!E+YTwg!}GK)6ls z2iC9>1@UCPnOU)GIAP&1z+<)US|)*P-YwW#nBFOvP4OzMoTOZ^oCf)Oa#B1cC=pO$ zC-*SY5l*^3uvkKC9&b@xb#ad#Nz>|bnd28PJwU}(*m{a&${BzTW63Fcqnmq5{Y6xb z2~-XFznY;hQjBZP45TZwi-b|$sHrP)F+B<_PINKbQKm2x5-}A*V+kDa5q3bpRac+b z$E(XK5J<1f>chLtosnagW}UMJ@N2EzqUPlgkOd;$*PYvm>e35{k5w%kX)|%r@2(iH zB2K>Y;V=!CnJ7B!xYR4}YQt^HX0{KML#e-%%D*2uq0lHLno-g98s8hYM_&p2EPc!o zi!+BKE|BQ7Y+q0f?}@9LiEc38Dsn5*GwG zF6WeD*6Rdkdq;Ah%5#-&UartJY|00jO8WwyU7LbP)Yd)E!|8^bo~&0fMM z6+If|TqaWJZL$K%usNryanCUgQ~?dJ|FJ8-N*dKI9yveGqr=nXnL>d<_1q9u|NAv9;Q|H+wtaOl*c} z)NT0;^HC=Dtfk`ArO^r{ZAHyx{{p^m#%^D{JDn4 z?;unwMX>RmQ3%^lJG~{S_!g7&OiOapcVL8l;*MN8 zAXwNE)6aFx?!~8yMUsGUqCW>Y)uA}5A2#}bq|>TI%aHkq6m$O;KOB57w;o74vRON* zrrWZwebV4|)Ml2t=YDP-g0Hh}h=)5pf%4@WJow~gLi5L|IjHamP-AGZfgcRq?f>DY z-3tAT>g0GxdbzF{)Mih@h)T*j{~IxG1&tEENToNn83ImAXpKOG=$Z6z+$A zM_6PZ4Y#EK{_Y366*IECnc7ZPMk&jVfGb(DLAWwu(rGZ zxq2V?YMEl0=_J-mD8Pp=T|xbQftQ=bPsVSCF*r+rad?FODt~;46k`W0)K$~;Ct#93 zbVOZT4BJ2N@0Or{u9Q+k0mKItxTTe9S`f6bEQ*()A;?Q+;ApL{p*hoWQoP=ZW~Crx zy(9}wKX>}sgq#gen%bGs@W4E0qaSe696ltBRfs)XGhS>@pyEB<7Z)68$FpWxZjKLN z4%5V}97({LSD>F?H>=aZPo^}t@NGBlCCC@D%YY1kCJ!wf7RYLahJ<^wn{>G^htg8? 
znH)xxi24n?;!Q;yi`Ml5q_1sECPRXbwFC!sX?i5&PIZDWKs>ks(UDz#=fbmr7-mEFRM_%&s!w6S#Yf7{;pztvhS^%8L;$^N7z z*~P$S9?5DI^kQb*UJlII-RZ6u(J5Kg>)Orc`A$1e67BAt%zlLlRyOWiH#w?hn>M}&Uh4p64EgxKzC zci*4%wM5cUIzx5!Zw>9q?a;&Uf2Gt}^T1<_X;;ZN(C#w;jIjQ!+?*J+6Kb{d$nJ^> zppb?lEWwmIgjH zwLHRyVlx+{dcS>IX(N}KaXY(lrhHSp+RdlDqS1JJf=e?XRFfp&PUZ-Q{P7K1wcEtu zOy3{rmTQlJ3tPs7JxfIbf%)1|WI18OxP&X-LOe3k4nGNx*$TB2S|dE8^LY?bfn!G4 zBQZTZDeL%`(2sFNpRa`zOuUHauJom|FO&8j)D?PN$A~1RB!x9T{TI!XmzyeNc#GLp zM6<;z9f#*-mjgJ1d$>{q%>O%#D_jKHG4KZTo{UDGOMNF=T(ic6&0;buOmb48H#guA zX%-(SlpIedOPUB1uUW-*!`g6twPO2Z6pcwuLw9?>B3gIfTLSM zMHK7-DJHtHO+JGVmbZ4go5_S21I|$TWcWH=oG&?M&`NHb_&M$=Bj zQ9CBFZgB){ap(0}qI!7p1e2yO z-BX&oBf8Y_Yk1m>Q8-WRHex8g#`D%A~-GmrU#=SV=Cyvl0650!cAek*`9A6 zt;+^N^I4q3dfe9974Uu@qcoInfbWJEW$HIE%M~IUlMtkRE!_`md>0=d+$x9WZ)z&N zMq2MTw_#)6?+W2!|Ff>s_Hxr78Q!%&D{eUyNsrqbga3dT&z}F^@+`Owcw#^>Fg|N% z>^$>%Q)+@l*N!m89mZ{beJm!}P*v7r$4ylPxE&&N)>P0O?0940`bTY(R6AY6NQ}oe z9uLD;R7Moql2yHWEsPbjvjYtYNwPPm%sMfULpm7hfm8KB7fHPNJP~qCkjt z5JM7LT9_!{Wr;6L@-K%dmMB4G&Ajh^4_D**E8+6WFkO z{!}pb-M3io!1&=>y>SmYLt6;vn$vN2Gs}@IvE{(9$njkuP5Vrt((VPh;y06;@U;Q& z5#~^n(KUS?AMW?9Jm4|G7Hi9pYXI*1<)QC@^r7w_M#SZik0MiE!Y#Oey=Mhwk+~iY zy?TN;%oZW%)(tCMaw?r~p1@~vfFx4rl2{w*->GXeJ213IInN8n>M{#<`xoRCHM>~8 z>4GXLC|X+yR_L5I#YR7WXDmW#Hpb*Mc=mZn{FBmIA^Th#NyPi?<2AyuSiBnQEI?i% zWVnkLWTB4V1Cz;>5GO=3MntQ2Xd=B^=#`A6j*kU-zj+_k^!^Ppz+2h`a#87Fe>DoW zDA<)~cL`{4+iC9KnIE?~vti$L+3#`l`{C{s-eG)L>`=EcXbYJ{P1y6rgfBijY&-v` zwPr^DgbS(TM@7S=cdqly;ezCv`2;m4mk?t})sXKwh~OSODTlyDo@4cccT>IhAzdPY z_B~&bYET>K5IbiWDEkBslw>X4m6%;C)A4bGeG}(+!5Un_>fXueJeY&_R<+f7&8dDh zh}c9CZkRTv4J@nx&AVxl7w!LzD`$g0|LZ$cM{LUBeGev)~EGA$Dev z<-4J%jVfzR6ddedni8K2f!hPop^wcxQIlDiN^1xnIRYbJ)UQ`c8nWd-%&swSeU>xa z|L#QLJA#m#MGMJfZdAJVC$~c>b8e2;Tx-ySueL%g6Mxi2JE~$=*QesI?&%kQ5H&5j z4n=a5mI+`igIgZtwJ!qY4LdJO1HYvmD>BX=)?;xhqF6L&*$C=Bdpthu7A~uz#F^e` zwxej50Di}udc(wz(xm$lC0U!aER6bM6l@=S`Se{0cj$DDt&}6NGNC z{-(LhEVMU?uQkVvidVUo$dWd;h|&epxT`_ zf{??W^maW8Khi<%$;8WDTQ%_+=k)nz&i;@b#oXlHhjSGeINEcTbOS2p1CON;49tKt 
zFk@%NTj2eWXd-u5yu^c{^kJ)qP_yf#T9#tEY-Z3+m8gc=b08;f;GE8V{dW#xv$_*O zHaMCR86m-+ntJC#XdgyB$v;}L$56Q#MLq7Hw{|oA(VKIvn;>Rp?xke(TRou)u zG!~nU6G}_X)$_UpJMAe(bxDA_9!KGsW;~$=99KT#PzG_~*nW zI8?NB*FD77P4yHp-fMqZh(k=YME>fLY@wT4Nl$)wWTmDnhA1P-WR6dj!m8j?T47!B z{7Z5vora8-mD#`u(sO{Q0h`sm)EVxD>CNW}rV6ekm6fds%&EujFt``>6kN`_!R!oM9WcQft4PoV%{!Q48Lp zF?gKk)*b`Vt!LD^gVCvUm!VaclCzbh5u22C{WpEY<%l%?xREeb6eE+b8Xc3OivJTN zb%^i)bc`{!T`0-FdI+m!Fa1rpN3#tufw+u+c>CRWflnu6kIk4%{(+@l?<(yjCO+#@ zi*#UayxTMZ|B`xYcTEAvc$Cxfn;{(=( zf;Q}z`$A`dygcDI$3b2E{WczsLJV`;x{oCg@0kT@n2B1SBu^68Q&P%*0G|{AelolR zgJPC*s;omO*Tz0&QyS;F(%~eR;^;+(^WpP7u_ARy<|1!B#>s7gV_<;P`&32zW1a;Q zy!SnhZEVHUMHyKBQ*rKYAR}Puatewz(s#emS)t<6-vV~#xp*X@ZCx}|HGcY*cWa-@ zc0mb_ceG|Oe5xtbA~Ti&t%jL?#BY&8$HyP8l?zO-p2WEOalGl}2h9u#t)uqJEWj~# z#@HJ28dm8ygxD$|`Rq3^!YMD9FTjNUkVID`9GUOBJO3_OO3hW6Fcxs|jCz3kXLhXu zw1hQAViDVVy``NWx^bZQQU z4;A4?*09=ecGS<*-B@QxqT7;|axGV(6kg{!U+EimENQvZP$GDsjTDH6Q8l{_0`KNE zpGm1gniXMI#xDZOT0UOzZ}%84$b116o{%gzzB1YN>=Y`4lN}KD6tyjw+qWPk95F4O z9Y+G{*C%T9%73G1RuZbfE(v}yrxi8s@Lu|yAHB%J@Ey}nIxs&T&rWW`B$=pyaAN6- zq#olRSzV!cW7M-VW%k^S-ox5w>W&F6XyYx<2hRZIICD0ps{t^b943;V6$$cmti-kY z6ALGhEo26trtKqRDEuHP1=rVJr~bXIt@p>@p;+6L#(28@C>?!?vhr)tI3eJA%Dj&N&Mz1}cA_x;$n&-1 zt)2i|5G>gwEC`6-_H*D9)ESV6!JdTuiF!jdOw!4^m-C&a_@E(#Az9ccIHZ4CS~jDl zboj9ic=%EP`@_cGmQ|G1{oqD~aT^Ps0)% zoy=-qG}qeJNk2vd=eq0c?>0ttmv+WJyIL$gzW5*oj1op-vFm&@b-C9FggtF0NDRWR$3dVd3Gf);|db<)QmSJ6;Xz=`s*#`D7ut@*s^-7K!Lm z%H5O?lB&*nJfQb@)H1jO0@m+5UAU?|mHAFo0vYoz z?IEPjAj#Wd-%q*AH+yZikf0Z`RQ(=hNocYC-A0Y{w8MfH$P)GPF=p*QR|1%cxuJxy zS(n_@tzkOiu2Off{IQ`sm`Ah%HFw-MbF_GoxsGQ(`mLF^bFj}QMRKZN98Kq@n}>)0 zNSF`;W@B~Rd+>PR6dMHiO0(o1kKwW1givR;ekyH$6{plD)?U}o7(Mcqp1A&>WwSlE zWxSG6WWr9VGkj-I@9^Y_x;coUdM2b-!n>JYEv|=+SJOlA)Hp$w^VqnI!XUb*kcel4 zktc&7t^J*a_9wX9yjp=^7H?K)hqYRH^blx2bn^bP#8!j`@gKa|Xv2T~9ysCaF2GqL zG?+$|k-{)W(;L0twAD7dz!wYZaNXkX)^T(;QKr7>;A!*nNPBA1P}SD<8Md}|xTzmU zl$)lEvZTnnlqp)_$xsEc+ zLIKw{K_l;=o_Wu|3f`>vX_nC$3#q;7SxbDx(Et>Z$cI}j$s-DJu>N0F?4%|KfE~{Q 
zG?y!)tzsL7R|2+*Y5>oz%d{%{Z{NkX)Hy-1SjUUaYBpyBKUr-)>^n(ke5T+e&TFsz zgs5mi4X6*#tYzAVE!%i`+2=0)zFG2orf`j{IqPF)4I8!ZSF%0csZIprZZshx%nW{N zuex1f{&vmoOXqNS1Jn$J9FjaL6Al~SyM$>PUufJKv05pVO(x|U`s&A~_y(tyA6+5?@3at$K{ z_EvD!h6fhYNqN5L%I;8FWg#H5ZJ-(~|X%>*?=QLKXcbFp9E_fOwlfmA$7BNKrn>167 zgtQXy`LMMj0&Fu-~{lx*lwG6ra##k0aqBH3qY zLgmV3Nw)3?)IjxD-hQ<3FsJ%#E&wQkYQIRP8_R6NW~)qaDCwIu>^(E(wMo2+qJmur zJ+s`x+#wa1M9;UoV!uj~r(f`V zjv3}NFeq)KwwopzxB%XfD>dIZ_^9M-5;jlQh3;lDDjUTqZ9NIa>~0vLNFrpV{aTEP zP)pSoR)KJG#7&a{>(Zh-I|?iQ(S|5~L`{Zyf9OTXtJjk&-ABZ3Yn^*m9o9clMt!wH z+f7O@d|BoP@%{E6Q`emn*X5iBj%S@N2f!LE7j!`>;)MgTZ=-^`J1Vi6xSfHMk0%ug zuaGcZx^v61sj@r76 z59DPpM*#EMfL#vfrl0?jwM170M?cTqX?uM?_0{~ub$4laE+rr;%Ers(q}jSrDSe*+TNf)Y_aOu~G4BECxbvLmJ^V zF)&hp$cI1Q=x1INl6?B~>mLx>1LL#4+#w19kQQgmHC9vZ*h{Du{mF497OQ~+<+2^A zMuJ8+{+gqDNsC_fnWl3Sg=HJTVX^g9L&X}U#qE@{A%GoxYVy@Xy)41e2Nkl)2pmommaQ>0p?aev4a0F_*_%@^+m+TJKIW+^%Wov;d(=rbM ztSvvbC-4zg8OCy>eZSrz59Fh?Pj_@;$qU;;e3kbXkebaC& zf7z0^>QT2C>LR2E3Om}#EhG2XaB@U3_XkJu)tji`Z#o{A<<^~V7qsW2mD{a2vEp1A0#=NzTKd%awv|KQQC zTQ1zo#9drYj4K4?MXb#$F*F%wy3=s0=k5}T1U6WUR<_Cm1jp-T1x|m8&jy9|=jQ8E zz5Xa9)^7Pf5HvkZ#x~^e$@CZH6}QPUl2~f62uDL8(3;UHqcD;nL$q=sjbp-2B!*=Y zs!^Ck)2Cv4hapZ_@n3!V)widb8Y!$^rwJ{1JXZ7tA_V%2AttWqJ3d>w2(C|5Sb>|+ zMz}S6i0~?zKL;UeuGX#$VN{90WZdBi$1iu_?2v!T8nD$aSHM8SmhD#Jp2|bZ zh4VN`4vN_gJD{FygMRh8LcAbuDPFTs@yduDN&%uW%6v+kt3KwQehT2c-DBr9%!sXf zeUMd6@NQfmX|K!(SHZiQ@lI2kSTN5msrSl>;GIj4MoN!&kd?pbeAOm3REm3(3Cel2Rp*K}ijjK&jVzh;F{52ro$mtxWK*yX-(^n16`ckyYZ`e1gD5 z(#;-s>=RT=31Fqxe)gV=qhL3l$Jzu5rX5eR-m#b)vBXqYuKd|)HfkBu;Qb(Ugr|Xb zBxYS^Z(ya$Fh1ySo@s$WzPepK5)VWqzpK|wympt{Ngd6dh)~(&W+9k#;Tr7vjsbvk zx2du<-a`!`CFwS!WgL98gL<31JGX51mbp@?9Us-CPhd+e!Nis~n~OF2 zR6uJFTq)4mXSitUJ{%RFo8Q(g4j`J}+zo7j`p}rYp1b=)oK4y>S2uLgwt-E%dO*uW zwkvgbf=BHIE z@1bD0#MO%N?8gV8JHAvTWgI#}CHs=2k0ppzp>Kjv4&Vo57b`qv!JxQmOqI*3Wr3X| z^HIG7Re4tGZ9u)k9e4Sp8$`M6Dc#$kKbYble|Fzr2H4lXS7>f|}tRLTTEbZd%5wc3* zb50vQ__?X>6!c{EW%oA=eukBvreFQFtVBSaEZaOin|603A&YMc@;EKf)&-r2z5i+* zC?>R50W_paWzxB8g(7ja_^#yQa;GagUQ@G!C@w5&XH 
zBBcX-g`i4rWu8#r^;@(k4D~FC2@4&x1xael2Yjje<}yKGOi?QL!Bja~$`|?I^}oJcaA)4>iz8rzRzO#dxMT5~|CFO_LG{uFKyM;Ki>^$T? zHz>U#DLl`I498yON56=(p36^!jvn*H_Fd-(Jad#d@EB@sUv_(cQ~1IEz$)Cp2?QpW z2Ya6ETZ{K|xExFpnO`dfpNYJTI4rK1K}zoCNS6$L@bIX~{_kP@iwc_J&@_$BdVG9d zbyX4E-xVhs z2596mo1fme%8{`&$4$x^@SQ8P`$cvuJ98#Z@mfq~wtef4n|~4Qm20#vs!hBECd6ED zv}mjFH{98FOrDL2k0r`CG}0cP1^c)mrDYCCa|z-%lKH(9A<_pZ$~o<5YF2&e>gWwM z1N~@*)+72$OEL@NLvp3<)I>HfMnsL7i+aN&?_7B?T8W~a>=Wv*0Xnu1AI=X3hDgWNl3`bP-8y586wsKc%0g;Fx=F7;Pw@&v zLjJq?D6hE6yLXca@E?+v1=e{}Dkd!n**fpGsqQ^wPD@9<0sGY&bN%NO&pikgX{S`| z9PuK(GhQ$-$=FS1;HJanuws%x58C%Enw4)Xp8js@a`e291%?p5A8f)hEfT&y?YeO( zSfVih6mg;uQOj@}GgGk?!I=r$^Qo0zf4aKOs_Zs6>$ms)PR*^rBn33`o1IQBzJq?@|edL^HJyV)Ad*_p*c(jZofE7J>i+C^FYbnU7lZY42pTXZsF_rCzR<- zx=}o}AY3(fU+Eyc-xadCwY^9oCodEH^xl=cb6v)vu383rG1P3!@ zBfiBG;bSWAqqZL!9%^5m=~w8ah4Ij;$4h0JpT8}C9%u+0pu3b^{!BFx`?*Yb_d#sT zXXQ$*A&d{xSW1~Ll;U>M!4P5b=0ENzuhCzYU>s<8;|?KBqoz4fiBKxhlWd6)nWP7Y zpb}ZvkTh!6ThcoT_`^-;Z|JJdaQ6G1W4ZNrbFzfB^+4{|{Zw(ERe&TjH z9g+Eo^Dx5L>s6&oNf%riCf1SKZ=39|F8eh@H0l8HU#S95kG8=6+UJ{z{W2C?7v?-m zh(y@R7~-?infrtWU9;`c!8&UR{M0+*_UHX<U#&Lf*x zeXcyOkLe=2I@A5i_FD2Qfwq)$8c&@wmvw(ne1?3qrB!7|1Q%YxNnrsnQmOGsyl(G9 zR^9QU3N+-(3dDk@)h@QyVI=^DfRfvd-{p>(k<1UqNEM1K#frx-Z30hKy79ovPnQdc zS98rwC{GG4DrYHmDryoPI6N9IvyV@|W7XB9&WZ45zI3%M{*3rw&LET&sGTlug1)PJ z4Dr3)B3%{~N<2zHT08K?e*BVeD8a0As)trh9-z}sxEoHp*J&9^$k$ZX6BQ?p+WoKa zBSEafcDoN_cKQZ3Y;U!d!1=UHQhrxd(FaW5Dz$L0f<3mBE`r#L5o)n?uDK$GhScVM zt6#P!7hq)rMB#N#=2B3`Qhqt7{P0elDi`Gkii$06o$YT6hB|ncaE^`TXI2=QfEd`P zfrh=r+?#DCO3>P?gO25A;-B!hoQO<%jjOS`)EBkFt!Uw`2;4E0flSn^V<$50rOe-a zS{k|X(y?Sc6oR)|qd>6er53F}`rycZgiyTjx3;}1w&8NYBIVhDnDz_CI-zFe_HFpU zXxl#-FAt5zt+KIHU01Ry6Nf3bC?&^qHIgSq^E_`G8-I9@>|i&2+Z; zy%pkQTvza-ctg&Mx!HyVKgH$s$X$ERZelAj0V#r*e~GV?Out`xBJZy`FR~qYU!F4a z&b@z;Snb$_N;n~sw0Fc*XeocCBf86c6sbR|&2?6eB}A_~ptR-qtOvYzokUF*d#`g{ zGm_BUikPgcjIpIc_Cx)9URl{?4|wx49*xn>(jhy1GEkS-&G|=Sf!5@wD3r zf1dxIlrUJzZL_=_h47;=QkqozySEoXj1P0x&=$N?odERcj6MGcUzUYO#ePe#9Xjm1 zgX^TX;Z1 
z>9XYqUpVmS44(|AC2GD4%k4*9#AKfwFoNhRPUWx+2DnOSv`!5-yM(YLuO#nQ=lfNi z?Ggz}#upO@sm8yCC_Fu#RRS|}37#wwbv=MMK46t)U1t{ zvAEicbk*bktm^osX6019w5m5V>1DkThulQV)8%kELK1FMf2J2(u=^P5!XK!7^)dkhDi~efh`KKudGO=Dh@_ z*3&MCrTy^9C}6L)!RKXJ~i zlCd7mB(qgmL5AtMe-ezJDV-OX+FIvS($4EBCP`mz}8>+$S5QYiw9PEF( z(xArC4A$?#?7{#!Qkxy-lEksC=bUjVjE{wCBO9H`mP{?$a+{mXQj_ON@gu*rxQnN( z4+oWsv}|%B+m_xPm{WlbP{6KdYPY$RB>qPx1FhDa0F$!L5*Uy1gb@9%a0s|xU|T$p z%~ouL)mb{f+}4rAb9_DVbgWwI&qPFijZOT10K3E{Ntei-2uD}g6Y4Dt&Mfb^*c7--W9W#A49or+DEj0b z8HV&3AV^O18)T79I`ZR2NXYKLQz`lr~pGsa1s zVQ<7jaW-Swk2jcSJxV7Q#aZRyrFJjy9xSE$K3`-6<@|%H6Wjsn8%=pMI0OZsy{IXJ z^=bv4DB^7v*>iCd;o8#iL2bY3E7OgEiszi6cjfOuOVOcxQNDg=1+t2Gd z&I#g}r(IE&v8Bnm6#~@GH3F;3c9a7Lpy249{_^`yCh4mFM0pZ#?X*6V(x^23wOGuB z%Mg@V+BFBy?9rRw<>gqwW5v;T_ms2kXEftaA&EU}W~`rOE3R_be!SQvR}rIYmfGSl z**a+BV@T<2OHYLfUwr&8(+blFPV7;6M+U0KsXyFGHlF$VWT-_>*9iadA0PAPCYa2-4lHqznoY(r^Sx=}tkU zLs7aB1cnCb6s23b2fj0a62JGo_x-;6UH=%_XZG5At!F*!+560#a|WNM@mpp|VqiB% z74{D@Rq4v{q;;5xYEEP?zT7u*^Q7NeJ6633rlaQ3%+NJWRx}jf-TF2nb>yC@+6~sF zFTT%sFwC%sRe$dm_gCG}C&}?)@90cVcK8Ymuu&OLJxq_xu1YfPOXSRO z1XO^PVYFaa{1{LlrN{3S!q`aZLJ()a68@};Ai4T3$@UsmFG5o!nys1@EzUD z$YLGVJ{c89ch8o0eAFuP)aO1@EC$+BLKrC*sTUcF73%k3W% zMpe(*nez$;{Up@uA#r^jsk`7))90*MY*cr=3_Ce}5xIx!b>Z>1C)#b_g>M3b(_x2; zrn0zb*>lTxgDu{de^1`gp4h_j($7C*@5u}L^^_7kNVcLFu{oJBrGjw zr>21ei#^ji{vP!YZG8>ibAAD+iYTJ`8RzKn84u&l2vewb%1t@rnf zVPNf$86m<9wvRZFb*}LlO46~(MWi9eCSG66+KrOvdu8xO8XcWRrButnbf4!2ZpZys zf_LQ8?TlQ~8Bov}6Rod-r{k+Cc&66dd3 zsO@anyC?H`)EJ+feDW1w^80?QZFJFhgv^YKIYOQ-Zot|{-e@`aQixB#u>D}}@~NE^ ztxLb<#~@Im&zjB2m%Ca54SC*a$sgFY{$!a_aWvW4om*nctG0$;M@Rq}ys{{PjF*)c zz2JKr`j}W?+1%5D978-dzItxeUg9S;SNIA|+b`WIkac*RFyEdGNk(N?-p;U%=pOV= zWDODa7V9GQ?~bpDVG($1iHmJmAHr#^7Ez|Yv~2=Jds-(Wrv#sT%G~^n(jWWqR&ubE zGocB-zwIzJZfT~&dNEc=I*&>Ac*gJUA+0$YMbThpZi=cR_Ihg?1!Ebub&~)~!vkKf zk=qg&>VBC6b~-|CNN}I;39i>vPg07!WxTB=R6_3Eq8F+qFIRh2_wASb25nqUi$*}< zz~yuHSmB3o7IJBtF#3~1lTHuUlHcbEqG#E#NJcJDVVdhjml>W)3iz?WTrxP}NhRj)|sZt!JmmlMj+7dpU?@u0k-853RyVs}aMZ{0c 
zLjM5$eWEILE7w%HrvG!jsB4u!0$xA}A>~mY+r7KDDOq*EkD68n?l8SYj_2dgoy_FV zcU;Dx&w8~X7&lS@G;uxL9n9$tC-!ksUWD4|q%R=^t3Q{s^`Tp$qZ7~v+-^5)o6h=- zy?JYYOLuiop4`qgdD>%+@t8|7)6&`9+99K^rM}7}HwTTn`Q%&%tUuPLANIdh)Cfkg z4vw6DRd7%gDye#Peazmp`+K*%@Li6I`A2EV4)?fiC5R&#nH~(|m;dpB$g>SuTmY#L+tBg!6mqh51 zZ;{QZuoY)a3_vL3mTprK{X%D9>Q|0!2W$UUxZQlX>5?rldDzsx16WS<94-{a3K*jW z3QWvsmZ)*#mZf=>uVFRmzq4|zSX13pPP~!XZ_tTJlLP{x2L#E}hPJF^u^L&#Ar9kT zb;6%{%q&^MqG4pBl#F42#{$7n>4clc29!x5`?m~~K;@-1HYmnTJh&(QrGEkD7%pq3 z;&@PtOOmDCca_XPTz^MA>H3eH9Q@_)d)G723yhOwYy)HN1<+WQz2dB#--g`_JQ(|> z7WoLg{)K~sh*imnnNj-pGqb}lF=C&xt$QmzOry!_M68XBzn?Xf{L&Y;n1vPhV&>BF zC*cF7Vfn2a8crYP>(NYu+HkIQB`CCRXv;}cmbk~DfSYhGO=*$oMb$&Q;iatI2|wsa z1kYE#A<4s54qttVI^1tQtcb5VoZN&lsqXcJ zx9e`QN*jQQqOhtsHB<%{`Z1&O@+WO%$3Soq5#y7Y7Tk55L&V}n)EV@*NzZ@s% z#LZQ$q~zGH!mmyx3Jr%ytn$c7f0-LkAq@Scu}Ei9G(t$lF|_zeKVuM!T8di2Pg_Yl zdlgX3QS0pE3mxb7>3Crl5|&68%x`0zPa4HbC`>p@muKbRv0xJI_Dh_YitmA`K3bi6 zOZzC2K7bsI3+_)W3&n2mek31nj_rD@KCKm}<6+ICpfazlt@Ciuo@Smr_?L>y*t^2D z+#nwxK4;u8C)$veZU0G;XnTtp?|aUjZI1wTyp#Q0o1}W=va(ZC$Kfq&ZFq_wnWy{~ z!gs*V8N9ve(`q6SfuL1d>ool=3BynJWn?2-eTus@)5fssdun85t~aP{d!kAXkb8QQ za^v|c#wwlEY15zAD7Na-uqwLVDhqO&J3KdhGPm;<L!L!sUA1sT8}r(03J4oQq%4xC4rIAC{yukZ;bMz7 zh2%Fx&(|8xI408kBGsnqzTtZEDRFAJj@T+s#|=3Ays5u5M%|&GU)6Ss3D~}lv5A3Y zP^2q5E{Y=xYhM94v0i4ks)nG=71MIPE;V=~zDECSr--~xtb2r2JE%QlI9-VRJ>LeB zn@JZ6kMM3qrg9d4Z(42t%ZW)Y1N}|$VHXWzCtG0Go1S| zNH*waFk14P-wF;=Dt4I`djOLhOrN-E|Jtg2)vD6XOtWA4U#Hz5xQ&$E44`B-4nS}v zg8@SNq9N@yU8())*_YEHr8vt-w0%#xZ5D{|M<3Rq9NplO{1%q`wmC>dQUKG~2Fh@w z!dux4*WOGyj4~toF!aYK+@qf0BQFBYv$5$xvDEWWCSk%E?bq_;ka zG-y|A>(YX9a8(^qIOlV#q3Ual_&J}ODIxksV=M6@yj?LcQm<3k+>=&|H zF)ru6YLj9zP{b#u?D`=3;KjRwr&f#oIpfU6{#q*N-SPqSIO_X|vT5w`x)v&i;!t_c z#T4VDJ!}}oJ1fn{J3_85rg)R`YXNt^i8puEeYAFNV0O8- z0}FB~dZg34V+~W|A@~jM#PfT=`)Uk}F|ER$DLLn7&9`w#Vj3j?7E)*A?+ISeR~vFK z5EaX9zBACzaW{V}>`RhY=S;tX2!GsbSlObR0tHG`I$SuE4RYBRXW zx8x9By*^g$b($WD>ohw=GndpiGc+!1+e+$$lw{F=*IMDz4;?rkFX~Kp# z)N=i9nC(UeB%_C_kU$6pkGZchDlra5_l!_|VAxvAnLT!g?!rR6v 
z`iszj;Y@ZzBN6<)*0%zKUX6UfPkSo?)%}%Gsmd~-0X=CwyhYPuj9ZXQ|McAXH6%qT>k~$U2l&SE}i=_$$K%3Q9IhaKiL+ z-&L%~RyNW*+}~N+fQ@WH-GA@xm5Cew21Z}yOT~_CRvY%d)f?K_Mr>fy-|C8=1nLpY z*X@Xz7Vd=XhkS0)j^LiHo&WicFcFh3XR(|czs_iH=M|r}!_r23?PZF@Ap(fMk>xH% z#@5z28Q=1bzUWMN!^a&LBW>jZjZ)L}2tyY((c*c@bVKlV!O%R)%-t+K+Q-Tdegoh| z#|z)g_SPHt%>?p#T#>!ofcWnibI(3a&OI`IP}vu2L9a^_bQPpLX2V-W+vsF|tVypL z#XSaOy2u@$`PHo&oF1>_G*1NelO0={%tyrB&QaHg5y~XG4T?irL!131T``aQ#x{sV zd+-`@o-jO!fE39owwAg-0=KfCk@9TfWVXN75PuiA@+pC7v)Tu(uJBYwhF|= z3Um+iav<9&{CB)HH>H)m*+}hc#>=o#!~_i@?jR;lbowAu(&BC_HvyfTG7#E~27f&= z3K9JIqaH`sJ=PCOJfwpWA&J46?N{(?Fmfmk5+WgOA5M}YK~=;SJKh$-PL;KO_bsnW zNu`z&kYl2T)v~7n9fnXPCG#16`bB+HdTUngFlu;_X@k+8g3V+wku-E?ATMyFOA?6% z%tP0W8!Q0dQsJQ*pEv1_#XB77U$1kUlLa`-u2`-t!>^qV6q#u29r7e!uX0a^rP6WH zG|{q?Us2n;l$ju{ChLHhK8zR~E!^QRKJah}BP8gmS+0S}SY0-MvlyXa7$*gvy1D8a zl3WQgd{4yZ7H+Ay%Ohu&J2x(Ak4WE>{>7R!2WZB{pNfppaL-p(3xSr)3r$D*_Irsq zLNDi`&3@bpUrw~Al1Z1r;a6~3N8p_$(6JooaH^_^&u&?uwY&{YG?XV%pBRs)jQKTe zUuXb(c{e7f4-HH7TGY$~V+h$?PUw__KT}Ly<{W0O8hEKlw?Z_eJ9F-N#>YrqWkF>I zZvcJ=XS4KMiojtv%BM66Ph=Way&WBy-WH3byBW#_)nbD;K6(j(J;C*DE3q;h4Myax z2hWL9`mezzuR6XVs+_bJt!1yf$K0?Myc{p3eR{AXQ~Y_HzemI=>)ivyol+U?Dr;nm zoW0I)A~qL-$e)l;(xp@u1uLQf<5)lylxv|&|2y^d_ueUw@ zKF7ENDbV#63VTaTZ_yZ!mfvJO zZ6wN%nYk9?aWC?ZwXWO|8F z3(U%&Tao#quH=FzpGJs&!9>J=BNiSF-j9&FBS?z;G01Mb*U;i;3F zy)*A#^L(*cYfc!QhGe+7ahKZUr7~(~_{3Ugay)&zuTXSVXQ_ag>1NCF7nxzw?Zo+? 
zD?i>i*Z2MskAsuSPPL(9y@ERT4{0VBw6xU0V)FBu)HVL zm+gUx*QADo&T+NtS&l`{HU>ccFNsmQP`?o(tKz#1L@VCf*B-rbc&y13t3cnc^TDpz zEoDfqtKC@E)#IU*&7JQv5jgx{?R)^>OI8Z+i;Kd7ZkuF$U0BO6)b>YLom(8uSc zexCj5+u|Hr80lj16ClVjs6N?({>KQ?T6wV<)YqC)qXn;7M*`5VmbWnCG;TGBL%}G-?OVAKd~?!%9t%1 zo@$FqSLEd{h#aF(kQ8yL8iM&Qy3*xPV^kJtRvn`E-0AX$vq?tJ)9Vf&mbpZE^J^Lo z`LdKhu07ZFR~TS#CL)4P6fcgpZ#1SU0RDkVvJXS6NpH#WQ#DgnE#$TyFb^q@kxG(v zIG54d=+3#tHriGV561|Xq%RW-NJ$_L@Jz|e65rrZ1GJ>()N`7Y^amoNBIeVDKb0Bi zeP4bV>Qk2#*`wSX|0NL7gRzBO-#xOzy#xLQ9iQfmUUH;#Vx)%yCY-8#K6(JYhhex< z%cOoSf<>D(aeW3&Dp+iBEH~L-zK=&d{?vZTP#Y>C_u*iWq^DhDIBwwk9fI$*>t%Zg z)LI5aSy|d)NuEz6m0ZkTg_C*y9+BuPS3?c2aLyp$8T$J3hYaObS{_fiqSdTav1AEt1jEI^VQ;-XwB);!<=!U{kR~ z+UPqdPOZ1IVo$B_7Ta9j{zf$_&}q(LFsQk1)-vRb{E2UAQAtR5WzlA3=qA_V@f3BU zT!<%WI3aW)OFlB~KrX)=?f#lStA*l4X!v4vl_1FL6?hC0OZq_%VB znkUQ$x_0jabcY`bL-$e&SxN*rCo35>Lt@F~yOGckE%KxnJXn;wA&0ERzqvk1B@rr$ z=QF!ybH-M)nnm^cYkfr$)QfX(yDwCwqT5f+9I8r^DP7Rqd+qLo{$0db2poke+RXd_ zswgDtVvMFo5te1O?oTmod^9OTKKGicaR>$FdL{xO2!260rXRuV_8~qS%_}UQ-9apy#882%`{a7^C9n|gTI}+F`6uJwM-luv}T5w|I}RkS|Z`?+3V1y?;G*g zMqUz-gfV;WVdgUp4`sMBLWcWAy4{sg zX|)iK%U0uGZ(@z=PF-$DdDMyHIdxkjNUq&T6C-CX2WIi2aAoTG^TKEs!Oo}v1gCgl zynrgPq^oU(R?zwj#_fm~hb6Wleag}=AV1c2-~8s$Qj?WVV=B?4L+?eHO)MoPDKXnO z`xQ8t<6CO!n`_AwFn_b1QM!+v-81`6tUb|FJ*MicYB=^;v1($UAeLn)d_y!-6XNtm6j7z#5>mo zk>A&2IeR2EF@vW0Wr2efjpeG#DVjiEuAwOyVk34H!*8Au zcybkhss|YpH^=2Zal3n$-pS<6^+r(6^ubc+dt)pTl~J_`WwSGC^7E+9!%uWsNRC3R zAVno2;fA=wI(%Xlo`n(L{5dhTIA7LiTeC0%+gRMPd;$OmE2TX3*x$@qV3Uz`E8azo zurb);h?8EIpkX3ZKA+9?=8x&EK5Z^@Wt>-j9sVf2rRdgMgs&`0?wh^h`#{y4C4q}- zIcaI=8cn1x&7TZW<2BZoI-qR0bEI6aLebO-GV{V3y~=N1P259w^8Y|1fm=_DW}QT1 ztX{oX36MT-fS3+WJes<8#MB_ORc)SC&plBp^ClMzhV9pilyvIYVRm5swWxmZnDp1;mY$2|ak5r@QS3 zlYiMTBiHXY_}?F15)r%q87{;xzAfs}`T1ttM+em{qRTS{3)`jItsBR$Y}hbbw^T~* zi2)g(NwKz+hieDnqZ^oW_+~tGetV*+HDECHFA470%UI_7gcM|6t{gVayr!4Z0a#1% zKJ!$~9ErYlCzzXjQ1I@)V*xoP#~tbNoJxS9`eWY}UY!U`Ppa8(#9ce6jZd@IUJnLb z^M62it<9L)e*?d7ag}mba!F)H^2kH&vVEBiZ)5X`8~( 
zsj0+e19*H}CuTBylUgG~!<+n>b5(9#+b^~zf6gB{Wb;MG@@YsH5AoWL0$-7g{*2;B z%@N7YreWWXrYGiUn7eb|?^8uKf{ZTlaH=6CXfO;Zs}`nYxlx`87(`FkO9eFvQ|8hL zr`}|tiWEE+1Jqoik`~zA(B>8nWBs56K}LdJp}3;mEw;-xhJ;>vqZ3=)0UwOVrTR?# z7q3bYQGJZ2Hu1|SL$bfQX+xKoV>Wl+qqPp39jO)Ded*CEZ4}K<12QByO)L{efy2&^`e)ee^!C$>c6l#p3T{Gn>W33^i;SXPxpW zM^e8A#zVH+`ZXH|j0N!llU{Y{SCV(@3#7KC@36+zO5+nnu=)SG? z!V%gsWNkB#j;WX0!I<3hcr#bvl3Lnxi7o!a@RBm)GmzT>8+ z8MC!lVupJIZLJ9dTG|&Im@k86BBr{7Vf)5M=o^_bzhuqa~%nK3CG$ zj`JSEY4YHpQO7a6c1Q_!^TNk~^CE~}wo<#k77EUEmTld`a2r;e^TT7VEnN{hrjD#l2^z^XKj|NojzC&-$09repE~a6>p%R}cKZfJ zzIATy3Ep1}*W8UzK1?ASGm{?g<<<-$>y|BWuLzytE;^Sir!sIEbTZw(CIjVI5aCYJ zImKnZKI`4Rs5xPwG8efOe|YZxa!2A=xJUjyAiy6B@5BHTw{3K<;Zuakkx z7T^RIoFqB%5gg-4v_T&y?>fbS6P&GIgrA#oS+j&XGF2oWlqAc!6+|K4es0#)j*(*PHjM{{c~=R zX<&RuOoIcZ{|o?6RP1w`MG@f>{MCtLsvS8AQVsO~j|BaH_YwF{ocv$#F}YpwS!5uR z1#ltVY_ep>RMU$m{i~$1Hap(v{~^`LYyTb9E-(%0h-tv7mc#4eUs6rzzo%L{$N!^` z;QU9c(@~a>YW7??96R~H=p*<={+j#6n(dsX1t}?fk&-cKNYi&IgpuYR!{7O{8o}B7 zkFKCl{!8{^T&yr)`l$Z@Sz>Uf{-Y9um&e)i{zr+Ou=ij42pp^Vxf1(_lmCl80!QG( zPhyT_;JlN^+l5ZD8u9B$CtH?I>br%K+_jvumrm6J?54*8mnmj^bcetbnL;gV5%PO* z;|zwjC?BYAIT0x;;2Wd!^5K?^t+WNv^c~Mb6nU+TccJ%Mr!{=lGIPr` zi8ef!J|#mEuuOx}{qR{(3qy4iF0+12wKp^IxSdcN!pM8S-M4nQmeF>9@e0K^gJ{A~ zV-$~W=50qrB1#yoqJe~zx`LIT#pvA`@Q|2iBMTQ*J2py&{xSyw_rc>!fWqG%NHg06 zm(TQgxoE4kCl*Z0Y$)E!T;JmYEeJG-VhGh=l}ZfazD5mm?Plhj4aQWA=qA+H>a>kp zKWkfLJG}VU_LU=aB;brK)E;UPfE^7t1wh+4Tf*tHwyw5XKmXd|*g>zJwZ((Ck8IbM zZ^McaewTa=Mh!Kzl!~Xt#)LlPrlkmQJsuhy*>wvX=``k-t|VeaZ*CBtgoI<)eib-B zwrsUi)4#WdkM;)-xbb;gu>J2%|1t52EpP-T9(=HWZ~Q-)_pd2hAhRF+vg-}P#{242 z(1~avG7Hq?P$6LK_Gw7lU(biM4W_vG>z@?6qFn$J4Z9^x>MtJuFa`%Z4e1}YCr|=# zZsGjH_P?3n<=}*x8Y&bRSp6p~ zCD+jke4;Bi;{I0E6IVP1=vM^eat~Ijmq$ns(B)cSCJ+;!1bz*7~J5Pfsb*v zfsxqn%%8tT|E()rJF-`xMQSbhOabU^<)60ZkKqI6N(D4N@DQ52t@abFZqVSk?*6A9 zlmZZomgiJ|bz>}Qz@r;{k@BIHgy8{U>|{UwuhD_{#&zRE7+7r*vHC6C)O> zh(>1nR5`JG0o7XYmzJ=o++;6bSsiB`ry6Cyzg4eBIGY@#Mo7zYWL&=6#Pw@kghdMY zW8OCFNLs*|#-yOv6cSUH)-yI-bXvJ}CFay&Nq@*TmItv2P&*a7G4O7^0JY=>_{>Ht 
z_63}gbRkbq0E1XC_8>>n9jjd4_6LnPE9}1&P{272%(!-s#U+Uy#jC60Yh^`_|0i3x z(^GLTt;j`=a^b7m%JpkX_%zr)CJ3+fG^~VM@VE%#aW*Bi8lxw9_xrfW6D-CC0u{?PXTma zh89CM`rq2Z$2yH?a!MFD7Z7;hG@z#Q0j)iRSeVHq!+8nE0_^%9n_7WGonjGo77Kur zV;Vg0hZc}FS`O+n$uonukCNBhK;Y>X#c}N@Ag?O%H)BzxU;Zg=KlK(4PaI8}-tS(>yw*SaM zCfD?t;>xHiIcguRT4;E>NtJQIfd@_lx^W?(>+sShKbB4iyz99d`7ceup-!>DyMP5A03JAA z!a*%zJX2lp3E}M{DIsR8%#N{YJQM8&Ift}SUhoOb?U~euT!1kIb0zEu3m`+i{GZ0) zV5e9}Ucdrup9U0pAt1D5P_>2O%Woc7BmccA@Mq};y@ii;ip2$8Wdz%QWmW5fB*WWB zGQ_7VaEau*Bt@f3** z4#UGcMdFMc!x;+q|AvWf8b>#nvLXl)n5uQojDth zC2AE@PxeWfT-QM)fYYttaNL!%NPvxVNVuL=FR*b==FiLGSw#go!F6sEb>3m%D7?Rg zMaaJqa(n*^E1IH5_x+#Wcq6W(J#gG8xn%}qlROq*yB|9Dlxq7v_yp}Jla2d|PEkX2{irruV2 zAJZn(<*<3DY%521xXrE-$d26@h&|kyDmy@%A4xb^e!7)rUP*AUz1aN5X>avFP?XP3 zm)Hpb?O@EqX(4iT$9d6&$t=MZnAiefYp^P-{SCC0%_^WS`MO#d+UgcyVGe9{-%KU) z|7@3vE}aFr%_W<3+noEQ~}r3#9u;frMuo&S6ZQ zJ#(vdsz5@C9oiaGxtBVOc&zz%{Q4~;UAyaRyF}#`>N)L9z4JYL)D;P{ct6_5s<8$Z z0$em+FtstoZ^u&|RzKLS!EzWhZnbuJ{`-(VLid1%x~fxjr@(eCwv~U!pFfzY9mb=# zI(nGu(wWva1VYoF!|FTj^zKWoz_Wz$_JN`#T|jfa9X6=?nb0>aPnN0*8&OoC3S8hb{@(qX{oaoD7O| z9RPmV?)MF7Yx^NkSgAe�kV5=I^ZA9@wqW`e*5K?@cOBe&X2MhAkJtNJ`BkA3P|7 zr9C&(-04aRu%jw6F9E9X_NtZ^cW1m>TPK$e(9tpuKCnj*yY!hHVhk-#HGz*bDTlrP z?ec46vZr;)8t}+N%Ubm{D;s$}ugj~M18@icRs3c9dm{{`O;aAqfBOf3l!hdBwuO$}k>d{}Jqwgn=4>csVUOqk)oiuZN$Rkl+<97?@|K;{wpB^4(WH4WqV7+KmK1T~*fzBGd4wpQ959@BtJmvk)+pIb38 z!e8YiFC$=I!3IY|x&-$JPwBd4^5sjHsIOeQgm!kW%SwTvU($$3;hnN{EE)5`H~kSV iUAl9w6J>DdQX0+iY4h$R}1Ox;cq)d=bD;}{D`1d_-XxkeG^z-8{ARs88Z)Ogr%FYgs zE=;Bl&gP6BcDBLs0Hr`?^xzNJ9RgWnc{^+*>+j47Kcw@os;n+JNsAP`5!QNIh)v1Z zuIhegzHH2`i(*qY25VLzXxa8cKrOh(z%;--goU8&4ich&t5b5_T(_>^elFQS0S^4c z+5(kHG*dt)PQ~ZJ@rzFj-w8@GkxX}3ivgj5Zp_UUllm$@$`fgn{NiHddbr=m;ZlC_ z(mFkq=^#ETb$88~5}Q6naseJ>P6C03$!)DGXagm3u;$)QjOE2r^?@M_=?gPZ;IH7} zyx9;s{7geXM_vRFEnu(tlWxwVE4bl{So!l6r?k)_5d|-!xfZTwBC(`?4CvHGP0pSwy zxat`nHL>@&37qvr^pWOm_+2Ph6YR#s!uhRZyPP;V?dQSNTqY6(l2g+rx}r_}p~pS~&%c-P&XRKT}6 
zh8Oa}{Idb4u2p1Oe*X2X)EB0$#Jl?&!w>X#8Q)9eyQ}kMU&pr`;7T&lCZQvN>ZkoBrduB;#m0k~?g5t8weeO+t{Uu}2B<+uF1c@Jw?u${=gg z;Id@2uF`%qeO_v|G4;i?qpPQCoI{-psS((1`OtYtRBu(@ytcIx=YYov-zCWhty)wF z{7zakn(q5TS^Vu5*y?MNf~<`ZH7u|@#}dIy+J+mT4`$(^Y!VUo^tP?B+js~1uIVMI$*{h1 z>*bjy#YeK^S2D+jl4)u^hEd^_QDqGA^n}_V@-oDA(Zn7A-_3j8_*YtbjJMH?YT9*G z!X)Y%EDYQ8wsHt4gS0ljuKTj#e!USO_aG2^77HNy zsoW>5a21KJf_7txVX@kGoFm0e$2DmUym7kTT0=oE8%ervDm zV_TkQIlB_*Z1UHbnv+;*1bsFfsjE_|iaX_LDDOgm=^w zzb^X5eYqF_@*Ptv*_VFU>VA{}ydcONSr^1R*Rgkr{yuMHV+3Fz)_3Bw|sy>gj zd$DYLUu2y^is2*98S!;{HF-LSjWHw~-}`h&M-KkC?yizGh>U|DyxDUp{fpKO>pH&A z_qR&Gl{riKnW^jXoF^tR_}AMKpSF&S*Cnu(wZkLeMYZ9_-WlHbw8g6>%58(LifUBz z>t)tnXibYo#_Oh=Kyyp|tNr=&#<8#E+fM)0z@O+RvOWFj;43-9tV>mAUw`D*-UTl1 z>44Xc3Wri8P4Qc$Of#AnF2-x>4|`Dvk@Thj(msh7syA4)ZT>;0muO~qRZeh4mcs<@ z$Q4bXlV0K0%4L6%hG)- zZ)ok~zK=_0fW`gp*R0bOrakVTr<_Od#vBx z#zZx$cZCBs)o1DET9*GuUqC367}d2l0lOxlvRZk zq14%H2l}wK)@504wKt!8%3yqP))}r$=CK&%sqb>r(P2zYMy5XhpLxK8;@$6prXITs zoR*WoO&#=RuST|Ih9Ubao(u3uk|!~Ngv|=(Tep_-E5@$4K_yO9+8L zem|-Wi?As3vKLpv8l!bZlB^y6x-Lec!)*t&%#vWOi8Fy>WAB>41F;@qsu7D&;-4jY zz3z64kqwS(JJU-`HY(>_HRqalzTV4>u{FnMZ*HRoqVGW0o{h?wwYNL3mn+AOxPjw6 z$hw|_kkiFACck8F8$Es16U)4dUYU0wANda$P**a~U-Kd=L8S)8F#QOl0E{6}+T(Wn zBe2-n#(EqaQ>~4fKyVl7+FEG%N~Z6%-5%Lm7b+*{i+sN0#4U5@lMjl6+f3p~w72$o zfgb_+Dxy2a%?uf%4+rh*^YgIl?{7p5jLc?sBI#4ZLWpK6ilwG4R%1S;|i#CzQPjPY`yWmHQrb zORjQmZl=w+iFE~v*b22k8sy$^t00TEu@qM;W=XQgMdYL@+3AHHx_nu?omcjub4hX_ zM~`34t*G-2Hc~2Zp$cBl@caWn&}v!uixq>K7GEqJ>UC6_;uZ&pgBZ3zkeZpvs%^QAL$6CB>&pAXUTw|LV=^ zmDqOQ)^6hoCxac1v>zv-Q}|rGeB08f;M9?r3BoNPOJsLJohMg5U}OXyr2Q@M@H;N{ zVcqvkY{-vC8fN%eA6oM1z7jTd77%)HQ22z2LU8cfT>ElhtE{qUIkd4#Xen_}yC;i2 ztEXCA7`p}toCruDxr=grt&BWKWG4u{S24)p>~l(Zzm zpRB{zrtrd0@?KHsA4(L${vFcXaAN1Q5ZWz0YBM5xk?X;-5yBJtSJ1)>`lFop#Snc7 ztzQQ;;H|`fYiICcCPQ;GeRT-oO{RFhr_AC;5IfFj7E zTR5c`mFlSoVV6jR$+mAQt8h~2F9PJPPx?}Ls*RP2NAZ*BZBgfP2Mr)8e2XD}7A?sH z?sn76k-gsu@N^$FpWIrhaN9aj9#Zk669ub|Z%nwSzB5Ga)ogV?_148I&SW698&(oW zBJex`-Na(XP!4-k?qzj&kN4AwIpNuUQLN;bDVtpS&Iy6F@YzDtV1qNo7VUvEQ3wCF 
z>V^C3O0hu?I9cD60_|Gxzpmu(fv#YV7{CuU7yY(m9P(#~Hx|%Y=_s?yYn_sYA!mXt z_wUYVad?B#|{2$EkJvMi^moua8xB z=bH{c3Ns_(>!0r}dlFXki@Dt273+S#l`8yv%nY`-YHF9E+Q3}7i}daM3QW!iKHcmu zwZKK9y}#jI9Xd(1B6m>TpLb`@>mL8|S(%^DTcdwU5eYI{wl5%HD5g8m^^SrF)c6S| zo~Z#LJLZX7@#T*o25N@7Ke^EO47~=#UxU=sawElB@k_&T}(W*&^_~Yt<&r3}% z!-OrA8~rL5PT--|UM4RFs>^g%%3jM?Mab18YW(z3oxMw94hZzKge@8+GbzTz$8g|L zN;x0sUcG~zj`!uck+S`LkB_*vn!91INaQ1#?6XQxME;~5 zW6?(_&6G#+%GnAljjEM{lfO|G5vQ{z+yD17SwFU?M6x@xI> zikJ5mD+DmRzbNKb#qATaje`AAg!xSa54(dFfg~?N&Ydkiu=t!8uB`x4ir?I%K%AH@dldb6K#cG#UN>kCaY9a7M$mW zKRD73A=P(1&vzmW3A1G|jD{F;*>Tm@&6_j5c40r;k0;sTRVMCd*&CLoy?{G>OzFT{U!#HpZYkyEImQe5F5Wzv(7K-HfsQV62j49wV9(K~ z$BuAu|5uTk7Q2r9L)f2kcBxl;Qt|gDU5B#tfi3n5vC;b1Uk2QwN0+s0b`MhTYdb%H ze6~cudyXf%7s0*n>=XrM%L(AX6r~Xp84%CO>M`quc6NM2`b;RCgF*e{A+*G^$4|J4yVAPo>wym9yC(>`sH0$}gn``aDP zKR+eUY>f@w0i-A>(9JPYKaG*SdUF8yjj!BY{j+k1QpMeXf+j%YmR*LB{>()I6F6mI!f-G$hq-3Pi9axBBayKM zRV8yn4fYuJrOUUOe*!k+U{@NMi+%$G#`Vy9>-%|lOH`{6$gs^BIw2*B*}$9FlT>v_ z=CpWYY`!XVI<>+mi^e|o%WP0NuZ>WtSuh^#5vADVz*H_mZpWQc^x$acrX?ghArnBYTGFC|HLq^XkWMg*z z@HlcYdS%g)@!Fd2+iGF)BkfQ`uUjFIwC;P{{n9TCOmF8Nuhvvx>aX2j=WX4D=PGN= zA!#BdlNPu)E|PAS)L^X}fbA!xL-<%la@~hF=3l#r0Z;qHaG$`m&J%5>uT(fEBE?e&i!?IDQ1tX%m zXqS*sN(9W(Pa;?utA%T=m!~EOun;W$komTUxtEoVfrkdIO+5YJ z)Thampo)3;nkNz~nRQeJVD1qYL1G=YMpL|OZ;f>iz)Yn~UIKMBlH)g{Cfw>?;l={w zInDG%I!{#iVMa59;&qhBUEv6YkHQAHRN~`{VS<`v&B*8F&S>buBk%3>xwSAx*%>Ie z9La3-x0{%@wwJ4?+RB-o>h;8sGgn~C6Upx*mlTY5+UWjPp5KXy)55AA>>0d39 z1*y)-D^wk&DC!0G0ygb_WVuT0&+Z%kaJ5PDY&-1p`oQ0K=>_8k@t9xe&>XI;b1yoQ zqMr@YMGY^2U293N;5;j=MR791v;Jw`i)^m>uyno&|1K~s)bw1$hJhidyV8%UPQ zro$J>Xi5G=UAkkf;}tXNLQ!UgqJYa7bPee|juxM8+zk5!nk(Tzt7J^8y1Mktvenjn!PoTfU}3ANG6B8r?-w);*=>obdV|SzsIACuow(L zj|HQrs15o6Lm*N&hPJ6g0ew(|oq~(s`iT-YvkO*01UZ_t(w8kdM9wZy-VUAH%8C4c z7>OV#f6~6=ixy?n6Jb7itZ7gxhGf)B4EB@03QkoR4CXut#s6gW;4N(_3Q%A!0QWPv zr6$;hGmpZ^M=q@5?@ZDxswS(UAv3zdUB&LQr215~)X!sRs|xe2@{fw2A#4~58LK5K zyI=#G!LX&WN_=_gU;kuiv1f+))**>lC1e;ez$wtTCISrUo&y(z__Mq4-k5aWz~+5$ 
zfBw$@C|P)aRIZ-!(cY@#2mY|xU~B4s#!1ERZI{2MC@l%yA&w1jt8Ip%PLqgPrR118 z#$_^XgbxItL2!ybLX64Hj|i-cxFN5qI!%JEwEOZ8wrbDS*T}t!n-utOagk1{6R0xd zoOv@J@}r?1li)p{N*l-vFe3!R_pa%ClF?Xo!d2@SJJd7Qfm8O?-A-7n==r%n;;aU({Cf4AH zuet`dj)r#kfQEL&@0?%Yvc--1(3Dvt@gbC)qf)H^!_*_v{WhH%;}mj!Bmj+taWktk zqkG2BgMR;%W7!q02kNKys6M^N#c|GJ+>5KWkBGvJY@a2-nJ>300rJbWmxhwo$MfZL3DD;w$sn zz7_zta&os$Wu4k*W|cnoe2%*9$QO)Y1Q48FY4m;Qu4m{Fj9v^()t3w0rY|2%NcK~IJnN^;&uj`xe2VKKut|$+ou*=mAu(l;aGF=z}{=Sl%)G~ zs03{$)xqf6zgD3sKUlfCS0#c@E$TLIE;6`l$KQolRGi+g0jth&iZ2$UE~ga*&3Q2R z+yl%dgh%O}lQ6U;0m2I3{DA2ost&x=s%jPz;pvt3$HbM6i6t7R;Nubh>`dwIm5dRd zZKaL!$%m#T!#@gkLZ53`ABjh#mm!OBn`cPW9Td+sGNL7GLU2?!v@MHem5p5@0@+zeh_ei%G_u(!jx zF=YXw=pBh^zz@q#^s@+Gl<}fjNEV4nc6D}xV&U@CODCpZRu?c{4zKnh9G<< z25(2mWSY13QTIm)SDn!v?%x<+u!&$FAg@@dZjuI~Al@JYY~hrZ>Ho+UZA#l(-bnm+ z>VJqj*jc{xiKt%DpNLAp63f!%0{09_n7<_ORE_OSvT9ReK_4eJ{xPix*@50AGOfi; zEAY(XI^mPuRWi0Ic$frNd9qtazQOrB-%Ve5qhtnc$qlDx95OQAFF|{sR#KE1SXMzQ zqK-+Aa#xi~U30{UwD5Rjc-cy`t zHhLqdG}Ks!CY;lj8Gn8WV$g5XN6~`gdW7WnFqf)SF?VjJmjY-ymnb}_UaJm z#Xw~(;tSv*D&7n!fmYE8jbe!yH*tu)UnM@DTsf#z^;6J%se0=Ari? zjUjC;L~M#hkps?&PME8mKbzG1?h@?GaEs+xohibiIH#XReiu435F3xRH~4&l0zm&2 zMlwj*{=m+`5ng3l;BeXV7}+q%3-Oa#`g~7WMw%dj6b;LLO(_hKC^ll@r4<=@`Fe~f zKH0_+Si~oyR^Ck}aW)A55Vj@-Yl+wW*VSe>3zh>a%rxD(h#b>}n-wV%n_h+>0u%xak0ar&7@VXt4LV@`8BaF5clD$o{Q@Fdg~#+SlyQSvYz7$##wy%xRA6- zcHcUa@Vw13!!ZO;sE^uvQ$)~cxj6k{Y<2e^u5TrC1a31~SPtXY?#_47E3Lp{hSjZX zn8ufuYIr4b-m888UhPXqDZ=KXWQbd`;%4$4kf^F$7*-~M6#q5dcIq3{PZG_U?4&>0 zJ4O?kv{qtq>G*K&`o7FgF;MHQ0IGWGW=7Gy@a|}9wQGlW)hvH@C@py2mlWfI4o(MM z9!VsA+^8WIN5{(@>cPF4R}ZWy-ftqvg1lL5L5Fk8)#a{Xm{>xHSE zIM(~#ltbcd`s$>@A(v9$?pDs|1ntVo-r+Ycwl41YqvWt@+~m;}`$m`-fRpSqqXaW1 zJ*>nbbjyc{&y;0%NxXQzhH9fGscUIahiM-=#Iu+7&c|2YkkTI0!q*R-O9wQH{nKjV zOiZiBr`wc30o<6zf1$A=j2%Xh!YV5CZ&xx^l3j)7=1n>PP3|CI8ehf`;uloD8Z&@?#^;c1b>eZ` z8|gM62on|gGjr!KP`Uoq?NHbnpE~U)qO~4A1%*sL5M13nYNb2khJFnz^C)OUn-?%^kl#Y1Eod;8*+GX%5!+Q~tI zC06Q6F3PY{-jI(bJ@XuA3`Z-*u*k3HUff>J8$#Apw=>ep(63pN=ev5-qjrH? 
zL<#eO+QfpVIR)=jU4p6P^B-;@2w@e8f0|^k0Y+A7FIvES?RU*VwEsNqC*o(#my=Ga z)Qf{ka0c0|=hjDv9w$)9_?_fV0m*EH#;^-D{QswFC^tO;6(&-+F9laqS%eoue6fh* z=uYww!It7%!{Rj(#nyN&Rmr`&Gf40gH-4C1sI_yu#D*H0f6$?R%hEm4`>P)|-^WsO z+eN7KOTu#0y_4LM6uFpEV|Y6O zBB9ysTYEjS?_G+L;3VhkXcd($+5wZk`giUvDNZmfHic;aZRI~3)$=V)FMpQGmCIuC zdw*eX;qTXbbXMB$c>sWnaG!BJCA{@YlR-XkUtYUPmr-Pr?6nBqlm@y;eKO4=Ee!gJ z(IUd(yUa-As0GXeDESVUl0Ti(3KGl|7L7Er*c#I5;{5)Pst(5@{ZRQ>w~6ek*VFFo zT@JAKwhoW~dyQ@B`LkokrY_i3Gs*^neuhmpJMf2f*PDljM3tmXOg`~Mb>Jy)RCQukj4sM?ld>md{(>8$@Q znI&`5SzbXQX%|eCse(|^39l?4A&>r8hgljXat!~E(b6fHj^$5@nfO=f+hl+!_6_?Y zZU6vTxNzdr^CHCm(@5psn$*DQpy0D49o5Q$l~1N<^4U>Q-bW8z>IrH`CbP1F)9=2 zV#Z2^#;CqGx6kz8Z?Q&!;upfvZVX+M1w~F|Jkm8CA z=~-~Ui9W5l4-bZ2Q^0oNTVAU4zzpz!talau>{;e!R5X;6%QT5Aw9z9^%_3vCCFGl< z97z1Y645rH%l4-y_y@m(Y)mPL-Nr=$%2wqsg# zR|XufWX*$}n4(f_Y^W%43|WKXgd8JRhb5U|eSE#6DL2htIli(PMQM*Rc>M>Gyjz$k z+!6b0VUQL;2XzO`r@eBrH_RYkSHnamH(fMXO3Vk{sP2lc`g4GY^nUbI@b#I@BhLMZ zDXOAx9PJ)x;#kstm-QArX7jIriwgNMa)jfFbm<<^-8i(7KVwM>(of4{pAO zNS-aA4Za9-#tqxG8g50_`~QuZSzF?@6Ypyd2s~BeIG@i#ak;OXrXja<4!yx*8+<3u zNG%Qv&g=qX!}7_#1n6RHXV zheK}75ZulW%YJ0iL(3W#>vf7hSy74Kgt*oy@>1RIwrPeg*PJih{RY_7V!$N;sCDqh zSh4llSq|zzw7ryh1UoB)w<=gk8$#s1n*c4;WxR1%k6P+y%UkY`{gBcLJf2OP-{61g zKV}WK%4AXwY(&*Hn|VsGL=He@hp9ZYZkT3@bu3wUy$%ZcZYow&Rn2ykyQ8L^~ zA13b@fBU+zK%^@)XI&Cs`W=#Ba$JSz(bV92I7%bK`lZ%N3lcb6 zvf%HvR4FFFwZAs`JWfOQ-p~mbSq545^;3u$A~O!uj-^mf;c3Kj8RwnROSF=>X(g$n zp}hbIq$R-qb#heCBqRm|v)U9fYUUW)vbs!x#JU7%dw|ba6ycw&eYHZ)^1hie+01|vmhy6)T}xJdB0!VDv_xMP z*R=_>JQNPc#}yp%OG31SVe0U)34U$7@Itfb#DPiL*bHi zA?IJ2)5-dSvnsO=Ab!EA$jq24iq(pzY|rb(SyM(2BWKyLn&+sP0h&qB#0f+GD>0}K zB!~wD1!}XAi})FTi_^ripzchET3lj;rt!30VM1V{3$-Oss(nh)}22eltf0W{JMp91PMmuu9-J!~OLv=vrP z4H8{GgVYLD&$7}i2}54Q>;JMLpbV=E=H<4|QFs$sR9`!>=iN$5 z6K(}a3dDu4+{-=9Mn)&C{Up19?RmHSAy1%%nLNS|QQ=ARuB#Rhh`PEYGU#U5jfOFo zsmzBaWES#8n+bScZU-p)GcMlk0a5m{HQj`kj~vvAaE084|?tA9tQskw!RM zKeSlz$qzj$sklN6lYW353;wixDB(dH$b0cMQ(^~;8fF(6AYOq=ny3vtC9}CF(HI57 z8YhUCmX5VDm?u+_n*>)@5+fw|{No?A!mbg)o^K;6uzLv(RHV4y!`x>naz6*2teT{I5lne}I; 
ztaMsx(O3r?U~ckP8auNEuSJQE#7nFuoQ?}`7~ z2Ou4Tk;93P>{Fh+wKr{ITjMq~P{(LvOM#-}j5 zIk6Xis3ey`;LA?vn&G1l08}a1naIn{2N{Zi3@TJM4?gtPYBRt{8Jba$O8atZdJ!xQ zyinG&62=-XAn_<&FNqf7SWsaqR~ArPP};1kA8Dr=D7aCuaOg&BGNyH!)5}H&`Al?h;aHZ=cF1F9u6l_#8GQ6N%|DP!_q*Zx4>cE2Y&*VO z1KENl*TRaTh41+faogaLa3S&ynrbJyv=M2*!G~s_!|~CRpF*x(jq1BEuKaRrW8R&p zR?uh)E^<0_T#f)*hsg)|4ZUxWK^>Zfb0Uh2V;Ep=Ih2+zKa&DG%Yh|FT|z48HQJWc z0XitFpR-Nx;tWqGuvQTZZ0gTB9rXG_y={M`=r}YKwA2D>vTeV#^XT=AW(0!9=yi zes!dN@tuy7*b_VTY8q#TPodBX1a2EoZTPPJ>LFCV3$~vUsz>`q7nQZa49lO}ZrFtJ zFnHgSFUYofrj3bq6MsRpIJ{u55M&>UVyw)Qf%zSx%wEP7*HA{5^f}vtTJZ*b$2lAj zk3phy*!i34F15;1{je3XJ3x)=zde@kclqrU_M&5nyA_|=^myEthXMd9V(?F(IgtlB zA+5Zo`x&_X8B9^}!M4eR{3;B2@Cq*!&Ol|z)NNR`)MIN1YeyEmUYSm)r%7{=wsFSP z?Zd;p?_~@Fili9Zm=Dt?e}1YHbaPlnxS%FHkg^uxflMJX*uRZ`5Nph0?9|c&P%N+|XnZzO z$1~Mko6?c~9{S&0@o*rLDWw$#FwjW`(N#}ZU%FrBmC6cCFIn*7uD*Xe;Uc1BYA4`i z(zf;n8g_*2I==g8f4tZ7p$Oks752gc%8+YAYOhmnq*-*pPAv5c{$3PXY-5(tFilNPNSG5q~ zFA1lgonW9-+$pKM)=wIp>-c`-a|>OFTFn_c`LOTNu%_UvR~0UDj)&uu!g%*}Ny&Um zvQ1pZzeFbKa%|FxBmg?U(z4^k!|7&N!3Wqu^G%Y+%2MrK^!Sf)O3VVrYRpIB=9!Wf ztjmMruui7CC}f=lH-CWx;woz`>2A&#FE;BmIob|w0lWB%Ih(Ti`grhTiiQoe^C-Vx z@7auDk{sk;0Q#NKlwu(ka}d)+Zi-p{T2P6ExA-l^ZNMUr%LM4ou~= zAE&$idi#dN*viBsPn1*W~z{_D9lUrk0w^NnRpGap?SA( z+!udaGxD8a7sy3U!TICUIMkctXIk?)4gs-Hz|AUk8>{zClguF5+AN>jS(y*(${=$) zAt`_}KW$}QNT}j9{fJh*_B^hiWwXrEoA&xPLQt%KmF%nJLB@IizPjDep2a%Y{7gVJ zrSmKXA@df)1^Dgeaf%h9YP@S00`1*Kj9Ou9JnA$GL~Gsf$Xe}1Y>asqF>Y8>HK4e0 z2(oeq6jfr(ws55IZNf8-5L&t$E84Q;)K<9Fb~fo0_B+S2|kiGfh?u4~`f2y!RN z;~KFd>`%I1O9A#pnaGW&a76s5vpTAqjgnX^V3F-!{=69pYIo{GU9%qlP`FbK;I&jb_HHwb8}%}v@l)ndx} zEogXh4>Un1g0Wf5WWk1>+155GSdyj*6pe6wO@?AHFu_Vhe_NrBPvRub*GPWVjpJ=w zuT0jbjhTeN)0bJ@S^w@nR3Bg2qC-@blr8UZ?!rAukP~y?(+ecU8%X8?$fo*i0r6z~ zZqqPw@(I{~a`~b{D>6#&q)b~uFMX6S1;E9uG?&58OE~udY^bTvle+<^7Evo1|dNXUBD#W_SYZpA7RAwi9SlU~l>N`PN~y4oek%;%E8^ ztG((&w;o!5M7<->%?!LM38*%Uu*?lU_gUr|GUf#uPqYD(NOuIrEJ=`OV`OsaPme98 z+63>kLQ=0UP%BxQW{a;_!I<_QR}A!v&yp~gk{w@+W%Ws={=XgP#_Y)5CB{DsXqMT 
zK8$Vqz@DgX176>-y%VYZRE-~hJd3%^gj6xGU;b^x#-pxU7^LzB`ahgCUWtTG7Yu;*f~4=L;dGx^ zs%DWO6JdzGCQyn)_WtTr&tF}X(#s2xFS)N5wD1MxI>uD{z2FFTt}D(b$uQmfJ6_A% zJyDAgcPw)Ul*@}D8?qllgR677@%W5J<5o4%Dxz@#7yEAk#Dzo_x!Fiy+bi+pg6UJc z{(I!C-sc$Q&kDV&1(LY^j9W%M6Nt|DMZzD1gYC5%&5#anmHh9F8-GS!o(^nvDxsuZ zl2N~Ai)k#St2ZfXsoTgWU>`{67c|#4l`dH~5fV>g{ClLTP^?J~AMnXL_>-OPRgaUM z^Ow@?h^2nEv3ywI2u$~hqY_wuUm8_VNeQD9MZsQAw|8E!^{OA75ciJLb93OY7B97S zLsLn&Q)qpS&{EiA1~TW?gB z_y=c-0P|Noe?oLqF+5J`WY63ok|u58aWW#cw4*GEA7`sTH@vGyy>)c*Ew4_`DZTaE z{C(ZeX|fmR)8aa`PrKBeg&4PoqGdKzbB{ zqG4WSG+JxHNyDYngk#uAmAq8eF?zLrFaNk|VctJU?;oVGyBQ>{-&UwN3siG%&Sw## z(Mkdlvs)3T@tWE>>+!2gQ`el~s&AbQywaqCKkyN;*6zyRomZ**SgOu{A3KU;ZY3j0 z-xXlr56|3n9-{_0W&iA=w*)u}ApPVrgH0v&K;RjA<2^PyPT^Iw&zNu$;2|8Fx(Up_ z@)FhlI+fH_u$sI7Yr7WjhiSzQ2+lO&$#NIaw4Hhn=Wi5mt*CD0>eaLmA=L|kzwlX) z*mu44H?wNII1L@FO^XLZs(W^6W<%S3Gn+;T;2@%h2>;xYO5qKgfT44mg3Y9|^LJS{ zQrm|Sv5R&A;4WLE2$O!UTm3h~&;kG4qIy>U+@jLNb3nm2rCnvY@ulpkOBBEa9?!rj z$)Y1&&$VzIpBkaJY2+-jwNjz?YLIuUYpmVdL`GEK*hAq%kCQ*W@@hqxlo%cStO0Iq zS+7ER@{ibn5-aY;Vmi;Y5mQ+}e&q)>Kb?5K=0uNNG2cH9+6gCb0~TZhjtBNFmmM$F;hthRZ@+75XostrP&mmd9ZaIy~Dp z-+2qtLOT9=vu?+4q)A|JY21u`k6o89Y_}^Pu!lEJ3DGw`N}>9|;!hT*geYrK z7O1qj|FfRv8d8EKuU2;lBw0dS8J`2g4dKs;O^rl+z<1|=As(d9BYu8a^Li{IGl~Lh5eby48qYG9%m65Jut~%u*#9uh|8s{l(^p-zc6eb3 ztZ0}3{PdTyQ%A4G#apJ2R4kH!bYF0PeT-oQ5?f*W?ABMfg z7hOnfgZuB+fQ?9wEMN7-#?M<9v}4u9FBOkU%%mfSHk(dWPec<5#{k_WIoNuqVU;>o znO0jNsB(9MJ`isXT}A z?P+Us;nh!v6(O!NBL>!&RiJWU6l+lS%c&J}NQ#IahnUG^i8mXpU#P@!!vC-2#MYp^ z$w#m>Oy)dwYMRj);waAMcvNJp{akCt|AV!}(3m}J4*VtXhadTn4*kMas6;|oFMuuF zZ0dA^ZQ-Uc*)y~5{?U0Xw|wx&JpEkWYFe0WCYxeL^gA7xsZamNFPIB;1orG?dovSz zGqt=wCDewg{`6mCHT$g8>m%!PKO=Nyh5jhe<85_PK6T3Fy7n%!0x|IQ#5r*OTim>q z90P6!G%(#?+=3aAzjS>_Z~b`Kx8sDr8sX%#9t%@Ao-*K#q-AWQm9(pfC`^)^=%X;=e( z(eHpd+Svyh?AlPrL{{fkKglS;98g7n0!;PNQkWHPe=ZEHZiz_1l$Q9(DSV3CL7CLW z>hH*!VB#5^P*}K^yoKn5zLZ$a_o(Q%;y3yH8!_B+w)0m7M(e+Wf7jh9Iz1LvG!N9h z^%WMG3oh~&XgzKn-5?g5LXLJbK+oH%$gH$_{h@#7l}*UytWQY&26+lGn1Es5o-wu7 
zcO$Qlybk%#HJ!$zy%@k1pEqC&hK%_bQ4Q{`XOmTPPE{XJmEi5W`epz`f^fY(W>!cc zh$fGWbU=S=HF9-6bn-a6s7zX-mo`%%cQao#u{PGfY$F+stjzFHudiNO(2LvuoVz~x z8d7XAfqCW;BCVV~=qF*p9t%!p|G*k+-nDyXtI<~4>H`Y6RaRo(Crv0fXvMT1Q)?oc z`F`$e9~${W;z&$Vh6C1X(I#3)0on1WMNV4g+NzZ1<_ykp{u4_70C!M<>Cp0CJuSyT z(`Bbv$Xl&$b=cWnE!@%|eR4*<48?@#7_o3@PnyZKfq z4ydfuw{=whCAikj_Dls3)xNBcaAX|rCmKRN*vzjCXO0Yqtt-FMiB@-n%2HL$9dHEm z>yTnB4yFezrq!;T%`$qT1wgx}TbkGV3_L+G>6Ith4rfSoJjSju%cozkvpIOoVxx zt*B_iytRo4EyF+Qk*>u=Yj>|+*7#|jG%X}vds1&bryt5g3KZ$L&r7?cz@^>ZSUY=P z>z)}VGUnBz77s^rt1XatL86VozUV_+;JvThgD`+H|`ezTuPXsvhRshpn>5b1bp_EZ|3 zZRj%gKF_l9{ihOk<|0?peAF#UKEv$t&%i!@t6JBDqvaNsOX3{I#d*nR_Zs~=W9=K0 zJ>e1moVlKo{Zohz-NkE_6!;&R6MzNr#_XO3D zKR}X0z3FZ<^W=oOYT8OZ`0+=(m73Sl2osIzBPwwj>544YBF`ZX^;uwbc%l-Fv-Q5WPK@Tm#e90WB$bw(kyXjozG=NbnIl( zkdXqUMWH9i+TMr= z;74*jD(v}17v(W1Ny*jY^Q-oi%O5Eb$*e`7HfufAfl5cZAhob23Q4n$jmQx(pB~3b z@ypvByygF^?W+T_*tWg_5d;LJLqchglI~CtkP-n2=?3ZUkxpsp5|Hk01f--yK)SoT z9_kwq&r$FB?!E69{_*I{+I#JlzqMv&&v+v3jW}lq_v~a>j|VO%J4w&{xm!7q`)v{2 zza7`1V)$`t9?z#M7$GcDXM4;CV{e&^+u*%sSncbO@>`1-&bhAqB^;v1ubxS0B#}o_ zei#UgqS$chSN*gh_Kv5$eQ2-#wYpQsc9f} zDwompWA~+v%5fYFt44{x)hZ5je&v*C>Ux&zxaM@9?Q%Ma9I_;3PkWvV%w#0XD-q>y za4EY$hltUVN1lgxh!M2ed?On~mq~i?%pQ*=(U0j`KsLmOeYDdW-%#xA3Gdq$et_G0y(ZYpXU-mn`9ZAQR|K zA9K+lz4Rr?;sDT`d)sXxefgz;#!&IS>5H$HWf`3gb>(4&Od+dC&-G$FRy$WUX5liZ zq(wj9CoAEK_Qh%n1Rwm6b$&vuc`*1Bdo_mwR^zJhyw$O630G?!0B#41j~tidZ!W+4 zR|SQB?#bztA;yAKI7FlabQ7mJW^aoxjrJNhR{*17BFk;74T;yCTC;^+MVLp){V){S zac}F(YFAO7FQ~pzQAt#pvb6BZR_!*Z@E44FKe#0|zEKxeS|NP<8#?CaPHfodsM(dI zjOBBRGOUcaHi_M&59O^HG%vQh;aF`KXYBBo2t#9fQ5D2>?vm+M7<3yS26rAX4bPb> z;$s5Yyylsy{EjAV62vepO~-0|!TcikYgrbZ8WpCa6$Fj>WN9zH(Tvn%#1wJ+SZP9H zzD1%}Uu2QgEeuJke(i84nNEQBJ1K{niRIhtmoHVR?`jeZ*sWj7(kE3jLPCBy#d|k= z47!HufDjDK1W6a-@a<&F;)w>_O!&UzEfbD} zqu64I(F0AQh%P30O;;ssNdh@m#GH7D5v)R{GMjkBE5T?i3pK3Ii5Af4i-JEktTZch z*4^2wimNzfbzzO-x~PwBdzV$2W<3NO7_f-aMEmJuvWjrI!@Gj|@ZFSiYM<@zz^z#f zIV$EION|Bf)u=ai8$6;$6p|FeFP0Ar;ts>7Sb86y%96Z^_N7|!TNfSl;@&DF!$I+H 
zXFCC3b#?4Y=_@rffANOD$KbXSToxr~Zu}&}mR#0I0WbACDi_-kzm^AGm{Ri-;@|Zd zlD`UGRyHHWd36fn*SBTcDOaAQumH~B)xIkm^5rb{CIJ?M&WvS92I_OYDvu2HXAWTu zB?MlAFCW%QkjUxkx`ojwG6}VttBla9pzQA7sNCP=u(NN)PI;1}%#p#h?(FB(ZDCBg z=`R&RWGxdQmRgP8(Fr@#DT84&-o-V!$`wx z(xY^5d(2i7mUL5I2;l3-3=4WLCU#Di3$-ow<;4zg>fCSHd@EDpE<@%1kftjEF)oQR zd8IgoU$o&!5yy1Df$E$Hba9eogWZm}ooDI!j@0eg-o9C(l6q-5c!%@HBYc+Cw9_cx z);_|*9!1m7^3dE9Qvxz$>X$Q|@GMIsy<;LxhzGzO|Tov4*5DkT-w! z;^9Jmlglg}fsNbJsT*Y8fzn$HNBTXMQv7Of*+;DJ0{(nArKKr0ZJDy5ShjMp&*13I zY^*FHs>&Y8&e6G`tn}h@64K{^%!4Lo&CZSu2SYzDOPJv$iy z4R~`$M^HsR+7n)6R7my|fiQV!Wr^23PJYDBDd@CdoIUo;cJIQPu~n%@rn<->N&41p zTcKUwfi0aZjdM3QS_;F@nEGW3dr=BZM4oE-)%}Cu#iQ$Mc?Xq2V1DAm>yTEr$C$6P zBcDB(#weQjU=TvNcH55q0qSkZ(LquVF%3W-9`&B386~~)AT;PbeqEE>;;p{pD$exm zqy&(PrA*yT%VDpwhScIwKE+4tsf^ZJJMM^@Y?u|V0G^Dae ztSa}-DfqBu4eI8pTkH3n{HL4gf`I(%HMzFt@6~M~y7zT*f;qZj)rhZ2c2!P8?Rrc%y$+0Ow78vTK5ZsRgi zB$;BeUY(fl$@0+XQxF&Aqd&yMtTG{FGn%YN64Fva-&iMd0?3IM+7xWKjE$Vg3i8pl z3+$U3zFh@=f#^ffHwP*%pM=^WS#GTNQxqTKrIRLJ9ArG78onFQZ|Eb+aIv%4d}*@t zd=%EhuUu7j1^Ro!^d)m?rb|WJn^S$$(`BJjvL;h$L+n-JYDSJZcs++~N>*Gew!U05 z>^ngkVK|h;&(Hz#6qfM2t{gZHnEF|48~e(N)Ahc+&!YLGJV)2JD8!QUh#b_54a#co z#QQ_HN;=NV)vJ~#Em1Fw!$;MxaOoZPW<44UXDeIC_6?+wAR!LpnNOQ~K^A42fLrhc zy<#tlznCO?FdXX9dwYS8W8swsAJIX;+f>S$7gBhzB2)+f20hIaPrXoTHnyxArZ$Vp z3Y2)gnKAL~@2-#1QhKSYLy*1GwViJl+9F;(&5ysMG$g2&;Ts|BuE@qh(^M_k$wVa@ z)}kxR`br%-H{s`wxq5enjfnA7-IJkxEP~bAg>`s`$6ehU@XbhTURDt}tyTPHe5FCS3__#a?if%wT8Xb8a!(qtFp1$; zt8`})&{EFqStt0~^;x2WHy+Odx$ZW9SBiJROx?+;NDULwWhwIUPG3Qez&>HYz5F=z1ts+4V#H1w z-+*+{^-1FEA=j4$MLjt$g)VAogewPjTDa^Q5v0+@0;~vc3#Y&9$a*1$#nbUVLzRlk ziTiV-txjeSN~x>@26Z%$EC6lr2*q6(&pELc1D-)S;tGb6R3m1Z5~pM%P3)iaqS8)7 zffX_5?XCQhSP~d;FTD^)JHAkqh5Pd`q2fvpEaXNQl$(1Ke%@-g33iv{KQ(>~V!(HN zWwwl>1W%uE7e~#8wNEZPW*H|RztE1eq`3Wcd@SC}jfX&0c_)!PjPz49&Ipd4H2&xd;%l6tzU-4juSBqrHTI6Wc3-DIitbR@?{>2?oo0_PrA>|I z3^EBuKk?7@X! 
zA5tW+1~9z}co+-c;Ft|U2f^kDnL!rCfwk{V(d)HZ-{Graf&?6HsZTx>9IOtfx`o0@ zRnnByifVn!<^2AERb%H0eAF|gX`JzS;aR-<`Xz}X30$`u)(}XU$BiGDH6O$1csbF& zp=`y$(e(mv&IFVw&8QhZAu!UNsAwRpI8eVNg%q7fTu}3803X8?E_saE6&B7nYXC&Z ztCmCQgNvE^Z?0M;_m{@i3g(a91}H+uDVgNn?pwTIdPK0lL&4w?jftm43vYzZIDzD4 z=)IdJ7Nr~dUD#*?^6Glj^@b}J1hxI0S%<#1iPbI^Z=`j9R@+Bq%>$UYYRB`;;B~=J4)5gF)nLC1TPF zA@&8@k1fMp@1)5e;{co` z4Yl%o(Wl>Y4mpMqvmXo*MqGWZ#rR$pnQuZP$@mKepeC)-J-eDZl@?(bEf-5pFrWLT zxpL1|;D*dP$V`B~gpz0YQiCkFL6o!S8KIr61_9(kLo}hupx;PIm)Vhi3Gk^Mkj3_R zFD}ttQ&Rku4u^GHnLqq(*fM;Cxze+-$(Pgn+L~GZ?h8rBTD+q5hxT;iih#^6Yvw6X z$`QA4SNlB7ac~{T*tuw0H+xZs)_4pvuM1|}%(QN2?fuU|sc89oFyO<*4~*^jkX6cc zmQf>I0X4Q8N%7$r)NFTZ?MF;)p5ekBDVhjqv3N`GfATc<-{aWl8d!&cFe;~eU%HUY z2785NQJqgQ#B4sBcU7<{#0C(SEG6ef6bL;i5ts;K4<(`4eJ!b2prhn2~Y890T>buurkI0}@`C-KL=*-Ob{Gb%t z^|=(IA`{p6S$t6**3C@2;3v_HdG;_Xu2orM zKLPyukcA){@(v>8xJ>)|1 zd+q|eh{R+c(y%k#m)*k_Emb0=r;}n1(GlUV6S?;{I(WlrP-hHEzZ@RAn~;vBcHBC} zK$Gt7FFK-`p;^vaP@cmqdafhJKsTh?1=ApE7SzD7HbrbpBx`%{4siG3hMT_oG~oT0 z=F;#Sz$~%Qu=X*vG~1Gg*M%H&E5&6(DbZ48pejcV>y(0OdR?{d%EOMfP$bz28)T;F zi+fynYCR7$tl7pIphhl;?k(GD(tkMwKfr*kUvdubg05%0L^s%^FniMM+*WPd}ZrH5KDA69bSO5avfotV(?1(*NN`9t*HtB{ue}w z?T%$tj(m~@bP@^-x|L5A7Mjpi;=N4>E`dyLM`&!aZ6!~75>tylcUZ79nY{~GHV{VO zZRR1|*7>%KH({A^aX6m$nI7La$$#*(Ks#KWy20ly{&{Pc#ym`rs zlH9lpo2>JS;|oUNvsD?~s7wmH+sib8FY3FDK67P>_k>~n7;)WAA$(O^K=5CZPyF@z9i+%-mvLPyX&so z*MpkJHJW@lWUN{_=ZtBi_Q+-~XVgoD&W~$obe2l_;)`b-2v!dB30v7V5s)|y^7B&W zz0w*F<1#yyT8p1n9{G_f;xuW$t2w%ZlZOO;Sb?r5AE~i;NQNAkWZzR?zR>LE(%F>q z;q84fb9D#Kv{K}2sYbf_Q#+ass_e+!m@tcRe`Y4UKwBm$226 zoxFs*RsLws`5+nwy@FrWQ1Ho95f}dtM*VY07I#(MU90rt{RZinB@Ui6Ou&SS+m5Fr z=59{!v{vQ~3+HfypT7tw5vSQ_moK(|64%_oz=#A4-_k%Nwr{cOlx7s;4=`G5TR=auGgbVe+jTU2z##49k17x@(LnWggWY z0_jR^3Iz)b{>o(@Dkz$o2N^H-eK!*Yqrbk_@etns*BeRj9oT;~ z>uea1E*mlNwT^cpUD2uLEO$}IH@?syUFd6q7(8(i`kgy%X#%%xtVZ$gSTE@1!nh-I zJKb8FMhI9eG|1rJrDOFXa3ahhz9_Oq&(V7aQ@Bewf_LAwj`VF_lM5@d26Wi}x?N zab(sd(A}dd%PCln;MgSL74@O9>2gyNSGH-&uEdW)so*1(@Nr^foX#TzbnwgU%B*yk 
zYCmPgJhM!*9SG13Aw|n5&X+P%^_y0lE?-j~$F&jNU=xnWbg= zVO{vA2~dKmE~daE@$_gOz|ee)Ep@nF+Qpc6of+jLE$Yeu_51w5EO3n8-9j#_pz>)(jg8&#nmnSDx$L3b--|CZKMQrpei?CS^*izO4@|4tuU z)*!8*2YuMky@g$)kKkJUnrZpBspq35mN?^(Kyw@dk8^J3<267J?uf|OuapR>?_DWQ z-X&BH|NE4sa3bf(XX^a?irsn0MUCia&-VwYo9f&oKf~n+eM<3?A9!k9@C0pRC=pAm z<^a!aIH*xCr@OhKa*9&cgk`E;o+Ijgny~QY9dYmUa_*NQW1U>KFXcb%+CP7sp`S>e z^30Pa?Own=y{~3I0&HTcqg9|7RejBIz_@Xhw=Ga*eR6jX2-BTBrhW! zh`RVDH>ZJ5`v@vP?>Q_{HoS}&yD_y<7^C2R_Z^ukl|>-aRI55Fy_ZW3h7tJ{_FG{q z#nM85N5&0#)nw3E?uKBjXpE*V9s5*N@T**ILtgRwZ61H4!5&)68w|D<(8Qx_Pq9ZZ zGzg-DV3wApvue4}XFS)gded<0(eu~-&HIv13IgLkJ_~wR_7zSZS6Cr{EvAAzZ9*~* zo@HxHXc5?nsjd60JCU*eE3NW`zmLbxm_a5GIgLR?Kc z=YWf*Vc2v_pt!2Hb0M_BT&9}y+ALj@8w&6#{oNaEJ(Zd1y}i%n<3gcV#-GD(-p*VS zPBQflBSSzl4a1d}|DIg@$#a^qL(6zWZ~Xo+z{2z(_5O8$gzk{oRH*N%*lloMhSl_( zVUps!BA-b##VH%&s=EWL^LD77MUgv(L?HfJ$qWnI^-mv`_%N2v^Bd&bb7+)&xm<;O+k-YtQ=cxOZD)L5vZY&+p z^9A>9R<0NmPhg{Aesi9F3{k*CnGG6U1p|2vA(FC8y6l5t&MIlE$&mcbkh#Y}5?Ufo zAuW81dE9P?I15G1tI{8rcXyo1hZHYmY}b7@g4P@BTE-|}7bLXTgs-g9NjXax_LAyf>+A$eG=p=-v!Vhr1^U!jp6{FuA|h zh;G0C)m-8IM_BO)y>Ifp3-_Wk$nMrV;Ln?|MSS34*XDWrL`oQbFvj6?iu_Zcc5rb)v?*c8K1`egWl^6^tvV-kv*3mvNgvjzOo^xmt(0`%v8BBWK$IOC~ z=ub#wTeESI*;CT72)RH)Pg1+AA8}O+UnCWj2fxy~I=hj@J{r;sUuY8>%NpkgRW<({ zc14nXMJ(D2`ino)lS<#`Tz2wcJ6hWDoWOHmHG7=`Mkl;Eh4UKfF=kq*%o+~6Bs^tP z+oJEZC0AUshI@%9zkwF6>)J{vCiBoCa@Zg5%OVuxVWUYV&ri*Q&C<52T|xhn^o(K2 z;lRH2SU&2}#Nrn3PC`d6Pv3~Byx>Z>T}06qq-#dxkw@8LlBEv|$0iWd&RMxSs&|)2 zh&z2zAi8QZHkJ}GHc`TGfOwbFN9qCUB)n}H70STv^~j?X346u!EKC>PPVplV@)Gwi zuwxtfA0qM6Z)L4q6@%%-tS^sN2hilgFiBPPz}=t(sT>_NkTX%di0{P#Abxq=`PQ%5 z*F?jFthFri0`)wu1OUiAmcK8f!S%5&H`rd*)SIE$rJ0~CxkZ2HQc5>r8l95Ze-u5n zhSOu&mSi3|;~tkBQGr7xlsJs=hHa9fqXgNB8pD;0!brL^2iZ|4Sc*Q%WPLg5L)x6@ zA~p-g;`f@KS6e&xzpn4VRPI4Hb-r8{ylOGVlSdTt1Z~X-08e2#%prcoBhH6iaqz;- z-`5e!J zhW>qHd~GuVaBrH`dhBJIupKw{c*d9Q5R9)CQnv^1vgxo}eR-i;)vJ*l{y}~6?2}PU zOV#=lkAThUucXjh7q3wztNR}qteaAI!W@{?L!**EmyM03zzPg~#^m!5(`Kn=d=j3^GdUvY5_gJZFxixeqSjp?rV^VWGS^yO7YAzV-(h0|w3qyA6ulr}g 
zxRXhP&ZD$sDs2M($yxbPhTlTslNnJmy>wg}9#!k$;+18;`F?O;)SVfgjSd_Ig?Uxo zz4mjo??LQJE|syrJteL1vc9XeufXXgscI$_(~AYa8hv?d#vvx$ZUb*ot-zPB4f3Afq_iIDtX{xkkeiruiuSU$NL{Q?ku4(b?WPf{;u>mUz^$)Ev zf*Q(O_P@59JSOxo&phKkVLB;uRwNcN;SbEY|Li59QTy_%Xz!v?BEP4&u9i)>5Wx1W zd&dkB^V|$XJ(2(=8?64!P^)&kw_UV)*C3=LAud&X@3jvObCFQ)`BBNmoC(imv*0_-5aW>5+bewO!gugp*iRe`=ATg=0S}ZK-%IU&(%GEJmlRpLP_^mitbW@*e3#LIDrI!zfccYz zk>pwemMYy;&%~Nt;lS=k&n=p&2f=iC(1|qCWLh!Yo+@+mqBzX{{>L>q1!EuEco$jT zThN{*NY6#~(6-x>QJcYZ6Gbk@^)41%(&u*tyP=P?hUgCzVIk#qxdM2=fy8>7fP!-1 zDw;$4Lx~vT9g0Nr5C-uW_$#R8T&bs<+-l)dnulx_l*LaSlwYX2%zWb9yW|ld+LL8m z{OIDyA!>Ri&>*9Sklx~P)se|XXFfptfK829f;+<^jyJ_5Y>4)1zgtUpX2YT5p+o@u zO_QP55sVEGS5vpCkI{nGU=t@=hbT^?`7pWVDY$F84kj2k6PC?)nP<;`ePQSvBr*Nb z&hv@qv4dlOT0y}|K>)V_apxy``{V`%gXefeW42F8Q4sDYcEB^-=Q&Nn{{(x2mU94W ztseOR^~$Z36I_K1$=nG;iGUC?)G3WicvcSfN(EFJa9?_oGyl?S4xrmBj7l(~MM727! z371Z!Z^7d7F=)T3_zZ3VU#*sx7^gp-9z!S=aycN~fR?jE^h*ugGE+kxcW?!8KTyAc zmx;F7c)UQg6V+Lqe}#|MaK4)rZ=`e#bTBp?YdF72b8C4VPrtPV_oKt@`X*E3%8+C$ zpk`Y&mZeTw*dtnf66}-kOXeiEAY|>lOA0}xxHDwo_r)L9m-WEcJ*81tW9h9ABRm0S z_Z9fB&SVk8^ElfQm=nJn2kcje22WYw)>BA|ri<5iDn?}Jva(zf|ox0zFOE#SQ&7vcG zOrRgGgN>Mq@%>)g+XN0lkFe#%g^XmP&~oj$9eLH`>Rz2<7#1+A*aKVG8ckJgNDG?F z^x_=XA;;YN*gaju$d2rQkoh(0eJ=YcT#BJnA7o}96Sq7|k%G^!GYIYt9@&fJ527v; z`H&)|TuzxN3oGxb^k zV~n=%{LAn$j|Aei{BwKaVZus*GLl2kP4ajjm<)_C$%Lu;g*Gyg!kYwtT;&k0LPDFG z^+gbm`r6-Bo9a2de(~IWBn?QaPI}&u$ysPNIeE74{%~IU(*88>$cw^=WMp^4P}9So&rk4<~Qv3HpkB{ zjYsrw%Dr{eO;H}bw%JP>1e{0BaTbYu=r=70Fl|)Xee*F^che1pk@0S;M>;ZuBX3k9 zSq1;ljs(Mwlz-D=f4#De51-S*Zruc7kff{tUej;teJf45LpTk88-q=)RTkYOea|hT zHeX$0N_{SSGN)NV`9yCUn|GGQ`bIOzqi7NcL_1J37+;r*BLIyTU`NI4Vp{>{wf-Q? 
zF<<8$Ul{38vJzVAH#O!nf_L<;T=*wJw$J$5o)+^JUohI@a?j01`83@?v8d8e>?Fd4^g%=9sqIsjd4P8tyetE0`m0OarPt0Vp*ES zI}ZvX$q^ft*|wEa3Ij{LvrXUg9(=M^X&{`3JI=rw2Heoo=NxzxP*K;4t$D6uQI(9a z%26?IY#izk3yLu*%$c(1MDikG_;M?!m}p6<5tHXC7DGlJ7QaL5EPTSz`S^>QM!>{oqq_gQZLJ1~5IaL|-N06B@a@^`;_67^qnR-=Y<4|y zVwQ;72-ol|zA9-XD#h|L+b%B$YrfvrcU4gfeQu!L+YuZG!5wbN{*~Y4WmMotY%t4h z)@TV?6lba0bhy7KN>25kx~Ok;0AcH5ani{y&XuN{moM-X?pq4&PX)>5CJpM0e8Nue z6GK}j2#}EfjGl8Zs2CTEwMRzzy$lfxYiCZe2c1Oft(#UtV@)JAAd&E0PhKeMFc(}= z)C<<0A!Y|EH6b^ccsCF36%8p%S8ht>%Y~H?T?PgJNsUZ_3gpR^alkXG$zp-UB*vOs zPL|h0P2|bK+oeb{k4NHlp|0$zhRJg3a{3d4ZRo7)0w`7|Jdq{bK98ztqfq4l8sXq4 za>atEKAlV1^I7CzS;vv2?8xQgdhgvH&HV)PR3M zF&96+wC&^h?v-lJ>U!w@iwp5oc8nh*L#f5GQFhP2A0h*Q9k^j>GL;YhglH`$c5Y1C zJUx69BeHLUAhqWHLJ^lG)|UJlw+zq1%TEkW@$(-wT%I3oTkIM}xzB7ea6xkC<|h!d z`>ZYPELQ3k^y0+D$$xdo8){jw zy@YcBT!w%PY{8?W1B(*y$+cH$m#10OkeT->_W9d3!wDzUPL!#%!LvVJHRXtC$e#)A%>Z~Fj*o3P?i@@+`4LSeJ~XXw+n;`A zHbDo~dD3PARY`cvv--T;BdRazbT-ggYHib|?lj@N^L!2O&}r=SQNI%_vpy4NLzsg7 zws?MR)F5e%n#!Y>(p9k?8%WwLv5S0|8SBm^EphBHa@|C|xDC#;n?bKnKh7)SpKrd6 zB0mH;2=;M(csGiL#?OUC)Q#v5=6ohbc!9d+wxmO1Y2#O0llA{QC zbPK`6lM}h$MlV05_N>H;plR&;I#=@#@>L@lWUvrH^J$OMUI#4g{y zhzu08ybO0z*NAEmoldu0Fp3?S7!ttLT!nmVoGpYbGp`m@mAqmX>g4W6zFcHikYDVz za8%2*d!4!lFvV{$?8Z;zpbzaWGAD))F7SU>z=<1NIUmWm`w`U@dU_^hpaHmq1OtG2 zgTvwZL^q`^Lw@H$+o0awCp$sj&HJba2=Ah7504i%(d?3J4JkJ-Qc|am5~K@xf=}CB zl5Bc=FI=pc-@0^71T%ooRu*bJ7NYj%di-jaF$`n;7#fJ<^Wkc&W|udPj}3TuCK6Dl zdMHKA4%NBGSh~|Vz2$|#fuKPEF`uQ+G7Z8>sZ$dvy*@{oZJawF-i)XmFH3>ChtP2RWr;GlzQ8q!`f$qoB{4R`3 z6AgZ;bC4(5lT%h>doc$ibqriaggc0XB4_A3UInQcsvrDo8kU!ba$igU35u@uC$}Ao zxJPP7S~7CFPd9O0Zw(#gej$eK*h7k(W){hU51yK^d;>_08!MPi^~1{qbM^+>m(hG< z!oaHK%9_I5`IYEvE zuj;B8MU(J}M%yX#RoDU4i#7Wyu8G{s+RMm6{;7OYNFceqkAmz9DMA7KhI+a*p;)3V zFBNEhQX4v_qk;i5L3S0o5*f2;0&II`>H15Ey&TMN&GC3v z8a9s=u30P*)WJ;073MPgo*YEAZ0TAy*sI``PlDtj-;76;3D1T9s{h(A_;)ZW zQMAp+U=w!m?HuS_FXt?b`%>q5ST^554T-VP(Dzy`CW*+7#}4VjBE{0qWr*LH!dEfW z&D^hWC|mkGpB=9+BmOs;fJ5JFnUaV|Ze)^16=A6bT6Cgm!?kxM0)ljs?1@0R0Z?!Z 
zlPfzB9vY6DrSPT;4*e~78iZxh0Uca!8RKQ=&1w`+wDC!QlZdBVKw0ml%d7+Jjnr`> zfeu7&zb)l+GrOTp+SM0AG z$`dT`!|8zQp6_Fj<1hXMk0N8_K=ZiWXuOD~4RXYz=$wz{=}#dYx#EBAOdgnb|7QN9|C)gR=)iwxl5d(x>F0}RvcGCPm_gl3 z%7s6%)gJ*GlTP+WB7qwHV@Lv5F>{3yS1}pA`-_MES*3;lsM44JsL_>NKSL7uhnNJt z465)SLh?7A|1l)f|Mv3#&dCl$z)vqf3^#&9B~0hB7BGqd)604|P^sZVbD$5(ji{JR zetKZkgFj^wS8yKNXI9KO*8y{rpk5N$cszW|qO2Zm@Ye|p(w!OScA$TylSa#=@oQf5 zmt#$x3e;$224HUT7coYT+5R5moFLQ<(%_xLK{FG<-sGKZds=LxA<$|_d;`~kuGdF5 z==p?V@NUpPVV0hGn#grx2fBv3wuTb@LhjjM?%BAB2fh8y>m%;$74K~aW@@??jXunvE z<9fB9Uip1(&}azGJqQGU8SVP$7pnkL(^po5`DwL3=~B~HQqzA~P5k=kN9#*vY*1&=+W=TeSX0$u%s})1bl8>AYG+`B{&v_TIQUn+ z>_xKiKxwYZ(Eq{Y=3o2)T(5K!3_qOh{j1IF!NI?{OKKV!RQWm*;Ja~&j-F2s@u$Z% z{+!=`uE$8nJYfbW`=eUp)uA6B1j{fpx-nlj8CPi{F%4!Kc;c$&7(D|DU|r9(2f(vG zIt(z@Z(-P954%b8M{equxZp{S>yGEj^q*i8uSRiPL#y8Yl?>0olRekX)m0udy6Iny z>bb6;|6T^*N{Ig?!{bLZL6779GK0KD;7E*I%VWK39kP#WGdc7OZ+bg$`Ig7x`Y*BC zXuGeMpOuucxZ5T1Gpw@wwKaOuXoB2guCmDo3m_(#l6U@;h5HwG84Iw70Dpd@TT1}* z(%V#qzr%Kxz=iuI*3xpo5AMw=v+-tshb7jMGj}qFW7Ch&$v)1^?Bt!5<>Hws ze~~Mm6F#2vM>ff0F)%H?{jaD%2QvuWv;XyE!dK3UIz12drT$V%s3kNq2K>23zw4Dl z{#g0SUR{1a>?OQNV7Vytw^Ben^HK=OEW%B|&i+ZiA~RFo0Pp{pst+0rG|E+;%Gb8X zKkbSC3tzJQt*%4?gnmH&|Azd3PqkLukqPA#0j2nfUFcXM%6j0>^}@ilV5ENtwk|3U zI`_Jp_Q#2_`W%DtOOW)$lluEoO8n?-{*erF`){ehpS%gL3?p<^L*;i!tb#bKNdAIF znx1P>e$JfKvPwCUOMewSnAC6}w)U^LM#QNaZa+t*;sr z8a17s$G^mE+|1H(_O8Bcwc`^BxfG*C(F2A2> z9G=age5@w85(=So-Cx~@%&io-)(3RdK!T?wWvh71TDSrvj zt90f3;A{UA#r}y5vb({!|1otW6ts)fb=}5d0GO6M|A31tQT_&#|1VS!#guh=sKF=! 
zeq22wULn{YFc$HLT))Fu{BJM@!c@d>DE6=9Us3FDDv%x`2Il$_xY*wy_c!?m^$!@6 z{R1tohX0LX|1&D^Urq*LOevI8|CcEF4aTlfjQJ0_{y?$TU*hvBTbZv=4EP(U{)PS< zjQ!83zoS^spC|@0yFoDk1i61h{y(RJD7GZL82@iktcTMI_zhnFfHBTLV65kN82cCU zZ#ebeQGsy%tCoq=>JJzL3-)g?26Foa#{Sg^`FD+&|2y1g`y~LcVCpw4 zVbX8@BgBw}KmWXL0;r z-M}!Y=l@`kr84H!vM{D^N0n>%QpxO@SXqoNxoxec-$hP~xwF9JN5kme$ni>4&zawl2E&^l_q=#ya1cHjRRGjNIu)ka0mz~-v=wrK7L?iR(#6XE9Ufm$Q1^JIytfm-G~>Z^b4%E+IKi=RQDhUZeRl;b@uu(a?+_IDW5%#c#^ml-%jLUqXlAVQ#L{9`~C8)aCE%PKyiIx&%Vg@=&Vtno=Ee| zPXzaU@Ynj|ixPlHW8V)RHwtwd(yV7?TR)OJ<@$Z@F8>ZkxCdo%o#SD_!NSSNi9X-A zX|&#D4C&=PHP+@Cai=}H$fU{6Mx4=3AEHI}N2k;5jt`L&A?#Y)Yd{wN+Q&V|i(Q*3 z=I(jwDSe3@fm6)3k)gV&*Ih}FI^n0%XNHrnk54*TVm5$D4ORx(sn$KQLnId0!WD0-|+OW|ACloI{UZ zV+7ro-gR9APU~S?rB7gR&lfk;rPR}%8qUn@LJtO4cQtwsGZM!dfWwQ7jke3zCVaVO zhkN_$>cH3-`2U}un6S`a7#(z)e3>w|n>lJ@ukqMiTWJqGR2W$=+1+^M#1noly-9TB ze00g}bh&PQIx{gSNs5xilZBk$a9~=|c4+COSwTFtVF!UQxZ2z8%&h7Rc?|}yokeZ# zS~@9REEtuHxH^|9)t$B->})NHneYDBn|R4?r7onFNqjBJV#ULI|-ukW6k^Bv=%_Jf+7HTbi`la|BXRZAP!vNthSGJw)_W48=GxxhqKN{TEuK~dR#RZ92!&E!DF3(3My;;Deyx47Az(d6x1E4 zEWSsIB@f*QVPUWT^~4MH_VvHQ<^30aoZ<`UhW>F1_1*H1Q>X8wZca%Cb0J(!3~8Nq zLI@8DX8SSnOE5n4a`-|p$%8ARY^UBOt}hhS9yBZzF1YH?KX2V~?u0YAVTJRAp#7L9 z6M_$O5(1vX*MA`n4TE{>Zy{fWEXys!LP1e6LO~(_q)>bq?6`2sP{M1WbJQ&9OToeKz)ASO hO@;d@+g4*vuEuI?+iL8j4H`GL&54~%@}_s6@5lFR)|z#$ znS=Y#?&x_pm;dggqRe|Jj5lxIz`n5*_Rxs^SONU~EF&XIgn#?`^}9E3P+vbx9ZVFR z9KJd;n>aX`F?rb82E~qA_pqP@8uZ=S57)-C!}fitI5pl3RfgZZEr)#9*cdKD8N9U^lh_$BPpEo9vV*|mzFY_!C&Qh%u%n5eL(wbL`*XWw@)5#-Z;g-e}nTT9w`S8 zIPS2CU*b+;e9*vHab(p+4URwUSG|>;kCS$a%Gl;EFL%hm=aN^XFtd?P9U`Y420vfJ zkh~4e`2j_fcrl1SVem9gCLBY8&B=MQ_{h9Ao4(d$aOA~x*AF=~dYlsit$>MMzz<$J zzLlpD;I?ZM$miHTFK2_}eSpiLswo;sZ!JlSKhc=W+7g?)?Yr1eczI6VZSrBGnNtJl zEYAUuDZICT+oKjAg-xN-Qp$54g&`JwoBwQHwyi(`+y|EaN}%Z~4b$QJ0T>XPFe zw*FEr?=W^hWvDT7dZ?y%a#+@~EHroY*jB4KaY7}(*VS~Kr2&pU{xmvww5AnLOh1d* z@ns73NLu*iA)jcL-s{Rcdv)T)o^S8PYR%Kl{B|ubzKdNUX?3@KezxcO@O0SvHc|gd zA)rhjL!o@-xk>f;#uH+veF^Mgb|9n=CmhW*-aDUF3M?1)Co3$iJY;2$WnG`}wJAJQ 
zKkkS=x}PJTkMr$$t@1I$t*~5(n2-}W^d51=eK_r&KVKoY^JquPZrZqAIty^OUne*U zwj^7ZgMv`)qu1J!ZOaA1$Wfdc&q+b%m%sEbg+AEz#-1;yWaHaZ5d$7Z8T0%@fn0F} z?8ZU_v<~C~ILce4RphI*#ekEc07{k5C*)PxInU%kBNR$3lZ|kVDFF{IE4JU*x}4;z z^0({PvI_g(J%m?!xULfZgeFf5c=RxQkZ3nLVf!*0PmX^t<&8YYc)%{kN$1wr^4gWgP~`{4o9{{At@Th_(;%;^JZjxO6AN9RSVjFIAQDnx-8XD0Kjqkqj>;A) zYuYitpHFFZm>pf~JEWH5GwC6m2By<@PTF=y3=l0&!dIr$omYFm?j3oz>W+^RsPu4G z(%LZ+W7&+B5=Uo090f;xGUFRf}Ioe zbEi%Y+Hf`t` z9Ofcc+MGau9*Z-$)zu=#x}|h@#p@E{r6N?t)yCLjAjEKhoUmLqmoSt{D8XH{B~?hC zNd&B(RS|1izJz_lg&7yXj1b2tJjsA6C63D}fsgabl6Y#ZKzBd!>P+9qk+*8JQ6(V} z{ap1HBTvdMlnRt7W^y?DDeu#o@^O*UCEQ(9k9QjEiRCGy=)dC zXr4Bheg|CoYk}vTsmC=HD1liUyj%^tY#9I#3Y@&>X@4u@LN;fUogB{%&R3TzdO!U6jRi}b~A3upWIJvhR%W=I;N%Mi1526x&_W^i| z`_2g|=M2fYD-|w;@EQ-df4rNeDu-Br0CJ0N=0|YQR2Df-!YfaMD}X)$=fx_RGspkOV~` zg~bupF^??$z`hq$yz}29*3fNUu^pDN@Sb*!A)_K+!X1{L!BK3cF8A5$6dhsv$M-D6 z7Q-RM0OCbn#c9OaQDhK)MN@%VyZww03#fYBZ0w++sSpa4(y9Qc!$NYIiZik)qx2na zH-E|e;THeH%-!foi{+C;Z7TA7L;DYqaCh)c56FGHgDpyKyM;QXiPN1d(!S<{q{{iX zg_)L>GQ3PYWQy$CNg64PreAObr@~Q9cZiV$r+NunN^8Xgo?3IC)f|!yh$N3lONcd& zP7Sm7^1VERo&+R;XV_FYs1?~w)k5?lCR%JIN&hnWf#qw$xFj>JiP+mb%PL9$IZjCA zKb zrxG{u4J=|OgjXl}MQqicZGKgX>1N!e(43}C4KWhW$hjIOah-BHv2N)LS@w@XBy0Jo z1hi28*i2eabc!f7kZ9@qdT|BG^_=h_j3ozuFKG}?>EE&l6BzzPt3Ks7hsXOwUNAiM zxu%Ojqg&5;#b(fC$ZKVGAO$gi13rG*`D zCbRlvED8iL%+FZsLmmWoLSt__L65WK9l%ah-_PW}#!hp#`n~J$i+_BNSJWuu7_gyF_`KBEXk0 zQ*nf=P`kHlWwwp$afX{vPC5i>><)bMaYw>_y3yRc4)z7^^6qSF|1xp@j0kkH*cVr; z86U7lbePE=xKy|8Lut;7#Z?+JpNs7W-ZVHL^cN7x2CSF2b6Ep(>WC0zLaK!t-Yyo|a;Ml8o^HCG3B~ zCdyP4;GNLVSmQjpCdeRCuQ9sIYG~EwJe>+4Y!C1@gX}~-zx^3lc36b(QOB?I2-I(d zDy&$q`83~^-2u8~ZR=do?6tUUw>WdQ`4P!XtULJG`N0xhf^((SJ180GwlDYiX_aw$ zGqtx;zb7sTz})|F#?V}i)>X}Tb@T-IjArh)k!jd`U|{_L5a@X(g}Pv>%4k8pC=*TGM3f2IhKtP-8p z>XT01>Qpw0sxgqTz`T@$n^GBavbR>c}OWeQFcRvQoFKb5{r`Z=W zcY)AqnBq1c_=e`82m4sL|^w`0~s`adI=&m8iTJbdBvtcd2B{C<|cj+ub*d4cD6~&=# zmshW-8O+SD9)L>|zLS@=+~EMBy{mhE+JO83@R!kw-bU~4_&%5$6ACfRrpNX5aP)J% zg?s-nwchDL)5*Sp5Wt*%J+*ZMHhg4HZjpMOoUh#=y?^Y^sU+o}ijZPevI|Avc8g`P 
zhb1iT4Wg8G5ftAgsCifn({;|2W72Z&XjsS9h=t89Z7M;nV5PUtOEb6p!S?-g?amJZ zhOSL&9$Qx=Do{Q}Z9fk~1og$K@0w8+zKA*~&XT^iG2&{?Gd>&fWwKhP4lyxgOtk$i zYFgY8C5ZWoGOthG#{O4F4o0PCH*hxxv*jFixn0>haF=4_!)YQt*VF3XXm98|T|PQVWW2Sccny$Ex;Q$Y?Fmeft{Rnampd z#R^*d0;ne!DN1f!f)q0Fuj3(Us$gLW278McE^#OAy={msb#C-}j|7 zDLi-J9T}V7=Q-t+Rwl@uB)FI(H#@e6S2>O@@<3W3Ejdx&sJO9Q@e_vDXNoyeI!v7~ z27XbR=ep8)f=!1aV^Mr};8bXox5}!=P4sBnQz(w$H|#k?wC15xCu!-|*9PCRRZbz! z7lQ3_OeET7r4ISB4%lVNxFnP_0MY=Z1c^Pj61hNXXR;F29?kLvGAg4n!q z7r7%la2%d$bsduE=AJsTkg0%2j|>O3X(va%oSOoJPL`n749^PpukSJ?xEc;a zJB>*UGz_iJb|{6H+9n^Z`AAqV5f?ue9hHbOQ(Sf<&$p)CAKFBFR2d|=@@KbYt)>Jl zehf858FUSm4pCqHIEIq(V#~`814%y^AOGF8KQ0!c2*m#Lb;~O@ zzm3%mDLFQ!Ts}jLT^%#0c7|$6%|x^-X&3G~=usryXm5@C^=72!w~ALF>00+$K9fbp zPd6ZAHcN_i&jRM$5UQ*1l51*Aoczvct#}m|^@-UkGIJvG#by>~8uPR1F0KnS0(0bM zi9SjQD?Z#%4q4x_bEyaV8B6&A(Y_jotJAywLi?!xiwWKb=WxttDe$;{j{U-c%Efno9j=V9z8I15h}1&g@xWdf4MdFYEY!>@j%qDp;r#itCT<4H+h=> zFnYmXDx!+oZztnaT(V=}MSj(rEzgAm^D@Twz~a&-xfx98+tayxwQH5XQZfOcoS+Zl zO?~TPhPvJQVZZ{R{G9O8T&Hi%=%urrtD4 zn@d54s&KHYs1T5oc}YteuZO~<#9Axz)NU=wgL;h{Ev$spI@|B3`xFx+f>~R?=j46B zUUMOrA3T>UvWMPpI}+bb>YMqSAK9}Y(iL+4>@0a>VYhelhUvg2YStOIl9s^0ts;&aWQ@^fFCqKjnYiw6@FZiv{ zL8&Qdye{N|L;xMVLX&>dAgVd?&SGEM3>BXZ#V+G>^OV$+ya&v`DB+8lu9B$)m=E>s zVDG+FM%Jw0G9C4=sBec6XG2N#{4jxtJ`$)_Pa=+&7}&`Oz0*NKVPBi$OgXHVWog6g zp~(LJpG6}MwZqJP0&=!m+AXZ-f^TK*Sl*>{0$rfB`)1^hQ5e&rM`;j^M@=*Gmd2rh z>e*{?z8+)paeAVMX!B$AXY_Fis*b&;0sb_bI6-eAF)u}_f1H{it<)hl!e+5A2Xh2B z(|hpTp6E5={|fa(#WdS<&@@|-TV$h;Ts znJgK{d^I7j)5D2%F^I?yyB{1bu1dFIqn_%#x*?PLIXEytRlBMp1KZUyfN=9%*-Oe@ z#TOXMl&xZ^^GD1)O(Z?z&)Wa#E?@>Rt@u?M71ph?i^_F5Ew0A><5cCv7V{(eijR(i zuR&#mwRgus>t50kj5#m=^!Fhkg}GXb^Aoy1VUZalO}O8HEXh9Bkca;ChL3QWacmq( zlx|#-kr-BKa)EsuuXrxzeL0w}0$TjjUsM~?R?owE5y`_*X;ZH-v&5*I-F9w+k;MEcot7&c$I8T8KAicV(p*uQQ%X9 zNVMoz9x`8ZfGSgTEPO!*Kj_|%;uUEnC>FIC#P(T3zz>&qko~E8Unf=j{0*)7QN)%M@r2zMa##jG#LXA@kTP zwhs-PQ5GRj#{vQ&ok!{^#?9rG?D>IuGaRehQGzp!eQc3ud0yQmKAkcpK(YPyseoc6 z(q3_jD9nmzu7F2LO+mGo`^CXFp3Tum_R@kVoSp!n9JCt>`lJ?%UEXw`XK(7liLy9? 
zx}t(S6)sGi-CsV_#(!%+z?HIidR9U@)ZE6gbbA>@`nb zE{w@$#OErWWo|O#C73=hIiz3@!2s-eBO!TY#NpvkPMX{^T%qA2*3}altQ1$!j*>rU zv<3jI%;%D8wLozk92t8d9(4aJtNq&hvK!MxrUu!$eB!~%3; zW3K(|RDj4tIJjh=PK;q-v7YD7LzA(sk+{(sQ#0n%kaXhDQG7l6R?t8kLsO;P9~n-e zy+1dsc>F(n6H=kCi2z7zfQVAP^08?ew?PV6$(-;0y zg6Jo1bL}g(>Y+gYEJN3AL?PDl!*`};m1~zY1FhzWPnY}b|D|MqPCdIKs#M@aUZy5u73hx!B==I^Lrh3qg zS$7A|tjPDRUJ9V3hx1wighU}`94Zb=M*8(VvPsC7*HfZ>WC72b_NA_)(g_Xd_YX$b zkUNSfc3ZB^XZCo2dphuS|I@O?r0Y(^9Gb0)Ad;LuazH3iv1oHp)YpDt15qcO4ix@3 z2T3hUqwl6Si1x=1y6$;!lxDcuH#KMEM&_0xoe(N59$Zu#O3fwLwQPK#{N<@n=gUGN zagnP%yos73wUKAd_!=faqjotYFT#4I;Fvr@&d~sCX*)OVU{V~y=cNyT+jZoP~h)s_;oYQ^y!p0SNM z0-rT!*XmW>J4cG87HY>N*D9X5=DeBT2#K7(``RF&#dw;`C$J~1g)C;?DLhN=v>z+3 zTSNhi{ZYz>tKfJKJMXDE=`yDR<{yTA)iWXeZcP(EZcvxy$+HQ^%N)erelh zf4!=&1IcCpAz|O=s~{^}>*ZYDh;vB+28_n(tVd6uTN`f!3`>)Okw(b5M#}(6L&Eit34g>kpdUijOI$D*4s$D$0T4(of;3 zhz(nFm&y{~-m0qqOMKOL^~&nd<^m%TXgRO>0%bYz!5#ksxh4MMZ6X3&wY9gYV<3#D zmU`>*49G)x#5z4JyvA6kWr%HmSvBz|cVd=JwT>N+5f z7^6qL4;tLUU+J{9Oj-lrV<7?YGoCX)8i{{SojL%X#OFPacM?1(?+nTCmcM+m`qno)jKmror%N|b4kaFGc)mf_EkF7GRJ*ErU-3nT z5mTbVg^Pcl}5qgNdk{yT1WX_xN2t1H?Ozn|H3`r_LVv+>oU z_==P&cNmUq|5Li&^`CMOAXZCtppW9Bi&P@~We02y?AtUBtomqHsdrVaU95V=wPwLMTD{H7*|xP0)CZ_>|WvVN0j@m4hp`ooTvVw>+~E2$BW zw$wTnwA2bWiN09ZLm!zDt#(5ltZLT(%9U2Hv?o?dp<0Nebex~Knn_lj3KpRmt0I`f zxOp*TWB+n}6!6U@?4>RIxMIQ2&M{N_5R&%^HObqjS zlV~7A=bwOMWH^dv{ES<9MCnh-lO3!-ziWA;aw4-%E0EsTpZ>}zFjy79h?d^8%y+&K zSpkl`bZ#D4G@1}-9#%5CMY3)Kybr%m@yEPRX1kemnS+&s*F3q47W;yP>WX%xEWr*_ z{!F){&s4BH{U=y4(OekHyyrQujD7yr>T4%mWvUg?q2Bp`byy8<*`0-wJ+bC5P4(Yt zo-yC#MXzMo`ag4|em1nM*}_~k?j-Rg80P_sV6h9%@?#RLcChSKv9gNSvI4DH|CMRp ze$CQBe~XgAKPe`*Ra6CtE=d#eOuspCys2v=sr2c;iow@nS;j#KhOY*iCK52Ljn*%p z*xw?zqZFSE!+ZQ9{pF^|*KIAl8zC;H%XM?)u>oyW8R>$Q z^MLRV<7>kcALu=TAC3^!Yg*F6)JE*~6E!s+MF?HYR>|XLhxifMF`;<_v2yMibke?N znN6gwy#HCs5GkeQ5v1+a4jkB{&2xIK@2|dwV~D+=wpk~GgGz0oJQqMY}1_6_=bEd&O zzS!24=>eg=*k@S6u{nMHHjUBDbZCKp<2B-HI-|#c7CU}3+PDRv+a1P~@tcK}8Q8Vy zARG0iT3~8O6&gDjL?xb_%hRCF^|;d?RdB)(29b!F`w0_kKA7o_$b^hT6AZ6riBU*_ 
z9+->W(3`^db@P#GKjsLc{4e&rt8gt*{$9?)r;UVaTN8bQ zK|%!%TmjuEn$FM@@|FbVcXT%lU)BiZKuUc?e^FO;^b0A z^IJpGj~uj*WOYAt0_pvyE3wQzD_j4J{pk#f^RfqI550uf=3Ioqn0CT_Z|F8i;{L-< zBQ4que+!z8KO_vV;=>N-UCqp7oB6U@|E3(0K%l^ztcr(+mBz4_(djn%MpqC)<=NZ4 zdKZ4cm5=8CyIjD;5Dq~sg{#M{;LE2N4T)ZEH*e;E8 z1$LYCY~yp042*yaZ3@s>YRcTsR>+t%6}0Rf2HADNBm}#miS*?1 zb1+3#VajhaUu+`cnW*a-sS`e$cMUnzz~$ji9+~3b^lfBurYzlf2z_@&^-V2(y$f;>^p({wTQq{qw1XFyUuhWHBLB?=3A7ybXxhPJDB6O6bVF;J zku*ocMD5Kh5pC!Pk&iWW8}<2*0hCFqOxr?sh{u<6$|k|cKW>Ig-*VD`&(4E>DF#*S z@Q$cNo-1Y_aRX==_&B zovE1F;pp!S)1aRF+*$~AuN!?ar)IVxzl^;)xI;msPIQ*Q>5j^Tu9T|(t&Znmn4qr- zM0n%WX(=iqr6_o3iR76R*}yyVgt_uQ3Ry}RR3yl$DtXp79~#)!v0oBB^7j9G|_er!mO*JUyLPzYa_S(T+HJwr}4Q{=llP_I&$QiI(9tllgVRhKitx zJX}_KFP;5&yExJdb)NMtr%bb_piL@X1St;twjh0?GqPlgsQ6y})TqfjL*}WqqDi!T zC8F6BR$6gXTAX8V%QMAt$gutgNM!2a^Jlo>^K4Y8moxI&Vk2r)lr{~(!exSLd4^|3 z_U+Z&Mo)m9f>?P!lOrX;b{EKN>U@n|KgI2|z;%Y}I^6e=x9IV}(iBAEDk~UORUy^x zDn$qy8p1*FtCg)lGCs09l-d;8=5Lb+NLptmvJHYXmu>5CKcU<@^$A#lQRU}Uey6Dy zk)@*g|3QtlC!0pR7Zw4+SKR`&-*xh-@eAp51@h`eFpuF>d+bB$4%d1eiMmcGSZLrszLNVl{CyG){r{W(29Y zC5^kV_ebiQsF{RB0v#N$=W^fNlhE?PFU9E$$}zSzW;3FOzq^GgJZSr6TJ=zH6}0qm z5{=N-CBOox$o!N;u(&C}S)IZ}7ZME04&K8?0awXZX&f=@DB1c$(p9gwtRb0|M)m0Z zxXBK_TL<{2RX6(Z!%V{qgc_bC&6`AI{8i>J`gk($R>huV%b zqo5ruILo$8t?x~nvZDD!Vx==PPH6C^Im>fAn$f;Kk+)@SY1rE9&f&f)t5?W#vG}As8*7WTeWmz(nvH#W4fPrI#vCY_Nc~8P<5+(WMSo&82{h+P;C$*+d7-{fMg`XF>wMFy55aTS z+71`_)L-MO_Z{o(M?lh@E`&hW^6XOQ!HZqXIn;G z722+%&8oNacyQpO`mC?av|@Mo@Q{Ued<_U-$|mqXX#>e!HU}uyAW~KYB<;17LK*YH zIPxS09!-jAc%+DM_WL+bPFY4mkxJ%&+n+*F`bvj8(T2{~0M7i#c=FRI-A}m@8lmU* z{S}g#V5{JIRq@l|v_F-`W2IO`VW;|GIZK)TgiUzVA*Ubfl2!YbdKAv!AW|EJt~Fz# zSqbocKp6bSMn1^jBx0`57TrMg>t9vIm{6^yPku@>ALR#*Gj<_HcfD)@ll1Ypx9m^a z4z5LaaH%LcUV_B2p3<{Lc+8_Jx5T zffBUEziwzr^r?~Ki$C*Ww_iU58kui#ZI4sVO?B#eUcf}_jxrB&TS=DUg~Ib$*!4lF zRq`&?T>^)kMZuEH#J(7CYfbarrgk({srD{$cz7;`iU=KP-$988L1G2hE(B&<@o{?d z-amcV)DrmAdYl?aIol~y-wnLg!_+Aj`sorvr`t9+Z`f*}8uTB&G6T`tkecP%Z__sp zuN_Qe1J{ z_M8@{IDS8m%;L4db7>s#92V*_zpsrR<7xGVKfPhEh5%(ABo{bjypwQfyc`8={zImr 
zBV+-rJYl;*$=pOn5721M_Mazz+(>DMbjBx9#xw8lroht0lm6Ew9}<`p%0~H?ur9p% zb?j3x=MLRQPD~O>e83x#!tNw<`3dZ!LwU+vO@uJYZ}lUDl;x3vb>-dt`rDK%R2Wr2 zxg#;)x_rPN8#mxsmMGT+_8Je2Gs(8S%K2T1k<62qzkIfL)C(FM)UOpHP^SnYFec*H z)FtRO>wE(d-Kp!-u`YUvpv!(e7f&nlS8WWz;OEzSH><#BEB3#aNO@%S$^HEh>HNwnD&?37 zWJNwg%>-)>o-sbxvHMv0aW++j1Vul&XmwGl0BXB#`fS2clOr=F;+*aXtmxSURDi6t zUtn`7Ri zNbx43#fp{aCMz8lZ~5wD;E*ix`syD^lZc+j?n-p0UR{F?H99vE=-Y$D+_l5faWQ^a zu$|RYZGn3fjMUd`8B|}C1Dc)E4YGU#@T~={Mw^pq^2)|uujF2Fzdlf=p`?m`2rEKY znXM4XzQbIKyDAT)aMX(#aNl#(#WeafS40|`BZmI3y}Bq$6k~hHMUyKpPxYA6-=%fk zD-Jg?CEDdo-^TpfLWi86-TrLYt2 zPIB%ouEeT&6xFNL)`A%4#ob#!HCCd0ls+as6r1y_p9XfhkOCD{TyGVY*LqRmqb0pz z7`Hg#eA_;n*N8JFW>c4!J+zcQmPVU7?1(x~_h%GEE`5OqWu&Yo%86%{&z$UmYg->` zA6qK>OL+D4Zvf0TeXitY^C_spwY+8 zatK+dbXHoRd2OI;6C#!4bWb$pQy$a!?Pq7&HmzwvSHtiIf!`wl!k%d{aE`!Bn{GHUGt>cRLMGg(}II8FU{+Y@A77 zFR)i|i7Ef_O0w0ZNA^SLK2=tk=PBUt?D$E|M4WSCStw!iJfbZ_*3XhY@jO4DOr_r{ zT=7iJH4`j1ARNl`?q)OaOERZ%vjYAXk`b{i_)ge~65X8&`E@(7FfG`(ojCShr&Br& zLNUhP)rDDgP;vbF)vd)ZD<_9?2AD0SIu?lWGL80W@yl$A$Z)Y*rsJYaWyYV}u}RO5 zTB-bqKNLs~C8%EWJ9ac@B|pS;!oE^l{tfo`S_h=BJ_xCAO$&QMv;$mbi_|GkKAQUL z!PICUNmHHgFyY0Da&MO|cusVT+ic~gRvyaWH?(PUdU4;_tdxKX@*W1>igSLkG+E`b z^Q5Gf%3!jXWNYR5%#cAAa0|RFlb&}u8{_y?5zpx~20lJdy}QAo-j3a0 zn9gp;B(n0A8pj7$(5N1f0g@4^1I~goaQP)2=3bQlD-BsNk{<>V9V}*`diWY(_q| z*l1nF34;g<&c#2XP$sr>5VatFauzC><4-f%@+*`4=ZC?ZY0;FonyD-;a01r<3+N8ag=jUXm^4eO_!}n?z=59!DrkR>>79&3j z@}2S7QA=^dbmj!p`77&1%uS4}V<#TI1{{!ISJldlvmf)njAsb?Ez&CEpz(T3) zrh({ct+>3$DGH|8owJT_Lxz#DNf+;`L`9T}bpmj=dL>wrV!E#=%`^&M zMwTVHyJpWUEQ?zZN6l0dwi|c{DLI6}Z=zE4MI62nPG>9bik+-PUhv#%oibra7%AC5 ztD!&x8wbd{9agz-Q+rDRPLDo|_UDRzij_Odshp3G+bd!-#VbEj6fIAG*~`1{^U<60 z!j=S0(enra@4@T&N?j2*Nc=l0>k(r#>o1nP3qI&IwY>epERfHZa&bD3II*iobJ1G+ zWiQRee2ya5Hg8YTIuoW6)OCGEmOo#{bsj7riMCIp;f2pLQc=|bZ{3to`CbE*SEtuk zx*!0tMPKOe=(m>c0TX+Ajhy2wR2&if`O7M?+vm?vSDzhn9E+P~a_SrLRDX(^V&P(( zMUYkcSm>jJ|h&4tlG{GkJ#Jyt&FatMFg3{{t6z5f5tkSVtahZZ! 
zy&{@cxqJGsXJ&dj6}IYJud%Z?{v2!unK$Dco^QkgGEKxVS;2nZ8q0Xiq>Z&z}0kIpVzGn_y6Z?}vT(bgxIx zPYQ2P?j1)oP^wyYC$X^(oGu6Z61D|RxB6DmO)RjkbWadt?N36-?xkRhnHV2MwL1E| zjm%#nh7MnQwey8quXvxUnyPeow|;T!iSZ4JHq;=jzyBOMf95gf6b0N{k4xRY07i#w*7GwbW1vYWK;H{ z)Po1s6$XFTRV^tcQ*?vVtX#@U1pwukl@S z4Ep;Ye_AJnEnU}uyBdln)=y6zq92XFAK(UIreC?T4^;PiR zlv>LS8%T;JJpdXmRRbM+bob3`^JBnT>`!GVR>9bbiA+6zNj!Ft)H+~Pem2E6N7Xo_x&Sy{|J+#OWoXY9ng)4%;o3f1C$%O{v!?v2p*NN}(-sc)?Ty_B zAoRv*bub#40!fk!VZ5G+^T;%;g+O>rl)yPu$1HwGo|SDSN~ec8(iiX-z259mqim&{ z=RKH&-z?4n(5|T#`w`~$-$2>FEiCN0L-W>HyY!`~kN@b0e|-*XsSUd@t+`&Z5uJT@ z<}GoCR>seZAF@~ZG45NdS=rU#ipJ&gTm+M~Nf2m7LBbk=WJQrtTeW*aMh1uzCQ?Xt z@JQ|2%c4n_M2x4lDHUcf7~#SFFMaED3S&bVO>c#q%(>k9jm^30Ck*C!!pxrw43i7d zljoj!y{h}w=~&z46g?mBuF%z9lw7enL!=IPy(Jx1R04L^ZMw4# zdxL*cZyD|KU8mQxO*CfvZQb-WN=*{%(LPBUN5>P9axgvKiUIc+B3+)ogKTVmR*Y~d zxxM~$qe;EuYzeRQE|XzIN{OLISn@oTovhJSgX~??$L8nEs@rr9w>_51zOP>-J~Di8 zv%`v;)Hj$%l2%Zt!8H7X;b)mAhRCCWC9cIQg&W%{DcbFyD|MKJsf8i09a3YUdMRx~ z|1*R3AH@WiQU5WNil&o*^%C3YpUX$Aa~?4NXd+w4fsHsC+95WR%#b-o#y>%`yo)fU zAQ1_b3j2DAy*k(PMo>D!buh>3GgV?+$!sPsDHclM=`+8I)bYn2&3GkmMvnc-c-OPb z>8b?UE9~E8xWCydqH!NZE2pKX({vcPh|SWnI|Kt*+rRjV0hkKSnWdd%nCm<_E_wL^ zv>q`!l+?apF}n6va}iAl9@-ChPPlTz|10gg&pFrUo>OJL#OaU} z$AGt38f4c`8Pe(_=lfjKvdWdD)yHdj;9gQ<)Q)ZZb=u6?ju1HoTF6Z&Q?%TNFa~C* zfjF^*1&P;_g2e>|C|UR;+OA)(2aK^FzBkgY@YfAJ;dZhHTc%In-C)HGpJs8V>XC=O zQDLve0{}0o-jpW%!POt@R7;1kUuS1nL*zwnxOCrn&iPT6u9@kX$0L?+@ubh-8SBHb z_X9eGrQ{HVC%Z@+N9bn)84)|L_=oEq{{5xRR|_t{;%jk+B}DZLG`#WUgdTK-!^4T-BUA*|~Y0+#nc zj!flS-g_~y?$DBn&Zxgvdx#FYE#(mX@y&=ZEFq;16>K(hfuBaV-XvjghYUY%^I`(v zP78+)|Hni0wFRJcTzx)}o=}O>Y``p!IMS+4#ja4&my*BT?z@?yuoKBWT8oOk5CYOZ z<2SZ)gH$>-3pqaeer9^zfz^QHt;4)zwSX5UJEnpe*zdkNU_mIq$aceBUZv{ZTZjH_7zbw^bymoF zqw%+{$h4fK6u2^2<##4TV@23*VkT4yS07pj%YGmVU{+yLJB}MFT(uYt5TQU_jj{3D z*u6pPko#6SMx_x_we9bt-xE?1IE6zETWpsVa4Q~o@f;rGfJeLo&sEtIq3}6vcLk)` zROM(3u&ZXN?yhcJ*^I}1wKG1vRWECPyt{FW=z-qC2a63W-j&#-7}k!`N>#5l6P1iI zb3#ce*uF{3D2l6vcHy{zYN^Z`8CN+d;H{RXo-zy9-BrRhc%BkcRHh8=b@~{dNRBk% 
z56+z4bh!gr#x0RvoTsx`9JgtFVNbnaq`UtUc&@XI^>)&upXA@sej?UZA-&anYbz=@ zpXBxfYtzH2&*yaaOmY2}5)X2iC+OHXW0t&&*lSg9d_qbKI!8g)+$I zT@Xg^H+<8jg5TUVz}oX87Lx}DzlSz06V;#~!Ud1)yp)fWV>qTO|M=;OOj z7p%QEhcnxwN4^x9+cf2H1oVQJ2*z8i0xUw)<~Zo?2eH`FtP7yh8?q{H^=TkCOKjsP ztBJccjA{ArbbiUizn%erYp&3I&v_;)%g60IQ;J+2r6psn%Qndw@@={Y@}e11Lkz+7 zS>GBsB{ImYJaV|@v7h($GEip+zf!!edW*xjO%~b*<8+ZPEGslzZ@b1U=cF=ZV`(d) zE=wCw9w@s-`O#dofTGVd<2dw<+bv42$qHQ-SqE0Kb~`{jg*fJ(f_;NfC1=*+3(IGo zIpr~!)P_fo;264f7etY6k>KIQeAa;^(hu?%7B=c>P#*YaWP!`rmccw-v29dCxqRM0 zoFmWau^a~~JCN87;F)1&q+Ednbd7_~JJg|JcMRC6KH&bQHZ;WIuf?e`Us zbAix)iiU@_vmU;+BXUzAY*F=yDxL7femLWWB8|B_KedWpun4IdT83u|W_(_<;S{yj&^kIs8Zx0xijsAQVbu$d=f=Vr~m z?pE^=%d8wcOEr>~77M!O5VFD-(fnKy(Fhe_n;eyix#!5?-C2cqcSqGX=eZ(12Zm>U z2KQ|rbOBqIwG58w2%ColU*0_ZMcm;bS2z8`8abkUlwE_8rCFVB z*aEl5B5*b#Eb8;N>0*tHx6vgS?xKTN$|&_j-SNMSN@exOY^!-dHg@3;-;k+Cl8ssW z_$@i4#+fG`;)9Q%B@m`-RcFlI3w?sht4Xn-DJ^vn-)oBX%2Y)z{9)oxszMc=CeL*> z=yUsV=2<_gTNd6NN0(dHy#|cTjmoTQmf(lp;HrJIKJ-kWd!Egw&%d&#yN9U4jIP_} zJ)WHz7rj(UBDb(NVOl(ft2SR;2lttbyb*ZX`02(Mzi}h;UUg|+JCuFVXL;D;^jbyN zD{3Zb8U4yx_c8`@VJqAI(ET^!Z#eA6H!PY5wv^cFvG(kQ4^S+PF(!{Joec4b z!=;_A(XcA2;B{ShMnwTwVwmv5cTS>k8iHtzrN9hZR*+r2nt+?0L`L>p+GyYfUo&uA zV)(I;wOd@&cbQ|b=kh0dKUd0zQP1=5zOn$q7gH- z9n-_NsicO^et>5Y(Ha2jWyuh{Q7oJkI{qfEcqOA|pzE7u2G!z5Sh7cvOD>E)u2b7^OkTb=s)`92DAr1Dq#;8(qKOhRjmELC8B+*>q4H>;U7D9*RV z<>s}AbQ`!QinfQO@ZG9&3sw3XGsVx+g%EA52oG5a{3Htc$MufzXSX6JWUXV}$)+W7 z6|h}I9_o@4^~tw>_Eq4spN`?^3!=3^gv4f(IVlG5J`s&9OH-?zy>@-!@phH`-^rj0C1r}ez4AM9*Zf80v6uGJE86zMfT z15w6Tcdc?DNpq7lh)HB6TY=B0 zEpKzZM?F>vK6d7ML2hMVn^K2ZCT*Y;(h@4!aTr|l{aMH6xGW*`;EiroZXlyhrRn_0F z)oWovy38zLHx_qnL-A}H-f0g|+;`{P%*-%T;^<%YCZJ{BG?QQHHfEjSsQcFBM8LXC zK^iH2C+DD|UB0vBhB<5LJivw=&SOKuEW+qyKNG+onh-zE?z1;cPbO9#<+Q`-W2Ymj z{JeG(15fSsE4*@jdqnU;mW7Rk=TVY~wxqt>ZbbRYk2YP%rcl+V>X7L`CZUx%j`!q( zelGJ4mP2*Ox>hb=HrBD4c)*K{ny7&jDfuSB#y7r%p^!-h@A3P%8bJLi;%Pd*=lVhJ zCQ)~P_}AJb&Tlx8rSxI&kOBFOfMnx-_0ibJozXynjKsmJf~B!sS$D7d+7IlNJX!w2 z-srkal!w`GThzi;Sw6yor?LvgIA1C>^qBMSW6vpc7q#nY#}B{V;?Gt5R2)!IH1_Fe 
zP|{CCtx6 zg z=~gLN2|nzS7PqbkdScOE7UuG~Otm7_YpaFn2(d;pdiqDO#2QEm`yA6C6&fGT-4cx-Juz zwb?lGMgE0@d1~VC6+s^UuQKmd$9Dznk@5gPT5Tm@p5DsRuDrijtusfB-i zUada~4^qc4s(j*(3}jIoErPXAV+`I00H1C(Z4+ZN)7~s&AY4OTL4!gZu=m<=HBT$_G*x2zdTa&b} z#p2@N)jBP#^(9%EfFh?nwfG*EY}-5KH1o5*n5{OvVJbXJPj6ao`6%%FAa`Hu0XnAC zab#rV74iE=#fq-?JTVpp8tZc)ruyM%_m2?kM_gv`%l~KcG}~+S3b(_ zq9MTUtW~8&lEh|$7mPmmLa-eWX9PaXE=0Up+FaQ_V{K z?W>@x?QOQb@G+LSQ~7y$3Rpc$iJ6&r`M6MdtbbU={J7-0WlhajI@;rvm#kq2!xiyQm#fl7NVc7#-_h^L zv+7iJ2Sot50B)Nsv)ZTV;J8#B+0gcWrHE&HQ|$e`VpZgY=4$?w?^$9v=iNF8dZmxR z8(}qd(vH2shZJ9ukF24Tq4*13FC$GP@euWEBqPTeSXdF9`myva9@|>2 z_}WPkVcE}eMXo7^mVe-d+sw-}kRJH?1R=oNgGQh86ZuvVTUoV%b;NX$?|mNbt|EN- zk+?_u!s(5zPr?oIO^HbEgrrM`xVBk6sFYVb!HIV9eC2Vp|puZan?R9ebIZh_?`L}e%i44adX39M!qpyW_?_d|bT^th_ zr>U%?31WV+5f1Oj>gM!tNU?DMAXSulBMHmb)F)Tb-NAr2wDfjJyNbTu*>75|-5IF6 z&dD@#h*6IdRtjJ}{qUAF@ypqA_Fi)M z7xu#b7e}|fSmecc<4EZXMv}Zt8{i(rbh;em$E@u68QEQ1O#PaATv|OlJU(VydHXS; zpnXpHx5$rX=!2#E0Ice0i&Gsua^Ch$FEQji4Az9{=(#~_Y#Hi3?(bXmMH2!P)!?uH zP2-joU%H4#Z{3rWe7;D#r#*b_=a;1`l$S=+_9|Dh`<{>x;h18$L}Z!LNte?TEf#V~ zL%ph@JMIb{1BrS$v5Ddxm{fwvn_A3sN83*Q6}b48yQ7v*N&X#tlcRj+j@*jvU1dap+xV+>tV^^XbT}WRmn|J} z5Zs^Ym3)#h^k^U)L-l8U>Skyo`jU}LV$qIS;b+Z$J8lA2w<+IR8E$TBJ$1sPo~n8- z1OX#$e_+J*r>q;nxXj^#RH6ec;e_yP5{k+RKzut5!c?B27`SzO+HVOwa;C{pK60e{ zE^yKyD`aJ{6KUWva4?F>8KANiBx0W3@$WD^X3=2Y7QNx2%xvI&>7X=D~OAcgUAT?&+8pr8+Z)xgNl3F1a0t*P> zn;V1*eXy}TtOaIt;@-TP?wplSY=^u`JJwBH#N@x}WkKJ2pqrKK4GypvQ<(PBai7)5 zaC4UxRY3Plw~p>F-Sy*i&jAfk_fLV0Syh!XnDm9D+pZ)jcZ4g#dR0~0xmma0E5u|Z z_UG)k^C8^u0#21bQ9o7w6HC%EzT_Rxlg0rdqlRNWh|{X_TES4<4pddS zl1Sbzh^h%KJT{=v2&fb6ye6fhxuN|!Mqivf;s+u%6IR#F!&L`J++l6g!oDa(%FHj^ zmBjJOHK}da#3+vmw`z%)xtN^2nDu(DJ2b!tv^qBTXIClEvR2>s=d@mv+ILNSfx5L@ zD+2j?YrA!~Hc3#|nTZuU)g-mP;TgH*P9jX)^g$nw;_}#z&n@5mU{~5wR!X8w2g%3D zDFudPNCek3%Q~~Ib#gU|vYD3R$zS)#;P;xvt`iV3n=oWd)IgCY>lLt3V_g^xd9&dzx_dGCd%^dnXqcB^`AXYL=ryM>rMzoQ;DSBHLW`N!_le~I ztroLCag^d0KBMm&nK_ONDdO4|jR=VH4v*m_d>Gz|5sEl`Hgd2))-+>eFDB*6-Ro|x 
zLxdd7Z!ZjM++2){Pn`W=Bb){pkEG>EMRq(~)Mox3M&j>^{~fXDfW0zTrltGHgq!az zez@4gvLwQ0k~VvGab~jQvt_9ViDNpl;A1ifAW7lLQ@J{`+c-!WaDox4VuF*A;3k_~ z2`Q_pBN1yBP!LdWv@(SmB@#<2`Qk;_tKO7U+Wh<_bmr;v%18XfM`I*Fug>-TfR6}B zPx^XOKE*6QG$E;Z{9GERe>|(@<*3!`anpe(FW+z;k34QimDj~gQ&<&7DJgU&78ujKc=qZWdZL%p|JciwZ;s6Z5P zv)&d`48!eg5esf5Ij7Bw*HfnPY+9nz%3P6dOA$GiS`yWFY&A+U?nK;9BG}m{Thne8 zQD%BIxo9%>QI8^J0liA3U_1K&E2&anpL_Y}IcTE3#_LMZM1760O2A_R&k6JXAaNlM zZNHBHyhn0)@ol;aRru6-U%aM4E$VuyPoDNqjIJAvgKYHq2C^~f0gDBHJmTK&BWIPd zja8D$-lw`7hOe0$^HYAjoNDM{q#%3F`qm;A4)s(0u*INwGY^M#6pH((QTo3JJ$kAsf6x?ZmiCOg50vy%r7*QoVIz3LFl4hHGclybiqYLx8RRLsP)sne!cZf?;MbEW1p^ zYs>E>%!748UR@XKJG}dL5E&u#t1|KHhD4-={$4UuP-fN(qc_R6 zb<7K)Ka~?j8b$O^V`$4GvkFTWzb;@Y9TqmI0H!yu-cW+qSxr)2U~s1=&kT9WmuE9n z45a{qPo?iau-G~3F`lTjH2xM9H!|VA^PcsPgsxnRTi+=66YDr2O-I{m1ejTjRDgGN z9wa^Hf2&~;ob5NNSy@^=Px<|&N9~7iEJ;DU%gICBjH2p0Xw4?=tdc)64c9lubfRT- z1l@YtP0ahS-p3NdE>B{v;;2f9`7i76*J$hjsj&NB3w};MdWnzd#t-Jr8wq%F5>opV z$kGus5;F`mhpiNJS6;x!8XA0Ube+IFjVAgb1UJxr%#jp9T_qNl^;@=KKVH+eGkn6` zfm!pd@aW<%$BHPg9hpkRFF&lc^?P9J>!>CyB<>o(>LHGNz+rEZsk5Pqm(1evCUB*bQ*D@;pF?l{ z!hcH5OlPCp1`uLEbAOjWp$GD;^bxslxAi>&cGYZG-2eo?eISZs)-RFwn}noD|<4L_E3@g`6v3 zjp%and8t~bIVdERAN`s^g{4Tgtlq^lZ*C3_74K}E{Tv)RaGV_II8KoS>~}e=%(ah@ zI~P7j*bjbo9Ds({ZiJuvy2`DvYoN*mJ#WM?Y`k272p<2)uu7Vbzr?*L=&}XKY^r1LlWjD>AVx9fE&s})P z=DPsk$+7FC{>y`At3|jhB6#aSne_9Hx-y?Jzt4vO(q11W%p!^>(cGlV zxBCDZHabGS)3PoNEY{_z;HK@v@bjYuFtIds!Sl<&7zo}({KThEndp9%SK}w%Y1tv9 zD({lPZ!C4H>B8hEM+;zPsqF$sGp{o@!;BUdVwGUCKtI(A_Wb++UjX6Hp59ZNSp2Mc zk4G^luaMyjEIQV8(R;>OE6CoJl;yxBo})0)C$a z!odVnq_wAEE>-})Pw|^mOe;wXhDFwcIS=8yylxO^=)X=x_DX^6#vt8}^}lM(?_;@V zM*tMu;9ETKI!Pm2UR@nKOQhhM0}Y*-rLOA+KMtBWLNXEGV&!Je4mRI?}k@lm})=OSfc**L5BL^fhV25#CqO^4w~H zM__MaoZr2Xh~@^IA?bJl{Fi z0E|I1vV+)dme63+Sg7cP7lc%tLB8JHl$ZpX`W}hQUX(YYQG_@p2IyfyDqBr?jFO!u zqA|9?QUR_-Jl9K<04;03lT1jp$n1KWai@L^zY=o9XsE(#t}U(f)$8k^YRhM{ZTdzL`08M7D(7&V32UK-DYX% zLgLp#6K7(%9&8hvgAWHq2xvlfU_Qg&Ja0pDcfcR!oP_Bv1ydd>*H8I9APbX-#$Spz 
z9}pS`-bDTh1?dmisTPA=peUNx9U-0J61#Ya#j`DV85aQl3>U#i)WAu72Z0G%&EkJjaGFCedog_qcW95C@2|K(N%B`*E_eJ#Tr@A^0^s~TFqr=l7mxpnOT*ve z0{kUlNdG-x&T;vV@$$sy-*5pg1k8W%B8UqZS!92~#V?1K?@@GbJ{D;FdBNlao_PG* z;NaK*_~Ym#S}*JTM+h}8L--E}BK;=>fepbY{}n=LtpAtLf;!<+Df-*U@&O|Y_)nqr zhZoC2f=!undPwUe5RpbTPbyn)t{2D1&v`M5uy@hF_dBQ#! zGGY_98~v(k_t|3GU86WTXzdO0xzkv&q4MHpyHSip<o`l771 z#((1mV+W~~|7o&B_Zpq#YVrpx&mkQZ5@Nk!hd?}aoz3HH#Z_6GqwLyjhk$XOdruZ- z*)>`fu-<2W6(V}wV2bc=0zB+@&Ic!X6AfBy!0j1G_Mr8!lB+1UE?N&j&38pT85rZY zWhh*=v@ic+*t-OT4Jx#M({`ea3Tp1TFXSeWRb4Opf_4=?y9VkD;G}YZ&iMNw8E%iN zL+5o`v2NI$9{0OoSwR7xxNherKXC!@zwreK`03Ptt#UxTYj8jp0+#@nKe6_A3PCGB zRsMS&c0&HuQ)7RVUua2gg67gB|Bn2$tGM8-|F9ka%`btHADqGI(gA9j3>4hoONSFC z%1_WJG5taQztINuh2LdgOkU!}i7(bb8bEzQ>|6j%by@q6kTlZsHm=r0Se*jT#!9{GkMbOPd8O_$avi`P> zlLOsiUM=_7DLZjJ3L0}ictST(*fMhIN{&i&fwf<>Bk4l5*2NwRDc^Eegl?i}n03OJ z8F}o?i+5c<-Z<3_s?KBU_60Z6+9G0#9}L$fIcHsZ@PA8-*iwO&z=B40r;ron6*PFW zRRZ^ZIhVe}i8J9Ax6Y~e>3QhzW_>P7vA~}856n@~Ckp3kc!}GTcB)du3 z_9K!@2D2M)_SR@f5!)=av}P*+PB_TFv6MXoEmX%s>>Uk~fxo3CMhSZe*{L`1+u0{( zo?Ni$qx8#=@CO+^N@&x)rL2!Z$QI0&ORM4vWka z*}*sSn=uAQ0e%fj<4+!k1a1UU8p32V@ED`>zyCRGDY=O`c=$g^2c^i~-TTL52VYu} z{k;&N?`Z#LDJc9O!~Ub<|E2eAP~h(;``e_l>fIdu4pLUCHyU|jfi3qDNOjDUaiE(M zKlV)uSYliPZ&^q=76bt#WJaU^%qU=eV=Tco?kUwP{u~$d zKGcq1R8C^|9*Gq?kCIY$+hlOgzEE`k&MK&t=al;K3tIq8BH&@{;Er=n1z+M6*goeJ z|0Pa=?O&WCx!%q``AajXm@d$Y4BVX02kU|#q4Oa!06?~r{h}-RCDr624KgXe{Tv9= z^%q;AK>}@`&* z{!MhthD+Fj?Gsis1IPRRO?dUx5CH@ z0gE4a@JX=;KzJ{i1#O?Z+2fL%!S;DB!nuSl*gnt85|{D?w0+`>QMC%%==`Y@QUNU| z>!`nEs=!Obo@Wdwx|gJSf`54Gvb6bPO1~ro^!`mc`|rd4+oAue_gr|A|1R0|TMFi> zo+S3vf92Hlh1djRbLvuAy~rt$ zQkSfPw$CXQb^%)eq~a{NZC(0qQ;-zu;(zwR_j5$8@|Hm*>?Fv>^AQpGVxp zjkr0XLo8w)l~N++9`TBrHR6@?o-@z*z@YB-{`8_@K8GqD>&8~Cz4JGwr|hs1bD>mnd{H zG9Caks}q`)3R(CuylO<--jMB}d{#3xB2zss@W!IT*vg~Xe6#ZGh#0df=iy#n4G z@759lTLb9P$N^nEUr~C(h^-`&g~ zKGGmt9f}_rb?WEdUiP-78vnY*J3Bgz$ha3j+cq83=8)ZV^l^V)v+A9R90WgU&rCjl zdKBwHV?LJ{{>DbVh>hYP``8)s zpq{bvkiMCTojrT=BD){t=tn`E`=8Odmt}ic1h;1-a}Rg(Z#kyu?WKF~Y35(6>OwVG 
z?X4!e3LN8ay;tRE9{svjHEuAJ>KM=5#8@D?X1#5xlYJ|G&8k1iamy|>?{4F9k>s}(-35nE z2Zr1ezCy|NB!+)lW7Kdr^Bj)^y4H4F5>9# z+tqo4Md00>J0+n@dfP$eKaa{@99y6q#15rsmx;eZxU-yY8)+~N= z3vnz~?S+ZNflOp&OdH~;eWg+aNi2QD$7|#Cdb8Cp07!Xh`t+oQr7fR3(4P%{pzLsd z(6%%B{Sl)UdqV9J(HM6rB1wrOWIYKe=o#D}O{)GleVAFDj(@xicxK_RjIB6VD5|_T zPCK4C=rPP!gp?f&9_%eHIaWdxkJs6ivmUO8&a&bknOBvTvHiSe;apYfTqEy||8Yx~ zTiJM@{N0w>L+2NV52`UfGw(q3Acgb1CI*an5dX@kz?7+$t!j(`;y&-b{fLF}UONcy zrLQR?h7iHSL%*h+PaS>@;pD$i&gkjWU3X&IVNQ2##r{0q^*v7FY}fsG4&>k8vJSP0 ze|Xw6C!PRiF0?J4jO4H1Xa>J@efH<#ni-0gKy@41XF37jc>(Uql{VBX;CGzQ|6E*g zTtj6NC{Oh|B@n=}c!owL5OPBgDi&Pus{#AsfnU%DkNf@S0wd^m<%*hxjp19U4T z3ImG^cm4_P&^1sIlYc0BBGIX0hC~8bn1E1`MCuc3K71!sAOSzktqy1AJ$d@F?uq+%;^1H(ueM8g*rw4l}NPw!BE}4TUwH5jRx02JJLs2USR7@^9z9cu7yuFU_|117P3M72#~A*^LhYoDWj{YV66gr3O! zMRT!_YQLfxFeBRjJZYb5#6CQlSg8T3o#Q(l9BNG!fJlg0ZG4Jq#tn&Y{Ea{dC(aZ? zC8!fHdb4842In$(eE!@>b^5q?!}b3SSa%23^%3c>30V(FZ*qVSA8HjL;uzhr<5r=e zfw(luTE=Jf;8kuk=atID`@rptRkJoewaFNU3U`y+0oUyaG${1dG0AMGl9$V4TVo7j z!35eR$ErK=mEe$?3V%|X;-Il|Dz>+)66&|&Gn{3-tfsW~$4iB~rmHtQ!Py$ zOx{EXDb0AT*8Mm7bCbDBBX$%jYc4iRfd9@!D|HumJl5;8J^mFO=I@!Ub-SHqvxyZK z7TW6-w;K*u*6S=Y%2f5c@cz$s)|dc?fXCR`+1*yqZ@stLJeQNiQ(*NH?Owq2W(atZ ziM7_yH5Rjpr+>LrP@e}XPg^J^PzIk9YZO%X&&8eeJlxbxhGX?I*4LgD1~SEgCac~p zKAFDVPR#yW&O*FO8|L%pYlxL=@mJ^>bc}u?<{dfk-V4iMAwi6hw;$hZ7Xyhrjjwqh zi&Q3FXF#spbx(KV!&!Y}SIgmM{cGrHfYI=4rrsX~@g60&#gnM6fKywdFanR4eBiJ%{p!OO5w33<ohW^z!Ric|nUpN$Je;1Apznbq7dW^){#rzPRQuDUZ7X*Ye{*RJ?ga z{=YkuscZ{*y5O}JE`3oZd#rTju6I^

7MoRjxX*%fprFHlC1Np^M_9!?M z)~ZpEid=igY=6|MJsI)wM&B{VWs`ZIq@Eq>y(wX4g)5~)Y#6yF4Qg4Sgc+K`f6}?k zqva`k-lq>j>O1Y+*$PJjTHlW67DR@_x$fv+4dYawy2fswLy1%SZ=kE($#$+X1uqIQ z??t+u7@z}vo02!EWH01Nk}scZsk&`!XE7x-sg~LYAZ@K=0oe;>zS(Ed@ke+h<(Zht zkw3hX(q0LDTFf3ln3I>+QrPxT7|k<{9x^W1#U{d|PJDn@6(nUKayNYp>gtK(>PhRN z&52b6kyB(yFl=Vs9nB>jN*({l6=tWn7eEFGcs3863$!Hf4MAZRb=|SwX^!)WI_%tW z5$5t-J@Fc)zyFBRtBtEjx4Y~G7+N`VwSJ)uDTy*WSyzq=44*9fKJ6m?|l0^r$Mur}KmM>w7w{I#B zOOw&SpZy@>$Fsz(V|ejPs0!C=%%dP<=Fsw6O9&#sXjSp(ruZ$Ah;OE*gR3p|N{1oM zkItfEr6j~)?H{3hF0sE7stD}lh z_4{I4XQgpY%EFye8o9F19|f>m_SD~yj*gP$g=cQ z7^?=}dLTzNy;mif6}DRNQpx4{lDJ{uB#o9FPzUVNo4w3jb@P2|)~a-kBP;%i5jw08|B0};J^*c;4%_YtS z^A~n6nhl5|Rs8_-2gxXW&H!^71!w<#M=?s7V^HrB4S@`{k)wD-4~Qgp1hV+h4NBl3c~tPf ze9$fiT~;X%UvAJreZWp%sB6bkm+oz=vbXiIv=OiS2~sfI0U!LMIU5TERe9+ptQ~Pq z&qYWjMnLMUUUP?>3{fzK(Qj2Rl9L#&AXl$W!InpB(1R*%&~#Rl|F<{5Nh?pS=|)Gb zX|Hr&y=iZ!3CL=Ze_CQyKW?I9eU&!m`E9DDR`t!fc&Dc#k}m1ZSRHdX2jJA3eETvr zE`Wp&anIWlWb4r}paBzf<%h}w3a7 z8C?e(tff!u9}zSKRtPEeV=-to%E&!sYbEq!Uv!wI9OkZ*^Lbp2+gn;*sbfA0hR|I{ zC%8ufr1;-z84eCQXNNw6K3dZfk zw7skD*X{h#S)|M7lN=;4;p9%~Y_zM?u6Vn-+@l>uH*isE>3}TJR zg#4ULjIL4;gQawAp3^#ePhWphI^*)h|E@^@@;mKmmJXEq$mvvS)ubL}rg0k3GtO(# zIn?>O&^f5yG<_sqQIt1Z_75-VO~Oofx@2nxPxykolZUlT@phKgb)RWN z))LsrdY}LZkgNEkut-2{;SVlurO18AIXA5KDbxC{wV4wfVCwKv(?rodIZ3N2eeXLB zq(Xnf4?Fi4lr04L_|1o9FzYv0)YCAAA0ewgg^Q38Z8fEF5EF1|=<4bHBw498WOnQp zSkb$>M`aw+t2+f_wi`XaC|GKz4u=enC(Rhv)#32r@Z^SI$SB_lxMv{y+#{A+R5&>Jfr2Me=Z`BG@SSI9m zk#~S(emybDC^^iPjb|c?JdezkEOc&F8o*!<4o8CNeOtME7S(UiuF!`{uwrXQp@o3Q z_>QvjQ1+#)7ma3hWkzPZur!pC_WPco5ZA$11`pS3g`>8Gg#^1r2hYxVXb?{QGu2ys zE#I5Jx-i{Y1n}$!>NJ8c**zW8(DrO@MSg2`LvS0-7<)6mcyqASpGjtX_M-cyfq%=a zHZr1QWvhsYx%EhjsQ>IIHo%dE(;9WIQS$o3om%ODD9<9|&By@0um;=5yuO$MjT#1H zb)0zLKzSTMgnsVR0VvvSM<%AkR&j`Bc#iL-T8Hga z>(AM-iRXYc;~^cbIjF8|=zI7b$|B2L-4FpGYV6?rasjmb&nMolWRrXZ*S4y5)P}cY z_(&&>{@^4E4L<>!%xG{Imf_l%?8pqhtic#Qs?L2ee~}82=A!)=*H}oJXNLR{g7w#C zzLkD*;D2u4d>qxI^VYUexmTKJr_MHkJC>@?tnOV7?=?W6ZKHQQ<9=9Ms`R?oqh&D# 
zk)?QedBQUS+d3~meEV1eF8>?P6*0Q=K|_GUl;TuqfWc+_Th@=CoO!1debGI}t=yOC z&0MoSN;rmlmZWrAU%NC`agS>k7jQJ2yn+4aP5=U&R$!Y_0ZvG?oJqE6@R)XbL1J3{ zjd||iSV2@zHcyPfmGuvl?+3we5VG_n6+vM_ljG^+23MC>juB& zMj4P&YH*^Sm}pO?XqA}9CO-xB)fl8H(%nd&6zE!fVz+-$3<=>64fz+4i2yW-7@hI+ z9_Kk7Cw5AU0gc0h%6i)uAD(*!;(SigRIhB@_M!V|szJSbxS>@k8-+Co*+Ul1{4^R6 zHfKI#L<79P3unm(UKe&6_wr;l0_^8%4vPs(yc9g)FV@3c2HSEM#t{T&Dj8E&_vt;5 zJMII_iJy?(Y>_5rM7k<;%i|TfXcL|qHECd2wWtB(TgZulg zJmR=XcJEN!Nmw#m(W|*7tt>11T;korrPYd!Dq{a!dZNE9J~KWWuBu9Gx0$4?&P8Lw zwj57}=Qc?HFvsXQGvCwIZ#MH2ta$YEk6hOnHL+lu7ku9M|JOA8lc<`vt z5wOYKdoC}#9f{b0SO)Y?os$NnDg2p%{X3`OMjVOf9da2%CN82#EKHO0-{%qCCW7l< zGD7znH~BX#Ro1560!dq2uuxz*`tqJnP!zNfF40TuwK}2Fss)ok;2x zhuK4`bTfeBVu8fL+CY}fF%q2%VPx+*6o!^w5pCHlHZr$Z+yvNfWrG43FFhuy8Q_d2@90Lv_2jKyKW$8ac5I(!YA;EYU?)9vR{7R#gYL3T@KYA92(^4IOUu z4*bfoppCZ}_DJKP)MDLu3AlT}ngX?mAI5>)fyx4*Q zl7qAo+owXJSnmfKyJVP?Rae<$89tkxrRymr)ISXI*+A64*SqP8F0}s02dYM%TF8#6Ia96hS7Bhfy-fo~(oz5<~?)!{AF zBlNPll-YT~;vzMx36ijQQ1;Qhj7IiP@h%|bdITv(#eFpsW}#Y}q*i`5hQx^@g7t8L z4Y>5?scd~p_4oNNLJd_=18;OOR<1vq)jL&L`T1TK7u`c4ZNy4bVPyKHZHPqmSKBlqhj+^0c9CVqb$ z`t2+rV8%DFS%xjJ(~{f%TKS}eSuJhQNM_r8(ImwQ0g-}Vu6YNBpF^CD41&+ic{1+; zW?WW?LPjPo1(nwepSMI#$>9uju)zS8n~_Z4X!2zUQJV=+LrtbOBc(VA@abHAyO- zMD_-zoiMfG5N|Yb9ulG63(iPmwr`vrR%Yl9diGy@+YDP@gL~5!&MEB~fYNl|-u+2+ zwo;FaJ#7R;qbR5&grm&}Dn?)?vLP18mziBqLGSkPNK%MtkNZ z4Ffd1`c`XIGzhLb0!(tU|E0z|xCsFUfM*gt`g_QcC7Gn(Cajyx>7IRa%%R}h5s~En z^*vJT&-b*0Uq6s^b-fhQ%DLcYEbIi33SU}+?6g9%+LYw~$XhL>i;z)NX5%oB?de9) zp*d*$J;+n}N34>?PAA-i3zp5tH`rr1xn-e$+(-{4tqs%{%z=cq#l4yC4%9~~5c^e1 z9fAz7QycyM^&}Q6m8HlVonOv>JxM>+E>f%Kl(Kjc@9fcrn-jl-v&Pul&HB_1D_8id z?xz_Nf5ZZz<0~?;gnmWm<~{mQU-GQFQ=Bd&xuogU+lRi-mIlAzOBZ@l)7c%s#qESR z16DpM^-Q7_9nMYy{t!ffkO9uE&6WM^2fw|d?03`}R*+(_w3*m{(phJEikBEmw(Zzjimf1`)Xk zLJ;GnmMT!gw0l#Q6u6cB*!eN4;q&*!;d}%dk8T8d@s_C6+VX+%+|o!FMkcC(_9A1_ zT4rUMJ#Q^R&wM^Q9{8-!)wymmcH9n-Q(I@OBX%#z2vYj)ch#n@dQQoPXM0qG9UC%+ zb7?>m7!6@clbbsiP4+K`eVSW=cZO@T;uIMrPNFOO;PK$7PlV16Vb*64T5dpN^M1eF 
z`5pM|5N8Hw)Ai+SF$X|#_}8zUSO3g&W`U1zoPUB1KT^U7Tgvb0A91T4d~QtLHp^)d z__sEGb7!Ny8+>GJ5oj%od|fjecmSS!dgR5Dii8GnQ>gZ=uJySog43Uf>o;34H;9Nb zL=EBwr}9ZgFKS_bc12JI*HFf#pjN#y)+!EszFXK*IrM7C6{|FH6D zAz~z~+Q}6_aYTd2P;Q`h+RtQwE#Q5iN*PtXU^1S6kZ*dG(mpx`q;w zR?DY~8Bh=M>X6U7&Y^H89VMKz)X#HTw~kkflum36R9jO4C>0|UxEuH5q6=v*+o!_Q zrvfd?OPiL(&3FI1gi}H>x+V_xB|K^$I)Ee@N1dgNcCOBq&kK7ut&-OrZvEry9E$Y^ z*zN7(GOnv}e$6JA>JD_%`U%?{)r4J@ol0%TNMBn^jfO0Z`!ai&?0UnD(nYMkOi5mG z4$Z|l^TDh|6NhrnKGaL85?=D@*y&P+$a4F@XBiLg3M! zLpk^BGBr@JbkTg^By!*tRbKd z%v&SMniD96*mCsiYvV*h`;<&cE_`YW<+|aqap{9CVHZ(;GU~wS^WQolXTN1Z$m7&D zOuBRNN%HbFDu2kqT^85Ta0lfmf@&3a1>RO<>%n~$z3krQq$xX*8Ap#KfSK2*&+e3m z8a0mmkI3?ME;k5o^2N>_+5ajG^fx1kOi_E)RFLFE24qk7QjZ zSK$*K^=K&~vlOKO5hn zMwP;B)47~T)Ns7oS_6S<9Y$R4c0Jl&RnC!zxz&=7&XlacKj+>%cj!gb{IVua(;Bf; z?+{;+bMSbUEY?udr^d1WNnZ^}2)-a!DQg+ncd^=}eox&)!?Xo(czxAjRN zE6AcZp`g-EQhfD>9#lm1`SmIwpYf7KF+#Sg;- z@`6CQ0cR)Y!I;z?Dn<1l87O0A-;duI=JDC~G1gS;=NcK-ci2g>mLDK~YTEbO&haT- ztg?4qWb0EV3LVvb34z#kOU6LXXS^Z-8{5lV55<49oG=%3qS<*xxIxCX_p8G? 
zH`6p7-HQ(Ze5fHuTXbtZcsR@Kfa<`0kQ1Y>sudy?o*gf3*k!3Y^T^n&d8I}-T1rZ> zE}T27!j*aFor1=|v))aI1Wx9A;b4iAnX~UsPvL-w*cX!FKQ+YqAhGVWFaIS9LPo=S zLHzHc|A~>T;w)dR5nQe4jlv1VVQ>s#Lwa+Q+Kf54nf+irv)8PE2|aIKkn#pv7-M91 zPuCgI8n(bQPqplI!lhn$I5t3M+H{O$yIv8FrG+{3rHmYl)zn2S9bqf&+~#4|CR{ok zn#G3z{ibs?R(MMLK1=YijyqLo&t7`lkj|n!7*5$9`PicUdlIruutrN&cdiXBMRLNx zTc_i`ev@Ns-+&eX-N$CAv1071v-B){v6$w|wz{P!==Y^xj%DmrIwFPoLGkW@J((xQ zH~8H#JZFzwM@BZd!vmzTmBFy{KiOcTEc1*U3{G;6;E7VmX!YXx@BN@GKxFY8^wmv3 zgqdL{j(-Tr;#Q;;`b|73?&|lSUHZi@KUyOoSON5*5rpC)2B~##M4_Ix=pyF+trA5- zH6cdADpdh|v9j3Kp>0R8ej$Q1mNt)dEdp#6ziB$7Gft$1I?+FAyqWh}pU@Wait`&k zxnJRABA92bWE!UY!i7ine)%m96a4qGpo4YsMeX80i|(B95H2vo9;7eQ|2dxJGgga; z08o)Z!>|eEsv8$QQ7arxiMl0PjVqWMTR)$iN7S1j5_YhHS@Kdh z)J{rk^md^oNVW1QWn*yCm5~<7Ez^PdTEWfk@W1_VlDn%vOY&?_cJs_@7hWB=n7|GhMFR8ABw*y{_HHZ2O5G7EF>O6{_gWWB-;O&QdipSzz&J-54GN@ zkIWdc6L>cWK3=Mob3{S(e?^E}*(y%If+Kr=drX<88 zkW0=r-FS+mkm!vjcO2YHrk?p7dy#1#72=4Gqaq?Xt;T0uMDiN~fyPxH00xyRko_*% zpHnV`U`YyHc|D3?7uNotRsYnzdO~^J(GxS@i3i`IL@2dx-O=hdneqqeZcL=|iPS^n zoTJ35xlHS0!l*m321BVj^UKSyiq}UPW!| zpbJLaium=3*V7w7t$uHSgU*e#3U$tMQ+7}FHs!&1L3J|pc~UN8{?o;AfH^#oEVpb+ zr<|i_-WN%gcP(>qyx&VS1+RcS$6OMBolOe6jZjL24tkt8-Ce!~CleLe5T z``$19+538GopDupq!1mvwql@7!4vKLrbwIxKrj7;EMKZSdCXakz+5suY%#FEd<`5_ zr5Ha}tgKTfOcjgs4o4G`l^XUQT0ON0;sUc>j znVDCa>&JNVfB1K&bDP62m*LCljOH*pb-0$FnH{~aRQaDkjFg{;ojfta%>3?-kiTl+ z$GjlD$qMara`L5Co!H^5NzMQI(HAarrG}{qM(TR!BEML4(D1M6X!H^RB*RIE>@sk& z$YFd`)@72+EPn@JCeJ6Sl;C50e(=A{6l<0`HusvHy#Mk&XTNb&soan;a_ z6z=19=nn!^d^;DD69L7Vo9iBn~~%UWIc zs#OwX&?x+mW@qTfL;Mxr(VZ;?nHE^U=(>={el;I1LJ-cWi=EyXg{KCqe(uENIW|e1 zT>5jK+rCYlJj0uU>7|Ytlu-*Yj;^C{sHS*gOGVnCD$6B|ka~SiveG}sGaYOwt8!Tt z*gksJEsZWToLg*kXf~9qC{2;9Md?!yvT@~20xo(N z0V}c5@z|^nj|#pnIsh|h-ojonlkzVpXPU$*$rIBgaHFtGWjK7066UhYSPV*6q43WB zBKKba5a<0!jSMus8~>0?2T=?beO>f-;ODK}ncYO-)qHRrnwawSuu7ejF=be7Orkwn zf36)Nm-Svzh-HI(S(py_HP8;o^Tp+o3rN%dpaIN3okqZ#Ag_w2IEFb7+IJ_dqz%Uv z-+N4BT0_8nZuzj!!V*8^_lvk;CYWSW6rB8@Gs)SJUVU@9jYu$ZN4`q_Rf8y9`kwtI 
zL`toce#015qXxBL!jM^nq0j#`#w4$%&4Hp&&HY#PFvAfmb!30nm;y0%q=XTG`h(f6 zLNP=Sso=9&3fvNU1gdENG(vaEvXeiCLf<^`FE{%uwS+t-6|g9!bhuGNccej{t=C@M)Pn4P>}P#WguBz;g>-*Ew$MrKW8caD9u8`4Q}oan$ta})d>zhq-ZLSu_4J@jA7 zmE4RZHEP8T-D)BYu+c_PGE?9p4)80x`S>$uJUDx6Kg!k?!11>e>r;V@EqJ=(3F98a z=ZjOymenck>MHS|_kAlwi?yMf55t7w@!QbB^HTlDrxQZidB{rsh%$PPeuP;p4NIsf_#=YYUgTJ}eC5C^p{Y2E#AY_=YofUQ^suNEYDxFvv zNQKKrRS=VaI@s6(6WvUb!-x=)k?gQ+;E*O(W1-(ht$_YtU2p>W0#ff)dEN`Cz)^3i z<|taP1)SZBYhLxE4m_4~!yfsn(roi?HqyYd-_@oe#-x*|SQSxeP3I z(Rfr|g}`5B6D>z~Aq6nz%r@ossv6a#G2g%x0Ov^(szA5waOfB_yvj9?Grjg8R%$Jb zguh*8R**E>Oq8SrkHgkikaTehB)O9kmC4xk*w>bXUqns+Tlkl{jf5MNwctch9T&e_C=7@vs zZZ?bHw!8EX>paVKm#AMW|WlDO8acDM^g;W{fASF6yfcV>%(NR{BrwyBzl0M=5 z^v*_nvlPo^f-GzwN*GQt#JCUiKIB9zIccy(y-e~wkzPE65;1jOJgHj^oNHB$g8t54 zSMrk}KJr*|-!8~?EY-bG!HNmE2o_Ne^7k@}Wsg?<*)p9Mo^d;Px``+~DE7A>8pWG; z&|DeVeLvoucPvuXO|W{H!F-sQ$Z{J0z^|lclx6j*yNat{YR1eiqtkq9w^ zX2-q4wo~Kp=bnr>%a1~FkI7j5-S;=x5ie7xyO&oz&83E=17RHHT)}DcTBN;X{bAM zAJuz?Z4Rn*i8m^nLt=BK{ACG>z&tZ@vnDs$ku2B+8o>itBmKqu^{cc86g0g5G-q0l ziWie9y)NMkIk8+xoNhN$H(@2v>mW2O_!iUm8S$aSIVH;x)5?f`ZEW<3hxWF2|F41o z58t|N#r?cvh$6^_ANnCm|BjH$`k}RpwnYRHJr2nVXjn$D!iS`049DQg<;snkzp(^l zoNWrkN2FbC>q&~wEZlR3jIGp|H^Z0H&q|*RY}=b3-7tE)bVo){>tZb_$YKnZ+SPeZ zp!!c+%1cMnh<>w7J=Nn3ZUm~#?y!%1KuX|JBsdp5T8qMj19#w+CK&Ub5O*p>dfWB! 
z#Ngf0nx5bsjXNQcL1Y&(;HCCcyDJCS=O;x!GQ3wO857wUKjP~6R)us_e$qT945%U& z%;X${ar;51RZPqHuv1et#$+4Cw}@4+ONX3_I9MJP`Y&b5Y%#Nx9QM!F&TbmSqy2Yl zF(&9#^K*6vL?P_kLCWBfXO1->czxC1`0xhIA$>&OZ;jBlAnr=e!hqU10rh>N`Gk+* z;J8@x@eOC^(c;D0j?`RgMNAgHvPS*yu)eZy*iV}tfjAeR_QQxy56K2Zy+ArbFGeAw z-b?RP-gnDjbETa2*k>0PFKT{-GV{lJuP70XmBPJOET!OI>H;uC8YH%UHaR3)*t*}0 zw*)!3J(Y%<0g!lSnTW7@#x#&d8zRfMJrP`=Bu$Cfy=>cTuDDpYlB^KR!jGe>st{0q zDst_shCd6@d(oy=lyC-oqVi6u4GfI`6IB?$V3(IXQklSBGUK`h505RHF!9o9_7TfY z$ll%IMJa-n8cXetoIUF{B>d|;@!?I0Sz_Y1pTrWa0xGysR5+B@*v?FYe{Uxy{DN_d z)!mmk-_Jxm@|}K`LFF6i7t*MHr!p2_t7{0J*hBaGxN=C7(SDFaTfa8(utBh0YA>jv zDr(0={b&4c8+5q&xtec8FwXDB_s!_sce9>#$PPu?*sXU8Gn(19QE_YxdZ)_gT&Dmr zSYx)1*6L||mym1Cc&D%!MBbw5Rn-R))}gf7cVWk8Qe0Y5y6o)id+xBPJYDIp9)e+W z)lM8p|n!XX{dE-ITB^D==%EIv_zA7VtQTTcR?M_SVSDMB~uSvC>@C z%4YdNX>ajf=bRbIpB8%NnV3R12((dqzGpBU1W%5u{Yq0eu*)&z(t_WZIhBXe+##fN zcH7L(3H?ag@tvW-zc8mbiYKObh-5Oayct>wF{T;aX)8%W-tqJE%k3B9wHdu@c!-}+)DkTKVqD|Md@YYRcCke zcbfXPgA;6}xYf8(hpD<;?_-s5#f-eGd>52hynMlc#GL&vI)1qgYI0FooF>87#v;&- z;Wcl}pt@YerJL!FKsi^D#8CSxTfCd2F5&Lw>Qyf#-g-y{N@vx{^u?T4v?jB1@6j>;P3&>=BrwV3mZa+I+>%i*J9wn^SGOlM{|v4vT7AKEQ-bIFrz>MX>!i3%hb|1aUg!Q% zS~^P>#2QCO+7u~W^%b}PVZl3Q2$Mol4;(Ja3$JM_=_>;Cobg zNrJPvHjeG&Q1^hZRiR;caRklf`kgT*LH-jJOk?(-nw#6(7b6~Z>CUEs_l9fNiTb2m zDy7QunFp?!A6*VsaardiZw(Psp23sweL3q{A1Jg8z#+=pUM3hl7vsl@1|qfmww#HY z;q7S;zN@*RuyEIY7VT1AG*%A!$rq1b?q0Yk-@z4w8E#R3K{@05M7hzMIOHOKvLqv` zN_yyjoJn&;jDkjJL|Dg&v7u5X(M>IlDNZ4yAcEPL9ST1i9g-aw9_P;(qD@7a8!oGZ zBn*=WP-|fSOOJaGsB5e5>W%bQzeo8@UyGE$jX<|ee{~64ML;7@#di7SjNp$BeRlgi zrShvXHPKV7CBdnd$Ct$L%8+;%?ut)L*glS&r0guCCzt(+I}&W|vJN-ZlL(u_C7Z^w zJ8B#I2RUbbeQzP8c~x`P&EY^z*2mMF|PP68Y9g|GigMLi*O`+p8w?fc2AU$ z<2@^<=@vFyu8n82d{dr=eU(QY@LXi7hK`5k*?gat{LGtM(aI+Ijf`}Fv}~Q41*t&d zedwboN1{z}?PKV2b8d4)95*?b0U9`@i5j*be$*c5Z$MOt)?l`njg& z7)h4f(TWj-rF+^q?&==O>7IUNcp5_G{Lq!>?qOgo^`Sf^`s#p042Qnh&9rj0=(xI` zF=7tv78U0^mS_b$Z73NM!Tn}~C~RuJ%J9&)NhdWt3+gD1C*}#mU!sI;e~&U|_>mK( zX?}>RW>aY*bzXXf*uRaHir$atl8F+1gl)||JO3@q 
zp0TNUDdPPL#wQ-(1^jKSF5^D06X6x{d(sZvZ&uCAWxqMqaZ+h#HnwVOC$Y(_vsbcDc!S5+nmnv-A#lMw7Tc)l_LdxXFdmrNOdDyPb62SjJjc#% zw^{ATUE31X<$5oV)5eY~vs2wQ1bkn+G@pGiCL@kT`aIj7auu~C7Ww!`?5uE^!*s{2 z(p1ZFH36yIWo@08vZ5!$6^VF<_by^)phG64eyYEaFnyX`dq_G@PELQYH3i7by)tYE z_(8po|KF^{IQ2x!U46R4yT5khjVtEmeit-6`jh&F(=mW`aLd#1qG$Lj*V?Yz=)i#x z2G?E-q8WX)S4=0`Ikk~*U0Ds>ce~&Xpge90bHUQp;pRC!a*EtK%)z%i?aSgyqqOgP zPikwDkw1!FGMYWj+&*m(zY5ui9d=1?%v8B=1e)TDaNpMbPJ|deIloB0(_34qyGNoh zxv4)mxT_1gs(1`Z?cyvkiF#zZ?m8OHDDES*VBqi=nZ$DyxO_9luy-CCo6WbI4?Wq2W zv7i49nol_(a;I~1siXIpfe=p3!KEwMSX1BW3{(lyleokCCL`BnMB>maQc5_D!UybiTqkQdbcq(DNZwt+MR1hmc9f4s8mW z^3deyoT>0IP7H6n9)k)e=&U3uIFbw?UFY`#uF>n;0#_~4W-WNf15J4$ZHxT}nL0YHx zf-s|HrDPeX8)KD(<#1!-1451|9jF=;e9qsec$0-oZvL6j)VDxySOYXII&7Mc6Cp}O z3sI~d<2oAjo23(ZP;<bT*I-M%qUfwVvDU5*r9m1_&0N*r!fiEdOSeowuZK9-A94q4mcTT6ZN z#EMo_U@#uyA*N|D=Tx%=F{~wh|1A1nyOl@0Cg-KdSmgcxh=cY{nzFXXeT4IUnC5ej zRMB(gz*K8wX6X_}h}-Q48!)YZlC%T#T#5Zf1imO#ZJWPJyo;~=>cK}uoXl5tE(<5f zNYaGo!C5#@gz8s!k~YLIos)msnLp1vub`OQs%|IDLaV?xBs`tP6ju)1IzkkD^gbhS z;MH3BCLba9u^T^z9pcdA1_Bp7Fi*~D(fL@LFf(DG969zkQrb%yt&CUma+favh14HM z#6lunEZQ>D8dT;p60&0cULp#l@V;n65!*hN-q4fAU%rp(b_QO`<_+bUW5+R98*KHJ zNP+W41X~Bt$f3otEGTc`j{NusP~Y*inKShAM1WyigDd^x0=p@ZvPDTg+Gqnpg4~Wp z8Tlu1%9XPc*q!+2-Nu$G;M>Sl27JHTlnMlH?H~FAFgK&s3rEC^4q|MpiHerpaRh^Q zsQp7kP(9;mIV5!aP@!T`sLt$Ht-jV zweqW=S%WGgumaNxe-{?V@J1DHfqmtXHqRpXA+d5gPn$G;^S!d^4BSkkWRDn|rQkFS zZxgK)F+&a_*9U#m@Y0&QE|`W zU+^r?D#TE(=b7Sd{FG?z`z5=zgB@ zo9NfJZsGok$q6}<*E{}r$}N)dqZV~?@O$-fMG0@P>N*Unvw(cZ{ch6DiCW_mjoYf{ z+BDyjXcsmTW>440 zuI0CWkbh61IQA47`QnrQP19CecH!x1&W?Q3qOfd~lTsuGGC2;HB*qo87LnIvoN`$mTCrq8ct7iFxRDt8GQyS0U(j{{S25Yx2G4s8w{?Ygq6W zz!d;Ph>ZDwj=|xc+ra_EJ4U@xJ((UX zY95Qql$z#c_6amJiw8|z^B*Jb_F@kGN@&JCunzguDulAQknu4bHih)lXxEH%iE|2F zu{_w57i&w^sV;)m)q9VN#cB|+CvmWSu)v%?>76qB@^VRW|LcSECz}YtOX^!5!o^gM z;F7wV#|EJ?hy>j4+ABg;q3itBFLZuaObcTB;w=Y4(Zj~dfwwXr)0G$XF&N!XyXm?a z1#$LTaRiW@yF~+eN*73z$Cv@<>a^S~HXj{tr76%b>y+YD2}ZNf(WgEjy$!`BRVPf8 zA0Y&9TzRlYWW9zAV-boPir`z1w03g9i8f7FqzVgo;FK)qq#?^?B|*H3#Q 
z>rghE$8J<4Ay`sfvknb@D=^WqdU6wSDl(Dl;g?p4hxy}*91n+>r|}DtkhkIRBN;SY z^|<05;tvfIRVa6WL$lh?xiN#9%;lkuD9|`7;b(yTFQ>Rdu*#5hN0llu=9IX~?bI`D zv^lm(*EQvOZsn0{pW`X*Hx@0HaYvf(FuUnosOU*n>W&wbQ$1VYzy=ejIlYo2e4zoyJVU)(LE*Ow95&ok&EA$g4Za+`y!u-wpe5fA)F zg&7U>%)@ZGOvzgV6|%Jnnjt?%dcdp;TW-8@r;p1DTl)z5xXfB(Rf}3yH?KpcMEXke zklx!`97M^*Tt@_}rtx1>y&Z`da z@w|Py@O)JJ<>zl&Sa9q!UKXDDKgPa=j`DH1Y0SO;xXMqv_?*?-4r2+|> zAv=6YCPmZNi2Y9#GHg%LAz!Q`jC?7uxnYMA_*9%pHQ`&^@J!p-7E@4oongROMYR}b z#Yd29-O5F4-HDiUm$Hb9HVMf1u>r&xLL?*8|LR3Ewy;ppJ#%e{Uvggrk#*s+oUTw_ zV|28L$7Udf{LoF}54sQA>2P|SqUdf8z2)R!s-{jw*S}3=qFif%9@B=WStw4IGtcv_ zCjK2tQk$TvqT$;!ODAH@Ad@|!Ms{)c@n>&qeV99;U)k6c8+d`jm6!+|3#Rs2qJEDL zL|62N+TOoxTYsg?kqwk(tKh~BAw;(H#xRu(6c~o;xTmF8IQfH*aH{jIh`0?o1n5ZE6yKo!`U3eR4}=!X zFm6?b`wK}q#l<}ezKYWdzB_oc!On>zo7fJs-Zj+cBfa%3Ou5BAdMM`Or~uJ2lHNnk z+iv+do!`dK)<>3O&tz_w`JY_=*ki6PGf)?9X!^X>AFwa0S~gkf8`~4z-Hq945*E~U zXOY<4kO;O=-(VSyyQSw)J0F_gnBk=zNVD7}01`Yo2l8mvI{mq`?Lac7l1L>YtFToiR0?NT^y z5ng9hOF&lR{OYI7Z|$5|@M7n`Jgb8L3T;usY7Wu-u;^+#5-o14$|~iH>$?~c>6zlj z6nolVb}8)F?;c%|RNTI%0d6y#I<9q=#I=a!C9iAWq)ZI9PLE6Km76~jR;9OsW`H*+ z7liQL9f$c1aaR)?Hyj?6khyZ@^NJJ#wBr=xwfb(eWh<5`lg2J_hq4tVF|wR|keiK;@!l=WSy$9D!)c9rUenIB6XAhaz$*ssGAH3W^w_v*(!dkwLQUn&; z7ZuS|rcCbSKTn*QUeYw%Q8P)qQ%A#sRykut z3SHI7iryD|^&VfP^woruz*k4bPbx`El852%l;&RGXIOJ<1Wq*Hc!XFibZ6)eEgn;E zPJ&e?U9a~CS1N05q%T}E1_7vat_m+}ZG?eF=Onx^f`#u>JT*#4PT2M|1aHADXu|(t zj$iS_V(&Lyg?m6@`Io`*#J6;92QKn}ZThGwrKoH%u*$Q&XPE; zxVohjY@5J%R>dPX_%hKq!gxS5stZP8)_+Zckw0Zro0i)?lbA*>wK z-$x3DF;+dF1Im{V#xnt%cooQ+a>`|#q+;MzK8xL(60Rn`QLO~qpdy`Yo8lcaYGF!k;i4OgR4%N+opWVLp=9!UdskA3IYWC(W!4uXQm z)wG;OgSnOXLmQ?avjy1a^6%T1+p$$D;p>+}%|@1oI?YZOdY0OF?#rC;7nP+rcl2o!7WUVX|GE)<;+B#URbg!IIIf$`}>p8|SP4y*X zRtL}%;A+yOo9YP5TVN&gn ze*DH#$Kh~8EDW4v`vSw~VMTT0Sb8utfrl=rut78p)g$|(`)tli4vZL!c#Ezq;?r1> z2gc;3B5!4IIfD>W6Avg&skZ&w@t8tu!(#ilF)7$zBC!tT2lLOlK?-G`hpTvkfG-N9 zB*f%syFSCs;^`W}3 znu8BK<*?1i=Q^Y+p0M=ac_tcgHzBUsmXVjup^WDdZ79L;dC3D{8oZ09e+g!R0Xz%7 
z2ris9e|dj)If3IC_jPD);^@ru^(s+tickMQqW&gAtp=a#Okt{YVRM_!bK16x0-|`KXj9*=}k{z{rd}jVq-ub0P4If69NxV!= zv0e8(0ny^e8_1tWLe>iMZ*WGJJ4!ZIjd)3|PgAaSDk!Emh|Z}R4@MZvC1){x3#u%} zo_GygQUbDH=i~QYe|}?Z>=Cq}qb{FkZ*QCW$rGfvfcl!NdUZTX#_H=r&w*Se@tL4T znBz4fiWO?X;k##k5_3Fe@Rw*xE_eGrC)N){vXLsgd21oZ{A-nvhaLK)kVmh$M^n-I z30+RJ_Pdvbip4T_Fr?g3FUh~5U&ufbMIypGz3OhU~D>+IAPthZ*Eb7 z06NtND09bmV4`O|V@M+$-g9UxX6W%N-zwUqR6#=TUx77#X726I5x8@h1cWR!U#4O6?h>u;68TB7N_gXWIPi>a;#Fl8ED( z)hmwOAt}4>*CVVmCy(4(ANrlhy*9T1wr9iabjL+XweesGfi$lD50ktX+Yn3&7xhjW zX)5A|qDst~n{{W=Q;jnRs2OlW2@@}ad+?@FvYW_dZ^yT~t{Z-0auyWMvwzy1(JiG* zu<(Laa7CPfs~dTz$3NK)`GeHrBRnBJ8xgrpXg`Xo5V)CFBk>->!w#;27mU`@fa|sp z7eTI{O6I2rZ6(^-7^(OCzdwTiXsJ^udq7!$Rwvt;6K!(rt^lJ7%cPIbugzDnL^ zXVHraPyciXqA{_Sy64y#=@_-}#?gAO#1f%ST#vCDR%r|g!kC!ISv#x4qZmaNL$H^j zvKxk^GG1n-Q>|62#-A{0?uCr>Fm^0BAJFT8ZM$y z#m1%v_(^myy%8bSVE)RcaXP)U_jGfnL~@1kP0f1tK4)RFhGG~Emz_`K7Ws2~ESM`B z!bBOm3uY+|nMNU$2< zHv3sAg!z_aOZ+TL5mhKvE(jy`1fm}p-EXII1I@Qt6vORo=TW{t{Am+{NVB_Lqul%Q z?gf>bV8vZUakC>mK|0PE^YPT-VNJ29SAgQ?+OC^6SN#C=s=~6-GCo%CfQzHUA=OKd zp{d7p8aa)(K5P@Qs0EN27sxXlg)CJ<2HZ?^5lhlO2KhBtA<0xjTrg>BY{w#AN!Ufv zAf;Sxe{Fc<+9dAvr9c}mX-4jR1WR5gQdy^un54yzvJu0g-W%bCN+E~YD)^#+KL7$K zr94V>bV#pZj?-h_y7*meiKsf}=FCa06tdRzgky4WSMSL;$u*;^pRehK4)l>IQRa_d zicm5{n%TMQ6fln=n4QN_%C!(lfdDJIU*{-%(>R(dQAqS|A0;VD6NA4XK(gCp*!plP zc_I5D^HjL9=H2rAkElItE%M!Z!Q;TK#I5#^Oitl<(AY4LyIHcY;SjyUm{%qlzda>g z2M)kBw#7u){Z=~n0z_BH`sD?d82aVGuLoj{>vL3wYmM|KG6(_tdLn)Jv`S5PAS_pwboL%a*R$1VJ6(vJ|7h!L4nk;oJvLNZ39~DWFQN_bEbEw> zKfbaX{pjp%_&`5KkC^Rsb^8x0y_N^0R|IT_5xI@3=vR6_(BjbdMJY|yO=0(#5O`8j zaP>iqlf?=MIlhtw1sppCSyNACS856Rr)hRwnt5g8PtlVf3;wvVN`Gi>;1(;P1n!Or zr-cYM^1LxB2x2M@=U+VBMA87}tz?7~caD)+#)XrfEDV0ozPVnUiFZY-RM5OXFqlT8 zOOdJ2U&kBW>spQC&XA;1Y;x>uc|Pv32BpAjqfw4jOgXditz39)cNDH+Vhm*VqN>#aQ?onlGd@{fEB6r-zpZNNk~ zkY5KZ;^8Dm1?v$wE%#K*K_S;9M-8jtF1<+c6#y^WB|N8`cU)Q6Q-xG?Q3LNXeYniN>@)7}>Z&F9L0Y zpMBvfGpVh|Me!=*( zSdL0Ck|eQp3#E)%xPs8ZaZ$@j5%5hr-PN!(CCv1B@k-ZjZ-70*20@treO_o9pIO49 
zb7m01p7X~t;w;3qTKTq?%^NeRB`cSdvNDX*N4Guk9>8A6UcEH8GMi1zZNwpu+)wrv zN(z?KBD|ayqoy}AzG5DO8=zKKR@0!71E=^wO~gbAp$5!aAC}!K0~vZ>GtNxfg`15> zv0N>m8AUV(2F+IT;*clogLgh1JZu#zKtx$!#zH$`J=m1r)jGiesQbj$8k7nf7c(xC zN_9-(W41=(R^#3{NNXVZq=W?U09*R<(CEX^;tFlKK~NHvue)7LjGzIbw9XU^;Ksy)#iW6Bo+X}$clyb}S%PiaQ5 zgWB8bs2-8`36fsH%2(hoPI#)*DeR6TO-l6HU-tw9NwxCr!2AbSR zx@UW25gv2Oy+9Caca>vX|Li$}*n53RqU1A}+JGzihk_n`FH6dBL&c&6nE(r&21cic zW9G?Mx3JFYu3h5+nyqbYpUYHlKfflGG%yjd0XX?3yl}op*o|S~ST{zOMZHf-NOB3L z>pF0|L`9tj3#KTQG#nE-to#vSSAh@u*1Rv$EA?{JH7S!?ucoy_8v?CL0dwCj2XS;h zVxeOfH}9e{w}?7f12*LOjo2Q|sF_gO@b1X=Y~oZ_8x)KT%B$;@8zV1r@B-_LI}UO}M!Qr$LC zp4?NnJw;QW&#%73;M)$1*zs^9oxt$F>13f2K@GL1iQn_xmwz&`P3x*UnNBDZJS>wX ze+ZN3OYsg@e_H!h+%dOOu$=BYpHrDBJnFe(vUQ_h5&@dk^o~j7 z>-$Em^i3g@5h8{F-O+U-j2O#=N1V```UJYs^{GRAV~uLXA$M%=m`U$hNAlNqivnv5 z2;o~pmADH+J<<&3HQ|3YF9uS&c)Akuv0cUDy5gw-#odEp z74xPy>ZV?2R^w5G_c^v%t;rk+I9c7iHpBZkAx>Nvkza4ovjrK@6)00lH;sunj|TRJ z6=frAknj!5OynsN)6FFNS&`3)rJ3sej%Kh&f{!Rrq8(^g17&H+RGz#Y3gsYcV8^95 z!#&b27nND#+X?v~e>1ydBq)(5x=2+!mbt62ux8PNUVJQI#Yn}We}xtuui3a+$h3hB z)>_%WOUg=$2E2BRvF6c@dDg%*e76wg?T57k9*>hLN^-ug#%^RmgwSkZ-O|TuZ~YeZ zpqtj_q9{vFB@KIsSsEgbm}1#Mggv8wKfo7SVoEM#B_&q~F3 z#N&j<=hnVK*shb@ss(w4g0&i%%iIu@@%C)=9deN}(Hu!y%=*%Sw~5m9om271c| zH($rqjBm~mu(R`#nB>~+(;vq%xnGhHBItW$Cs-x_iS6~}P%*roIu6>M;W-%fvR40_ zVDrj00B^CK?WB(7d3a@tcKAs?Sa5O5^@n_POPv-T)ZrF~=a{O$zsxA<)>ZHof|Zy#n8ai{)U`gv^-ZD>kH^vNu4H>N zw_{J5N-rX`DHJ!I3VZo{=k`|C*EwMyW*O;YsA?H4M zp5q&G2mYX{)FU5yv_;VW$bu{*blJ>Bim5`l_IDagOHNOhp+&KHcruk%i)!QqFjjG< zz;L%Kuel0v_y|*iea+N#-0{5wS8_9T?3!Cl-BWyt-EgDsbfqMI%0F3xk+Wxg)EB-I zDI|3FagoRwDjg5&1d?L_z?;ch5&z;isKN{7Th`<~t4q;SE^l&g)LAu|=7u%^rORva zJox44c~i^J;(Iw$mD?3{ZwY31Q8^rLgzdslm>k(!#;B8mX6 zZd;Aa$8}AO@WfS3csEbtr zE&Ox34eKq0;wy@eB&YlkYgWe)!raTY+Sjr6NZ+D9CwP#4*=BP2g@aR zlT*@q`K*tPVfq{Z(Y|I7?1hP(Y%7jd$1eC6G&yORzZ{8Hk;VDf!S~U-B16>}E;)}m ztx2&PO~Yr*mP}`uw{~AbMwsl;<@7hSJzf1pat6Hp;O2Vp{aan;5wD)0Qtr>Ko-On2 z)o!k#LrlAw%uSY`nr*$vdPZ#ylatZ-N)C_vV&4U{0tjN)>~eFMg16LHGQn*Q6O_1j 
zU*m`y>*=-yW`yVh`rf!hf!#`Sr3tS>cf!l1C-6mP;cx?loj42t{PmikT=0gWxf z5XHedc4!1fs{!Jjyzz#GSnOTc{3i_V?|FpS7r7J)9@dYp%3RKy+=2B{|Zkweq0!|w*hUWwysk?)js5yUj3T%62t!TwA6cx&gN}0dNM$& zym-{?ddn_0r!-2q({TNov=d|Mdk@7&MuOQGHwL*)4N8$7TaVwhUwP>_6nd)k>P>g) ztq6Lo;6ghhb*}MfB9&BiRw%QP<-vtJkij=D}A~X($}|o)CTq7 z@I-ONYSxt_?v)u)Me3Ci$=mAFEG9V^J)@rgRBbn6>^#h+As|skYP4|z*{{}#!$RqO z|19I4K`Yw^Jm)kp8>Db&Mb*NVLtzA44PmpAoy@dGLg~mtoYO=PE=oNg_vWxDX2UK3 zBLdZLF<0`~DjaF4EZM>97WGVg&e;mz1y{1aUq{uH_7&iuNO?KXtKVdJ&j+_^_4bGw#x;`OL`8Xy^P44F!5EhN zQX=Yp?Wn!}ar2h8y}qN*=tK}vGoQOL*aHxs8N#`Z2mN2K7@#> zMo`Th*KW1VYQN2CK`gkEyGgxFEdF(-FBU_TkP;qY_nST3QUMNt;0*7p@el79%ZekH zTewrn37wclf8b28vx?JlZORn9A_)aqN|*KAU*%oPIy!u9t?ZzHRg8^q7&0j4ZYljf zuF^a+*}y42^E@(ho+mfUI_f!rhfe{zZsoaSY9>i@T({(s zVnHoSf55oE)TLI+pt`+;MV2TM=sDA;jDkW@k^Dq^ZtY)j+DKF0P=Kd1%QRLy|9Bc8 zo|)XXNt3ETpsgc1Fot>Zh8&N@oL22f0X}9aN&@{Eu~G^R}@ z_Lk~va%AUEB0nr^an8NJT&pz60Dz_;gP-}mT3xU2sk1s*M806Zj5h3fRXYWGf!02m ze9WrrWsR1=WgB%kOkYcMwtJ5q5bZR>SfG9lx)VkL6^t3B+o;!`6dGb##9Wx*JcY{U*XQ%hm=1hRcpA`D_K;4of#wxBDi((3otf2a5WBv`%44C8)G4YDIcqGpQ*|H0u?JA@QIKYiL{#Q zJ7Eh#rT)S}gN>wyFJ5x_>Z&E<>HOK7vrWsQ5@hgbzsGv{RT!lzGko?E4n}%AW7%x_ zqgI>>@(94mo&UR2{Ii``ESGD?x?=17$s+{iU^)nVBkN}rK5^h{85olY2@JL-45X** z0>?a`UradIu-q}R#)ZW^^hyRO$8+jVUIp`Lsx>rwFy@DKV#U|pOSqzm%_aKPzylDi zP44Il#PJ>OESfQSlLc?TidxEqU_a_=o4L#kt2R0j2}EszVg zAwoB+%%D_@>8luL)yyr&5D7zel{aG@(da_=?{#1XL|e}oG^w_ZVuY;-B)7lnd)Yyh z?hy5TlIFFdgpPVSR&CC5XLb;AE!5n-VMzMwVf6~(L(W$|84h0+PNcp%&H-Pfw!av( z&$eLW=1#jO5)JpS9Moh-mBX-`v9~s>Usk!lny4XBV;>$DYAUu@wIa?j z0=tArvFGDNx!seM1PUJ{^3`@Gw9km5y#!TIA~XN65l=VtGi$0N{~K!J)`jNiHe~17 zQ|(ftgs%yuQ(8g=w@Lw0SKe|m(mNAx>8-xgZNuy3SNLA~yn-=S_EI9<2VerV#aV}` z>6_dhVROkoh|IVu7og&9J(Ry#$v$lpng#jk z6O;3?@ogLZWvxjJdm6${cR2zSy&KnOSibmrHPv}mKiu}v{Qfv`Flu()sIOZuTpvfKHxs++ucVMhgKf_H)jj^Ek)iBuiWeNe-igHyQ6BRaL|9YPa;b+|=DR zvl#FrK`2bG)4YvMGW%dB_mFRP3O|UIy9T7+ii&t#j6O$lELf2~O85A3*6P^+tWmhy zIo*)*j6G`jk#gZnV&~3x$?Qe-Lr&{XbsPns8$uX0tWim>V3s}gIYPamTJ%v8aOS*K z;+y#HM6)LS68Vhe6{MW`txYc<&(oTeX5)r*Q^yzOe3D;hAd&I(+6g*T7@<#ZNuI)h 
z1(LHmj(){fy7dN=rkkVc^{akQ%}~!aVo$$uyz>YRThOmhD{9kU@_6g#c487*L|Waf z=CX{v|Z|DesVIrU9kD0*y|`d-= z%pm`QvA`=1SHkeYHJdxqcL08s$6b7$FLc#i-us9%YNdUhKsDucQvst-^Z6yUF*Bs3x+u6d(o~k%s0edwo12#yFAxkf zrJWa!0$0AHfH@YFlk-8j|99x3OC(1t#r4u^o7zP@hZ}ROTQr;xe1E^bj!vTU72tUy z{sNAEZC9!o3^rmAzGK8SW+5z76wU|u{ujkS-tkJlC6E;Hdod947nnOi&77c$OHbgC zhkeK3{OCKH!?ow|Rlj$|`0M$!0bYJ?=JZ_gx69tgf!-2YoxnM&UTO1!AAYaJhbkar zFR5{F{14Ui&W|oqip>(V3ax1hE#{|Y=SRO;F0z3t;&hQ}d2I$bc2hSUr+z9PZVtje z=)8-yfwn8dEy=K!_}>?w0KEq;aN(AJUT(^5^?CD~@GodFe+Xy#A$*88L}&v%`Wdr9 z-kJcO+5m=&{uaXbG5~-dUUV+)cex>Nup3x}ut06${SSWq@5?@2*pvl#B2<*Lgrdx` z;YYs(%<d8Xut4)Q5+;th-!7h12SMP*hc=K?YG7G zu)sEW1?}SUy(@oRg{v$Dm!SAVvxe!voDzb$jjDaV_#fQBmlSxaIZlCJ8~hFqaHoY( zi2jxguoeo?CBN(fY5#EPKHPDX=dkggG6OXMB4G4?B--$~qzk}5&vE4YHNS@oPWwlu zfF_?;fGdC0=3yq9-?4+&mG2Fmh<}_0O*`%DDeun`8*I7X932vXoqpc&;R1l$$bGr+ zGZ)&U32i{{=a}C{wmBah;FU1iB2WN7ap756?2|pHEqF5Jd_;lQx$wq0Rmw#jY9Kd% z69!K@olisXoC?5}gi|?vFY`Zj0N_gehdRi|iw@g=pQJETbY=|71q#|i$)Q-FfBH`9w!>Kcf9LufWfIC+GxP)0LQF9;U#}&kK+3m0^^g(Tn<7 zPB$nEdKd}5CoPld$rnoJUHP9V!qhud&GJZ8-|W0p!($`cYbWV{ExzC1DtNPbf+c@#g{0Jumx-I)P;XUD>yAW_g>TM$!IKz~uF1R2EP5USthx>bO3M>H?w z_JMLCzsv0vo9PX|00`xV#dLw;n7{lnmI$iOa^8sGHvPs6z^}j+{dZ@ps4Rr`X4O*sk0hk2GLVU>r=v?2@o%;m8Qf9eD5M~hYQ%>1Ecm^ZuN>~MLhVCTmJ(yocxzw!GA>pF6!KuKq1^A(|>u?^HBSVv)5<9$rtq5IfS44m@lTz< z3T_&H6tjVe{p<~38CIr%F8j6e?4SPl5n=%B^Y9o){biFtVHl~(zjDLLe?_AA@5}^c z{qm*2U%vb^tAYQF8BYBxtN)?&AHMv{;$J!sv@ggnq+cKx&;{Q7$0_{-xtD%v-X$SBRc8>n3|)Jf{x{^}{w>4+9DM$a zaqX8sZCXh91G;|ahBL#-f9ZAeuSmeDfB7=uFJDR(0Ka$S|BM+<{VNdvQ2GyF{$}wX zI)4QOH(xBKWB+gN68;U>w89|^D@shgPYK}zo9>MKg8g5~HKrloaQot>kjd1wH{>si zK}kO*u5(`CkDfZ_v~d03dH=+K-*wiRfr(N4?hg1uKj$J)-SR*BUe9q8BT_TZ&|4yT zpz!X7#aegQTa{j!ilEty-M6d-+}1kAAJBQ`n{-G8xVf#PNFiox-1A*f8sW4?ll75F zzed06NvY<~Ya${xB5B=isNB!|WW=9^dN-txr|Ih-7mcUw?j5epckcQDyYstaP+;75 zcB`QNm}{ZCxe@BvyLZ+!;j?YK-M!lb%&$V*COuucO4tQ@n$lTv)FHpxs5Q?%PX=B{nDV%PCJ`@#Ci}c|AQtb3-hq1B?2w zoLE?vy7ypIr~2x6o`K(qUW{Mft;7DI6Z6-xrNEke#BuYB7B1~Yd0J)3-vd=}MH 
z#}<5^@pU4vE{OI@)11I84r?=R3A%R5^g%8+`=nY&wh_LZze_Iu;FRtdkihag36*|x za=OvZPxYyv(8_0iI&ObJC@{UhdHM+l*7cuXM(fu1(IgJNkY=0rFbcrUdSY zx7)#4P@|N0t@pk)AQGm{4&+BW%IvN=MXvU&eO~kPgEV}sHaj@&*{%Qf)*N$rB<)1r z15#ek)?72;=piEmEtx#o-aGK{$g9%7zfZ#~c(j)W6`eT!8fjw&L}gH)+B~}?=mp@) zz-qkB9vrWZjD*_N8%#DdiNlIk=eL~lde4qGcvj|@c5%OD?AI?tWvKiPnnqXm>uHY9 zj?BybDr?0~N2aGCwb0dVK(e-e3j813)=Tj}N#UYCqr&2=IzMonS6UTrvViwod zqbG8Q3)8@l-jL!oC7>Z7bkHIo5Q1WU{P9OzNDK<6r-jq-FVgR30SE|X8psG&eh`3v z`v(-FC-Qj{Cw>mczYx0~PL3212A(75)VPU=M1=fHbG^7lokbJ`1Xf-I1nl1zL6nY4 z)Qq6GSimWQ97!`iF)D)01TL9W=aNe y!TxWFMW!y?6(CbI5&{DGAIz7N66-@K6R9JyE~Iitk|XUWB`QZUp(#FwQ~p2j8qInD delta 30154 zcmY&G8Sxg( ztfcR$xIjq4xLx1dH^HU@*G^;gN!-XoVa?}ic8s%AGnw(c5#<*_jRPagx-Mi4^daOt z?`~n?Y$2At{N5geU;FU=-PN)$l@^sdWgDa4a9rlKs!B;Bx!GrJ66QF`vJ#m3BhgOQ zni2l$DnRP z*L*BGii@#jHBs9p*_v1V+Dxx-F!+geMMyB!$(HOi6Ir@Q7amb43%>_%O!v}@3LOvh znV;e6`lNzr3+1~V_9O8WoArPky#_d{8WGrO`7vBt@}O>Liv-y%*L4gU&$!cp3EW&<#O2*nu$NDp4 z@jMvZKEHH0)VfVzRG2lOCNO1xSS~&MWB5SZ@AAi|1H1z~E`v^59~Uw+g#)n-b9zQD z%@{@mg&g4O4`+Y8la4XJG60Yw*zO=XhAf|9&e6l=@ncCKDrOMBV!z0GWX~h)OJE)C zsLGIXI}Y}4DJ+$uyAv<-5VZbibzgn6A$4=@t|hi|ciRJl7ka-L%Dp;8fKO)DZv&4l zw5yTEIaVD%C8{1DS`2SZrL1i#-DWv^iZ(R^Pp&9|QBgJw+xkRZAgzV(Zu$3cAyOUI zi8?LBwZ|HKNwrI&zdG_~Gxy4UGILYbS4lnfUPiiGv5e3MT^m_DWbDx&SF0dK>b|?Pu1yDMsp_m*^}BJ7^FGQYZ6$T?uOmk2oq=|}AI58e+xP&3$Wxz~ zHE#%)OY_LwBc>>T7iM^ReVt6v;OHYN0^K5LSA{R|uHrrJ*vd`N zU5+^Ig?@(+oPjfK(btuPC&`or8$-0aGUgk+H1W;-e?rYFT0p*+zBe3YN*7-ZCfBFZ zv`T#CtF4{&!UoIN-a;`OtBhL?htqMdK56ok?F?Jp4L{zmV}MJ4N@Pn-jF5K;tZTsP zijJcX@(ckVEfZmFxLbQ6W`Exar3*8v$ipq{xHO1RDfj)|GW~emqo-T4F0DIG8eOMj z@^_Y_h#!pzTfE;=KFlDxAq2kvkpG(;-od`>#<4_~+Kzy9(ybrNtEZavfdGy7$7t+(a(mF>yx+2E_5$Nl__AXL`e$F(we zSq&U{mh?`P>`O+_Ize6*-F1NWom1S>Z;=;Q$Oy>6#8cjaTQfdB&h1MPkk!ur=N|OCM`bh5Pv+59@OIA&csFiaxyenEeMxC{P{_m3&6mYL-nhQ) z2fDCvC>G#&o1Nx#wS*(p7csWHE01oNn@rI&oyl^aEbsChRWy8+b2WP=m_agj3Q_3f zdbMY<=1eNf3NAjJVCTOS^)gLNa31sY5q5$J7AMO*yYqh2&UahAQLugjdk8a5KK6J3 zetbF#&<^8YmN|%}Ky1MTA?bs>X>vdFtF2OZM@1=|1|OLT@jJrBbN11J#bQnhi_)Ju 
z+ovt2YfvMFLX@f15yffG7X1LncfE9^{V9mtIAB z5ui8X-d(Jo5JkL}q7BSf!c`G;=)|x37ogL_E!4X=u|q~VpLUm<$4RlGBJlK2jkEVV zB?}kFFgag5f02*K9Su4*%X%>Vm=zjj!lTmH)>FoJoy)*EJU~g(iHZarKkx=NI|>QI z@8o#S0||vs7*~sA;W?O|>D==%+`3ec#SVPCVY1oqU;Y-!p@PPI3O%{%1qy8UYcleW zrux6f>HU7qJ=VR)&`!TrlDVdkCEo!`d#+`y<3#IaDZn%@SRUI&3|8E#>+Ct5H~D`V z%d&6vMxlQMHs@ueH_cayQi^G_rK7vVenA=BmrVI^MRF_J0^liaxdg0$!u?sDwBZk z57>_%S|J{fANb+c0K8n(5h*SVWHM)wyJM@=XF(i*-$PnIdC=U-0B<4^UI`5f^J?G= zqU2CXiY;hQF$&lpU{9b|8hT(yodL6W{KVYk6!FV;$a~>rAk~~lMdCE^VOS>D_N|3h zt)+Z-6P4jqJe$pMcop+k$RXWjhF{?~9~zZVVHdDPJ-&kj5J$%6$xs-+{J%e@!4}7c z$bsTvDxnUKbfFGUuax4=^5+nnPv=@%2%7me;h8?oCz86pi*rHn3O&^ED$MT9{UQ4( zrw2BAY70TvXS?uhbe+=;fAU~qe8Y!K{=2u{Z~WMWss@HKlMES2)Eqf#Pd5nJs71*d8wMog~CDs;RdF~t9?Rnu6N-DHSalf zD1-eUYEM;;uaG9zkp(j8VFK=el{&MxRF|2DsL1cS?M=EjOdR%2-so#1tp2k2)-N^L zqSr}2!WlqK&sv{Fb+*N?(pl#mCzCMWwK&y9i4FWu;4c2`m8i3{R)Rk5+75!g5wX3Q z&Y~2NyS>TnXXHg#40rKpIz+07&QTI~AHQz}H4zJ!)%jbt6$_0XtoZ()0sHMfI<*?YoINpiyD?9>7Xr?i6a9!`UG*T-3cZWm@%(~x?d z{MFe#P%2b<6P)2k@`1ZZooMxAr@+F&mi$@K^~W)QU`I^~N@BE6f)>~Nn`A0jQFs0G zlQa?2eEv7*ctWKbCtnXkkRe z8;J0G`y`d$+bn+;be=WKdT5$!#fU`Nx8(-n=G{q8X68~QW1o0U_G~0LzUc6dEQIp@ z=W!P4XQwsTVbFQDD<*O4h7}rO?Amk`*lc|OX_lcTk4z`nz!YAWmsxwH#UZ-;F*E55!UO~uw z)C$OZ)g7+DpLd@N47`AU*0lJ;ef>xCPv7rm%^gpLpWWJk)N5O`OijTzVNxY8LWr`J z&O$cdeIYY$Jl6`+^Ay{DW$nB!rnVkp7H^nfWjE|f(oL=vs-0SWAy2cPgr@xAkGz~G zXpSM@mre0htd}7sPnB3AH~6o(4B+`iq8Qm|+~>c@;P_iL$8S};U)DG-(;`pZ6k(mq z|C1Itm)}wmwY^KbrhUTxEp6Y(&kr|Fm-&CVx05X_MN7g8mA7A;G@`4r!kpxd(& zwRN@UT?}z3`?L1N9}S&~xBQ%crpOJ9IznA6Mb%TlPRaI=md&4-vS*9s|1Dr@>5_1% zc|!-SS>(uex$KEeh55?7;#ahbZI#dyw55R${x!36Z!-?9xmP)EFL1&Hpu@!@ff>++ zj3vShV(RCA@u6Iu#5{4MXyH;)X~M_TH^Ln^ghZh>Kt9ZxOqSXei1(|q@fqy3w+H3P z%(q`xw=#hXwWfE&E$SbomZ^VF0wQ!qA!yU$MahUpa<@MaK36zj)l!f zm-(DzRFkT1fs7Xlr>5EnL9qi3l(?<}9l1X%yC4O_-Ba{_BEzccfl9^DB7n+}1StFQdX~uVfM z?sL$!U!P84x)>_BNMjF2QJwwv5I=w1o&`v7Z<4&2tgl}7RDhL4cELd^Iz3pk92wfw z7_ah&jMfYP>D%h-(WrYB(E8M9Nz5j$NkPT5XxtUmV+yiml#81JP}Jj;&|b&0)uJk1eRMRM5| 
zbbi~Azc`^)2tDpv)pS65x;+8y=;?M|++m6Odh{1<%$|cbZ^w)TvMjqvC%B3~F?{K8 zw`spx3wV*O{{55DtS83(JJs> z|GD%u=sYXVQl39b;QsD1swjazxw8;VVM(ACh&v%W&9EK6K%su4X-}&5!>R%TlM&*) zEYv@;e~Zd!+~B9UAQ~|qdLng4+mn)9zDd7#3n+N@Vt(E8u#qPahq&FFw*|tiCgW7$ zKEyH9I^cshsLcT@ISkY81??S>5gR2^g}tXZ+Nsi-^4>m-u1<9c->dhUKh@KTj+3HB zwvO+#kshPiE&hK*!hNDLBe0y83bEVFj+)MB-8fu!jUHo)@7jxlshG%|lo}houLiDc zb-wj9dUq>(sY3eC{V7iWobBsfv$v6*K( zj1|9I88KBIVi+{9k6^B-@sLn6K^m!`{`3P1Pu++5x@MW+l z}Km@VlDVYoFQsc z*vlZ+Gs*=DizVcFCQNm!5C5<^JixPvxqJbtqZYiu+Wv_3iOSg^7W8Rge3MxS5OB>L+F zLd;txAF2iR1h#GiRHV?FafVbO;QFnI)M}{iz-9R$YWoWuFo5?ajDK7jMq6Pbam%Y$ zc)En~92ff6ZOlZlA+IMd_4>)u25E7faCjTo!iLO9rBkbq--y?d)BcYcyQCTFava}8 zd0gN>Vayj51P1b3K642@J!7q)^cTjwy)BL7atA%!3Q^cM|9Ne>apNFrlXv`6Hh45m zkgzujT*b#Q&_uQMMy88-@*4`NbCU`}7vq{F@2uL;w?Yhr|E8_P&J1ihj%wN-JZlpJ zHZcpIE;+^r?4Eo^`E`;20jHa7@(d-5pM!p#AiEIL7n2-El}Y*>3!*wX%=ER;eAaO- zuORfR#?=4p0@|ldZ9sReu2Cs`0#oTnejzQCo}=gOOSUq=Sh&$7jq_p}8I z)-BXM$5)`AUXNULY|yZuK%^AywxQ42o3%-TpTFmH`u)>pTr@LU z+0x~!@^i2|G3U;F)zxpt?8O!9`^=d zHSx~g><7>%-==3w{C?*LjNX6fO65(y{b?Ua_qbz!pElvPQ~x98gPo)-$#rW({xht^ z6vsD|iPuw`E0*(%P4ZAE7todSmVI!9--T&9Ugxuo)N|^8Xjs){cwXQ*W$oc%`hZCXP6tgp7;=KFaNnTkfd0>MDCM)+qXV6q)MDk%%@JbKbi&dZv$l+K#ml zDR@o6C40Ta^>bPdnv@s)Ch=LKnrwz>c~bNgFY;{rP0_x`an^zfY4ZW62yRp&doR0PlLjYbbnYva%P^Ddr<)Gf=c98GF!2X)GC5N6 zyKWV!?hS}6M@+AuV(Zd9h@jj3_a#Tl0{-|)7_$5``7)YuwEJxL@K_1|h3S$G zg2D#dEil1PT&@GIo3_rbo;h&R%i_=yRO1$g($d*C^Y#bl6Hu?!oSf@eQ`9dj0%|SD zBcq)A`0z!tp;$hPr2ZJDI@4eNVYTU7Lh`t0C;XmGo}1#U|Jeyvl;kuG7i=Fm8USoy z{huz+3$A=}=GQgWuL~Jk7)Qh6Q)PmpbF%4D>rJNHDs2q~!`Is9JQ4gA%md-Ab}0;-_2 z^_gP-5dX46e_?AvTnb|Lbj*23vTD+yk_SuifFqwn*NEt<|F`vtwaIk{4_nqX9_Xj? 
zopMMury}D*C2~8>1_~J5DC?@HSn0TG(_dhNTW2%Q#-TtDtt&M~1F^PzOjWBvda|{0 z!y)a0TX(EctslT?(7>H_Psy(HSwTuc48L+@UuuE$W;*R0rfT=fnkGxLDqp=ol*{%+ zAON>m8gngWWBxh1#=)dsz%#91j4=bh=Q@_djybjzZ7WrkSd1&nG^tRyapff%qMRh_ z5KMj2`#ujg!k$;NUXOoZKgqijZxW6n7Dx54-eFr6MY{%0Xi;om9EBzm1^1{m$7`6f z)v$_h;uZ*r8p3rURnS{?f^nOa52>X?W&&GO6MP->mV9xwjBhEKR`ge@iABcO^OX&m*Txp$cpBtAU%E)v7 z_2$qLYaT>@jY2$)P z#}(tsdAQ5Wxs8WD*ob&U|Gm@@O6U>lIhXe#Q49%!NTn};xJpTZdGF2bnrF?y{e>I7qbVti3-wQYUlhegc zg{kF77^ zW15|Q$jlsD?X34=C(XWZB)mxmwJEa%LKNLx>WTB0#ejJye0&CuDo2~&_O+2#M5L_wesInZO z!NX6Nkl)ejk~GVT|dX5269Ubj%Y zD+CHO7a*_ZKfz3jl4?Ml`=<}z2{@DOPpRp%%OIpY#jork*to0siHLfYWFt&#FVgLkmeP#eWUwem(XkN z!PhrKTk@B{+##yR8&MI{)&1{Ku!Pk6N@vlR9>t{>%?>M z)$?yj9f)JED+=?GgI;J|7|M&j?ZfC-s~P!XBo^>Aae^=SPnw@x z^}u#WBs6+^?r*Cj^)wcnHaH?bLu)W+mTH+&_@qQkh$FU>(@I7a01yV78(xlW za>Z%6Q(+_FTjOnZf0`kI4%$)Co|>};jdekv>csb$jX6jt1Tk?~J~=sw(t3r(AmHUr zU{2}KMec*~JG)Jp#h!H?FG zgbd;t#(pg8dz)haiEt2v)QBLZW3M1uU^4w>}Ci@Cny#l*meT{mKRXE*Xv z(&UDb$^Zs-1|YXG{9Q=qWImLdc1-Ki!hk_iqFYd@52DA$E@f7QdtK zWS}j7x(O;PO{l1QHcpq4Ydv~hv5HdTJvp+gT>*#8&NE+DJX^vrc|B9X4H-Xr=0SX^ zZ&0xw>4aRp`g`{F_iNzYx8v=!?*=UExKUcrol0ARjIV8nx}B+yqo`pXa^)P7LYt`~ z$v`!KnOo_`WZO~^#)|XU`lovbr89Lt(%5oz3F`q^xm5^{L3`I+m4`K53{aR_4D&S` z-DmnH8J!^|RyWh>-8Uw#%|crlDb9gY?PC^0)7-pD=5=`Zp9Yd(UW8afoXENAM`LGnZ_&shxe*#GdQRY>Aj*Lk>qWl(1BCqPd z%P6)KitD7ij5UtoZSciqvTinxfo{aX$Ewo&Qm~i!6mIwdAJ2yyvOQUDYVfXsmm46* ziqwKM^CY=$Tn8YJ=p$s`K{eC7eLcM1368o+ItQA)CSzRofI$Ogqk~0A_04yq>1lRP zo5t?yoa-)%hPT*+M3&_28dgHrztkK5ug#yWQg6JF=YH20IP}C0$KOVcw`+J`SKvD#EPJ;i~a((#v9%72*3>x2M5a3UL9hsdx)H$jWlsj1m zz8&l0?FK|z*=VYQbT=BvE=@3Z;dOt2Q_B)px4PSJj-n+MHa?e)i>pW4a8q~>Fx7qw z$vvH3I8!~f@d@cVd?bCkw*CGld?D!8p^{qk^oMCk=jVBJNjjjaoT^6ExI-l6`%@rq zX~D+7DPX24o5@}Y_dgTr$m(w6y|}GWZR(aWb0es*H!iF3K!+IU>P__53zv8zy0J~9 zs|p2yY1TdFp|5v#r*4GGYC`^{4n5GKr^8=CA&gZGa`Y!Av3RlI=M&xCJa|{06{`hK zc7n&33jmI^#aJ|9V|o~Wlh;6gaf5Zl2lJF1;a#>kKnOM|K~N2rGOno$EV}|}CZImC zxgU!w&Bgl(h#}bVcXD*X38Rp$*Zh&&xOD@s_0yn1phD1&?L(KhTCT>O^gAK;}=8%>DsbV3Od2XQN@Y={dtdacLDDZ{qe~tBn=Yk_&jDx#kp! 
zfW+IfQQJd2Jp`ZY2Ia`8c0QWH9Zg0>rk4hdZt88!WlIx^jz&rys3je=_uuFla=u<; zXf0pS z*kO{&T!z|=XVpQc2S3;kW+x1piPg380FiBuP^m#RI@JGFLCORmc{*r@Ry~J1=V}zl zml$+lH}Orfa$wgKH%uO7Nb04iWehZlR9D0@EUL+K$6$c#O1#e0i^;6xE<2UfE(W8* zQu!hzATCEx|0zn{!rbdKeh!9QYhA(?o4rLWbS0OizZkl7sD+@6jPjJJ83RHtgUzI` zK83}lL+R}Cr%P5+c|7~Q9Xq%%wil;_?J3Sr*wYt&I#ejt;%cQ5DS!a5U zwxy}bIkASxNGkWYaYU z9fP;sw~6mLi0{NVSZP@nD6?X+y?+&Y4-euOqqs59@Sc#tfdw@^92O#sLRyF?r ztdP4P&kxNAZs0igd9uQd@EHcovbJYY)UZ87a8A80H&-7z&3^&KIkD`tx%>BOm9S=)hvP-i+ z*pt)#Yf)nejVKx?JE&euFNolq(-CM+of+-Iv>0%9he(Ky-a^8 zPjSne>}4q%Uxv8>Cc95FR%Z@YtYB^9 z;z0}bz=X_gagi(qRxvfhs5Gw|tGDa%lp(x9q-E$7wrOJdB~>juZWAQdQ~lf*Sz3)U z?Ip0^l%iH~6{=d62B}^ne5Wdw3v`uM;A@jE@?*NvKidPd~WfauQLyXy#z?1PkVMlY5XUJ-$!3dv0-Gag7 za43g2?(5%E|7-XD(KlfTskGK;?fzxmmB*hw$(5~wdd32J@Zq?Pu2%@bZ~uM{37|zy z=5-gAN2O*d{BgTuONmn4`K?o|3dh$%Ih zdd%otiibSbH4L(R58({IvRnH`45FFP>n8+!)QbOu=iaP*F*IGPox@$_37&!seFtBN zeZw1^a&*>lsb;NB;na25X)klFM89b_tyP`dyK@BTvOMGfrbTpZixKVo4*>!w?fb{1 z2&F1O^pc-bZpEWheKs+rLh7or*3p;Gy~2=C;+EY4gHjG&+*I3-79d#Xsf#-b;rp z0Tmy#db6xsyW5FNe9MR*5ifdj0#!QJb;(eM;}P~E+wc~sUh#eS?%#Z zV?55wKSI;bdpORW>D%^E?=tht+E88-M1?Vr`Ih{_%Z)QjGrgl6veBk)<_lW>d52PZ zgwOUxa3~r=m~?j!c*_-Pa#FHtwQ0pUa$erz#D1bnY&(xKF6R6jlm&nvflPUj6t;o6C)JBC>tsrpkiU$acEDYb|6@YBiGh~v6pH}evWsbqQD#s?fo z#D6hdOz0q@tG1GX7w-!D(Wi?sfGZ<6h5v1*Qu2a{iu$XLB;Po3gSS*+qU+l5wllk+ z?!)f@TfMX5!mH8bp{c~T24oef9J-3kk{^VN)HdEJJ6~mAk4g-96JaCJbN1(2|El8C=VGgR{&qI2k{V3`d0ka7U|iO` zhV~UlnHdF}v+NhKQL&MeEW+}F2I@RYgfR7^y8`p2iH3NhWS#75#E2j?*Idak>)E8y5*8hlT8qs zG@fX+Kw?$b{L69%(c!>u|AwAq(dfa*Ste%Jt~8OFJ=9?vEC+K*pny1XltUmuX}~g( zB3rBv^h)i zR&}YbW5^!mm=V>vDxzUHn;a6lVnt5=rPLE2u9JlbG5K#Wn=#*C&BdCg4NY@F>fp*#NTp#5vJ-#WAby2tEY?e4Cw`nC4ds+f@j zF_;g&KzXSi=~KJMBiY9Eu%y%}_i~D6FYn{ZMx!6Y~BXv zu-n~AJ4gx#K<&@VhC(fNh|U+y6*?s3`DBva`;1jBTKcwLYx?kwHbD&do?R^di-7Jg zv(FdT7Us+|BmE*s-s0lnxA7#(_->5)nx=hqJjD)@Ouctllr)o97)ybky3RR$Cb$LO z zexssw=7ZZ|UsFkksix@JvUBEF^M(8*+H=i*T*y1{R$&-LZJQN;pYM|x7o=sG%+vR( zrc&JuZ=iK84r^HD*(zMLlv3@FAoQ!VhH9+zT;*Aj{jak?Ozt!*-ynL^p5dYC!tv)* 
zNdbh67s@TJY^Zw%e40^rl=fjWfl3)FFnL`2G;|;(zB}ySl|+)DqBW2!5U8z2!71&` zM=C~VvZ+yG(`c)T>P!`mj!rk7Sa3wqz5j;KwCtId4w8G8pO_^Q6%AdPMXuP2sdk@J zj`6M7`q-6PxCXiIbP$?*Cp1}LjBeC->!ZIS=lM-P0IiZ4aOF(7(y;xBtgu9-AA^>7 zDc`1yPZNXh#x|B>F17LY(JYfS`fYrHHe0LphnS|hjmL-=NAKOCB+&S;P@I`6g7=~wqj(p zuP=a6WlDfq8Y%3##{q=XI!7AGrH=3$HU=q%?bka@+%A&bbB{-mCj7}*q!&8fL;8W8 zzf`GnS3^4y?o~Pnu&{gqUvU=5doJYD@o41~0bAQ;wQBX#x+)Jk~3lSca%#C!H4igR#89tE?>>|2z0J zLwhJs;to9bC_X9Kv}y`ehb9V^Zx}XMz~Z$MKyt6rQ-s>Tjg6v8STx<$;$rZqEcm@H z$pWRD@bz|H7mW|Qp-*-g>u$f|OBG_*u3v-%#D;-9Mlw!AND5ocTrwcr8jYYl%- z#nAWSkT+!Un>kr5N7u^oo?XB1hkA>+lLlZuk8JrDU2VT)_b(ULvaIpqS$`LQ8ZGXP zYsTfpg57IFIs8?5-c>EQo~O+Hnl06+NTGhGrowhr_E-SK^bg&NnZlz6m0jITCPqpKm6-gmh;qhF2+R>t zZ~)fsi!jXxt3OTz&Z8;h4oP@$Aw-fBbyzhM2i0xo@+CG9#TR4>iE*F3Y3w9+PbO!y zUugcu5T|9p?XpdxfGOU7sOMQYhkkVZAxR@%hRr_T!^`qz6Ic5Q^M<|1oH1z*IU-*= zHQ%~ptk|~g>FU-A5|_6^@ZDFW0*@56Z3jD}pvprg*U$@tSl_6u9(|P|t2uV&0KTs? z7JqfYoes!Ohu7YJgX0KUIdwKK_Up_3s=MbgWk`LqCI?-}<0kso8w{*Y;`VvM!AQv_ zTHyGnOCJ~uhkH+mqb6@+@6xGcgGN=fh--Ed2qgwe=ATj@avb%>Ud7LHN|YrgM`O&d zDDC4Ond73ggo(WkCT#lC4@5U&YLTyzPxH@=CX5%%vC68iFL#jrby^ors|N|sokk3)IUC?H-`e>X0r zg&T(&tzjnK`u<%=Py-(nMlzr-uZAjg-|J~?9?@0>uI`_Ef0G{c;O?U;_eB+~E?8U38u&qY-44AajkhK1nM(6%Zn9E7+i>+IKvnF- zN$)$Yhpgc8muNIrJbD)rnl6EFG{N!aRFjte*te`$)BW{B)R7l%{WOdN|8*Xq`?LdO z0me)<<@`a=w^?L5_TO3TYcvXv>=;fB0E}i4fptbh+S=vm04kxgbol+@15zZn@)&IL!6Rh-`q`qMa@x=FYv@ctN&1 zVMp5#IS2(d@p`wCjapQzFWWJ-g_o`S4b4-j6YoJxTWSWsv)pX%TrB#Y^`5yYq%+~U zsYpryahluqS8{(%+oDSehDX+8LF_O|*`gO?u5#MRG_vkLD5M7J4$wKTw{jxQ^=fy@ z3O8H#1ev;*ElUAo)(R%;o33!26n0+@3`kSr(A&CHuSDjA4{!(pOL0~mOy4|P?bvu> zdCKS9RN&UbG|*^CA?GxyS7YLgB!H}GjfA=EuSQYqh9bK9qvn--UBcR+AA1Y>N$RJk zh-;Gc`g#AXsY#&!7kF3YB}BOPoq*9xB9GQd07@&JP7re$yb*DvvYvs`Mfl1XA+hP9 zGb*}0%g48f@}h7?o$uxBSZ*MSGkIjSU;Utp2x=g1?seKvS;I9Q`(vvZ8#%TDn<`J; z*jtJgF%$M8Z{{K=+WzTVdd9E3tJOdGE|Mjml5p9s;;9Hy-3HeaTv*)F&6US1mAFbV zKsCp`P5`s=eb97qr3Lhy(ll~hhJ}b!LYbXrP!* zE3JK0)|Z-nZvy_3#4u#0dsP|vek0^f=_qRsfk?CKQud3vo~Xg4+E(GWwkE~DNKBk@ 
z)fg~M$B^2{{y2Oe@r<*3#$H)pdOtEd?H@2<<~o5HpNrv2Yf^zAYT}LneGNnaIgxbN zlQ{^E-SoKz*}+A=f8dtx?9L+obGJpZ>fYmmd8W$d4iy3#%vLlV)u)l}DFtFT>U0=s z_j+(B=W5!CglleT%;<2<6-@2U(U${A&D3-D$~V=VYJhqWbz$!1yJsm|@l`U2JJ%Vv5$~eStfX<^L~oq>3q0zr z3T47gZ2&ORqk_;Ep0WUPFDil)FD(0Bi~Jd zMFQvZfNz(tmtA6%EO>7LmaSz%5M@=&Q~CX}d^N)VVe2XgR0Av~QVNYc$g2?L_V2aM z-Lu|*3q&`0mv0@oDNR>ozXDRh`MdLq`I24Cs+QwOyC6>Ct%*a08n7Z~qR>!nhim%e zGY?K^+S?^zfvf8=eig${8PC=l^QrUE@r~9A3A}?-D^qtHKDcNew3M}s<6KX!`iPS>{oU*Dz4tHo;6%i9B9Z zrySz~v&025)MLn1DUiR&N9BxH##**x&IAD?{cw@RgvIVd*zX;`G{JzXmhP0m!(dFZ1-5!g>SEs3TKncCYM6B zj$=b!lSP@%e>$e~(x?RD&Qv2qJozCw%_x$N=VGB>WBduHevM{zafvPSwj6UPqBqpY(%O1EA$ z8K`x0^U=AcI>nDE zWOjv{O6aQlfTGYPoS(L0R@M7E3X~^WKxG!{n@~U^N7S|HY~c&FEAfJt3HOvrc$h{Z z=$PB5aubkl{uU}VFQmq}&d1aE^UG!O@jq1FP9hLjB(W_&>{1VE#jvvImXzqrHz%wU zy7r!z=Q(A`k8Mm&x4vYULpF4-SC#Ib2y(CGSSGecTfi2tCnlN4M%$?*)`wzkeZ2$} zu3+KH)b_vVpY{|kLlbxu&SME`=sy3e%C}&RsUIBPlss|{*)z`Wd!z5IS9IIqJ*(uc zdX81u`$~b~F0;&H;C9qmT9`olD0Ph5bdJ1%co`p~;i$^QotT7dfJ;DIhqhF3r}QlP z`0@7auKfzZVS`AeH3ncp^{R?F+QcJ)5^+wYpI#h#go78R!I&lx;05uWpP=m zX4LOaO_)p+q`lKU+UCs`Vms&11IoKh^vboAUG ztGITNqSc>albH!0R*`bFlRolAH0XvdI{Xl`&{!YvpRPisR)1^4Y#q z*`^Z=^RELdnAf7VV1bWTpE5CR2vj3S37#hvl$5e5w<}D>JE|CR>Ya__)LIjtjrnQT zxEM|dd={+GIw(UiU_gF#UXuFuy{<3H{@>{P00yzx(yt$b1-07*a_{>i!#z1X*#(j@yg#GEbCK;=ZNfrQ`Y5f!lVvF213mb)F?oGSAq-N zUktoJFWZkY=tY{2o@yI;=W4%F{q9~Vtugw?t#1Rsqv>TFL>Ime@q(AqItPw7ta|x( zJW@%@O3%KG#w>MocZr->y=d#wxs1=6u`nIo>WGHZtKmM$Y4&D-0Y}t5Sj=kcB-rzn zho$obaSV}T1|a3P+y5Y!N$>JP`s813b#9UU{v^qnDv}S+cP@!&0===aPrm*F6N^U= zb_j7NtrjTmHPmJyZrZ6(-jcV7XOdo^y1kPYePw&-b159er7g||W4&s?3aTdkR54d7 zRO6a;a@h+~z^ZJ!gfh3YDP|YLyBBBEj;Q`hZBboOkfeV;tcfSrzK`cp1ElI( zaqwivq&2&n5*r==)GZ*N%WgQd=s+b^zC~V$60dTU#W8(8!K3O|(&C}Lv}57`e7tY+ zBccEG0iYUmo4b1@wz_=~vlZ>Ie%7_IKMr!~m=z^2}qJGkD)QThK$`|fxu-~WHvB9biab=t-eC;1hzc=|)ry zP`$SguedUXTMoPMR!+)QdRq^JMq20yZ4?ivU~Y!3+<5S%QnI4&<<pDY-x`l3X;u_-$XqL1tJvksxd1g-jQ^@f59!99|#HSTpF6a(wCUIs>BX zK~elvO!2xd#NoZp92s$kyRE6&l(+;}+=cSYZ&^XjmK=7T;}4D9fYEo3oj1k$$#%PJ 
z&rNv9nciklpvlPH<<3%&P~08DLw!tzpI;$xuQszwkt(f;b zm{*NT=kxb}YxedMX955#6PDfV>ug5MxKB*mtA!e($-853Me^7to5=#@*jlsrBUKMZ z9DMGuwT`o$4Yf#=hv!BkMeA;r3Cli#viuLzx|d7~sTUGf6<&dR6s8KrF_T$IrhFoe z9q4r1+}?`GY>jr(MUyYl^XeiwwO)5EWx(en1?lR6`*hE+UI+Hzo1Hal{GDwO9Q9%I zOY!a4E2@Ial`7`7+7b*x@Czo?`b-R)<7&(`a^9MDQH&%oNr~%5G&>tBI&V_GYgc~3 zE4%AZbxtDu0;@@z^yAw~>=y?j?&v#s%a2Umr);bc*!iMpJeFi*Pa(y*Z4ziUKSL!P z6xiy%46NCd*3IS9@%9-QLII++Nle_lf{Uxtm$IIXN~8v`6`P0ecHN8$CyN2Z-=NAn z{WfrL9`Dbv6z{ijUNMeI)44np{kcLNi$OIMQ*o)#sfx^rYj}CHq;s!>U63`W^g=4X ziJ|)J{H5?~CHE`Uyw5{K$jBTjIhS^Hn}CVJcL0Q~XeWSSr+ipYG0b^#SEz%0K z$RmH(SK^cD@RRvENnUiFuzn6@MaI&(UaTAW(d0c?LU~gGAL*k=LYS3h>%VU3w6Z<8 z5(3-d$O9yEO(U6dyPMZCAG&P6O)_vwI>$FX(f9gk zuz;K|M00AQsqXru+{gtqnI}ZG7tor7%+>G>^2j^gDmmI-nbcdas7nn37?m1XP7&FYELS>nI1i?CEV@Ehlbaz_BXJOw@k zo=OD@m2M3+XpN8XJqaW#6U&x{@h16%fOw``B+LmzGaH4J5-UAYBYNkf`A0ws7R4Nsn18?O4(w0RIXJ#T43+2!4 z-+T_Oz1hgbxnxXFH^r=_l&v7Jk ziK%)T%#{Y9g4a7{D(n*ng|nYrWxjdOdFS&bf*(e0@%azf#CRmOMkjg)%tm5IpJ>HI z+M$d#;ecp%Hof9W1lW^>sjZFiV?KV?f!|XHb8im|>dCALCqh(sOJn!+aH72uWnpcW z!UB0-5?iskoW3_){{44MX72}?cgYZu_?Hy0JX(jgVoH9=U1WLue#MEU3*y3Th4W zP;ID3c>&S*jPA4aCVXi{XRjrU!bcnwz*UO49_Gzqoxm5F-xkGdAHI(6`$E?T%@D)R zg2XVsu<%oONyhTY`07m?dOhxkV(B^@^v#{hm0?qF&#ETAj-Xx5f}M{kGT-#pY(BFS z-+TrD>9MDziT_ZX1@<=5bJMt_r75K-H^l)X-mHPjAV8daTzOA&VwLoj7vJ(wW*l#$ z+w`o8t!!Z{dhSIJa5=Zt?M`Bxk!8GOlhYUtBXaqwaDl4nIWL7VhE0q0#e-4sNBVeY z3eBtcN#`(Sz3m+sCkwYDmUhoii(CfuRI_!oh9I4fR{1zc4E2cb@Zqzfe$PjvTY5ZX zAf^tnC(n#+9I?Mha;zKo;bU^ z@vJyc10(im?!O08vpQVtK9?*(s=d+Sx2KplN7scKK7*Q$Iq{WKII~gSxo!vqOXW`C zI4snwj!J^p#~q&IA~yFL*A`Gl0Dn95G>I}7vRgNcR9t&o6PTn$RVv9|`N=5tt3K9B z32^SBe%&)f{r*d)>o8vam6jYJw0VJ{oh!rnZqZZ0bbj2+D~5E2tb|TCGz&wUrb1}0 z+TO9cSfn>uV7Dl#>-yxCCU9MUib1g`vKgX&vnt(ZMRT5PH{Yh?wZ=Wvc4El*i@oG^ z<gw-E+OJTZ=jBL~LEy@+v;SaJS!G5@|A7xJp9nYD4H8vtHlD@$ha$HCx zZ`?8u1Jo~{GV;QU$3Ilp!g!j(b6;GC3XIR|Mv7(%{cX7j zEM<6N6+UJe1Z;Uu&s~nsn3(9IWeNUWxtAgo;wR30Otp{E5G6W`tt1h@R zF?lIWFczM@kn|YqssJ5b_|1Qx=JA)d)c0YK6jgFqouWPNve%1d1A39GT5qN$#W7jt 
z;NOqbC;13$FfIBr#7~gK@LTuIv)>0|M=g0M8ZY?|HQdk>JFI82OnMdj>|tvl_S;b$ zJlm{lMedFpTvcx$&}d#C?nx|)Lr*Ufqf=z9hJK>LfON->i_yUpIYfIVqOUA#{cy4| z4=2wn{SqVkRjOUkGeJlrfX{Mj)~)$;ln?%nDh>N# zF~&&BI@z?qzaf>^)0fzE__aXK&>g*n7>xGa?7@fbWF~^dzd4v#<16-;j9G8;G@`As zH{ql0s;r&`G13po%&oolYiYS`DGB}i0Zikcw1hY`c-ThxPF)RssVu z914CYaNpLH=y{pA zMTYpSE--LscP_^J6L+9 z!lDSY(}}*U6tk1brfw@}yj=d4kd-XGyqwo6WIQgPP4vx!H&{!|+~v{1NekFUIc7u3 zV?d0*7HoZNy*uK)suDW1E=`K(V^X}1&H<%lcO;a?Zz-Ykmx0TZr@o+OaQSUn^n%#L zHubw9WQ{fGa>mkDvN+2(zM>i1BPcZLm#xjzo_lRx?Hc`0jBAecx)ddCt|9KDW$vH# z-wQD376eZRd{Fef$IAC)@e>6E=-mEJo7X@sUyOJU#?cdZvYAbUjDLKA1(w)=G zxUy2lJUo|!b5|h{BPKgDU4}%-OeOJpdo-J=+(SISc8Jt8zL#EEp%LM|9v~UVMl9q5 zGpV@$1t!0j@LwoNFJa8Uf+A$|+jV%sW%E;jvZL|z$g^=EtO%)17Y?PGf>L*UL8+GC zSm@O1BAUHMVoM8!Tc7D{%YLVOW!gt+kgbu~&hpVn?jg#nM;VgrCbKEe6@1*(On9__ zk;~G0pD0>0e~(*d#TpfhXK*dAz5-k$7fQxk{q6TzQ><0W2E zWLht{kui|H9=z!7D+&Dl=qbUy<-*K!nR z;F}P|H;?XycCpN=VhFOIH=gA>Ta=;q9Ef{nH~YcDs! zn}i_nv5Gi-`_xi;TVSq4K@3K+Ds zcKjlq<`lh9R}`G9dJ*QDjF$R+IJUJp(a1l&Vlz(QlLAI8nvh=Q%g1An3}j7nx*5g3 zJmNEW=ZRCaiJuZ1KWfIXy^xv-@&uPl zYs3$iD^}Jh?M^E9_e`AcK>Xt-<+ub49oU?6Uxc-8bEQL`txVXRr_6CCwA?O$V(MrW zVS@klN}3NfvVDc3I?^h{GD(Cl#G(utGja&8dNCM?$*`jnUEze~4)H24VZY05-h3z< z^e#Og_ke(dgg2a&G*sf~Jy73M*4&67>Th(O=V_pH`Wk3t(ya*^|G@x3WFv& z2D!Itmo<9aGffclIqa`wAAvD!*`zcZ>!*}2dMVsf&%8Iv8GLTtdM>Td)Z~}tc$pW? zg*Ev^R6-x!L??sNjBU(ic`dVusAoQO6oV^H23tO>=Po)eC;n(=evG@cOh1hM-RN5? 
z7p4YU#wL$Ab*S`o=FVqDwI|aLHn1O}K2dryMfeUoTgo!&3w38&ZoblMK$$cUpYiL1 zd4BperBse~7j$N{T14(iPhY{12eTyjX=OD@@KYftDG^A5pDadO<=5>3xzPmQ8I~vXNFvDBUygR ztyG)7V*9wOB)i`D_j2N|zn}_S%T;R9PhhXiAZmoHQ9@^6Bi*&Tg~V2ELxUXSRjDnU z?(Q4Ab2UCR>B}%tuZfm-JN+!;H_Y%XZMmI zRe@h(Ih1fl+d~$CX5wVt|r$)_T z3H^1B=|MmJyuX|eB<04G-3&01<}h}-?58nPTX6ch3RA_c4LTwMnCHS%dT~gAP)E~5 zF!6XNUdLL+x_)Ymz`z4W{k8B{HE>L)`hIC>(8nd}NGf|j)VqT{`Ra-`UpPlYYtW7a z!30)J*wgSzNsA0+Ld-`V@Tz-jAq~5rvWPCb79*D&GCKY)?~zU^@JxhbvI`QXVSG1W zz5ANak0!Qy>vtODmKEX8ZV6RfPkFPX_~eGFSR&^}IZN4qaS{brn+LaUc=SxXT>XGj zDrQ!3_P2z+oAs(iko;>RoFU11Hl9y%9@lb3OB&>|U#K@qzTJ`0&UQ^MX>Nhar28_0 zTvLOE#yurH5If*wHHnCzad($~pK?|NHOIA%_x?a6jLZ)R7pZx32F1V5nO}ZEmh^{G z5ki%Dh;o^}_5$T?aEaW`xWXF1SoD^a+28}ib|bVH<zaIFD{VZy!kpHI^O zy|&K*y;e@SQ)aK|Wv2Z+D)VV5_Zo?B4RDYh7m0daswiK?gfC*{Dt_0=@qjFq%7aguETMBrj;Fs9Jqc9m%!Jo{` zBCp-WGnNE2=5665p(H=_SLJjPTnqJ1VYA?l*5Ru)3~EPB*7GjR2}or>pJTk5UA;j* zsC!U?v*JFzl4rZZ<>=o|oJ=8Q6F^GN&YEJz#3tlns7S9NqTPsc`;1f~X;EKh%(H5V z&=!P5;80|INvBA_;w-A2obOaBJ0IcBrDPXGn(=Fwyw$^%yI2V|^lQgU7M8*dSTs&C z!4p+7Ol&MY)?dIqZ(iUg5Z&bThXDmlzMxcoIc(6~XhyH;OUVar$$d8)s+S7cDFMjk zxTCfC8VsMe=S%c4-k#3oc-ZUZDE?036Js5r8zO^16MQQJ$4dSTf}HQI3dQH(u;w>r zawtW{5>(mV2bJ>)kv(otAM?ltY4TMm-hfGRb}rQ?GW}jc0){`oUj~UY6MbHK0|6z_ z?KPO>B5;0}=ApzPTnIA%Q7@*al0&a$5JEGnMCQ%^U@ss_)j^7by;gV$$l0m_A zi~>PXH~652FWae-F{GN$8ujCV-KyO(z4wK5P~m9_Naonjl5*!+)uAVyHWuCwS8o5A zkO-l?NWR4PRUkd%`O^Wj|Ex{u`-H!vhzQ^R#t{#^B~7VFpC6+Ix>HO9+EEAz$&IrF z^}rE`UKqFaj}j6BKsBfMV#0*wBMCRK^Zxl0VtGqa{Z*jbp}=`G1XCBf*w;r#zGK~% z56~xX;Z}WGnEkpq&e8)dNiooN!3&M*{K4vLoNj&w9}7$9GJ?+lg3t?I$>boRQ%sns zpdJViMeO`_goOOgoHoyli3)Pe6C46>zhX2!WFGsSZ%06YbG-4hz`fO z52u0t5RLnTV}$rY(nx4D0Q84&Tsm`5CE;iUTUv^uBB62V3<8bc*vDu%dU^gNL_!1X zK0pIhbc6 zU!cJOM+5jHIS}50$?*poR{stS|9^+ZpTPqTlH(YTV>Imir5*o*2EpH=A^I=TfCuR> zXaIl00Y?L_7-wJjynn;L|4H6I)A>(vz(JAx&-VSV z^8QzGz`%~F&Hp25= ze%S{x-ni1Fzu)A{AkD?vdi|JgcPxaN@FSsc? 
zsv3@V3xVzIQe5@is7RxpdvN2UA46Y1O^Qwa^9IUsjv;Js-y;uRr#-a&iLUL%h2Y>ir%l+$hr39$3?xwdVUK|S^(Um=G0FMpwj##6hbnc zaFaZ^`p9&BUD;28)l81)`2P@gsSzSkRG;JZ2C-K|eGi8H7dF*V*v-(zYv?UOs{q8J zi3mIWFC0p)(_udzhBWHX_#@jBM*hZj^b_0RVSoMruKs9?gNQnIxdZ@)9W>=+x3O?2vXRk54=7V_9F-X!E)dqOxM@l9F!Un2OU1%#yRkJ@L__x z3nNOjq@z7DX!*zBzcGrWgC7%|i`WZrg8;fAVFQ30Y1EB&515$L2IBIBaez6!CC%SN z0Y3G#gNuK|m;)n@Hg12X53cSs7Xa13b~E(pmrXd?kKwCy4qcwsMI5c4Ed_vtO|$c^!YP#X^S*dRFk zm{iYuWqQdi(Ss0+Lj5!!s*+D)y$8MJ;nwt^G*lBh2HFCFXQW4t0{{Ol?SB^r{1@9! zOZyEa@~Jfq*xMgk%*YI+$F2RPMVrl9U0xWdCdP+xIpnskFu2=i)Emf$&S&6=}s2>sl{3!eCYL)`~5Q)F; zJzfgN=J6;|`STs54H2a9gZ^Dvl~m*3MtMS*yrJ6pvO$f!7_??qc=`v2w7M|GJ}uW@ zW9GllC~?0z>esVMA)*BjU&5mD?{<$t9a_(%a~}7aS=}F|HuAUGqGJHkvL6>Y%Coh) z`9F(d3)Nkgy(yy>yKR3%*tv=L?FIQKnX0bJY^{W+d+F_~3H^^c71&x+{Z382XIGu- zci36ZPC7*;$s-%l$nBJNIfcDd_!GUERqLY^&}axL4Vk}<4M2C|@YE!gr45}V+$9Jp zXS7Xq%d1m@W8m#0!G^781es3xV-9aWeufBDk}%dltjxDz{$v zI+=yvr0GZD5WG-5YuWg#*uYhP`Z#RxaICgqbn^BolUqtblg;lVOy-P6?)~wQE}rK< z&i!%PpTA6ncLGP=BKQ7-+J6-MpX4H$1pMjjaWBXzWxlD`F+`1ADvS-|Z(qF57wUKg z9!`SngA`;35a5l3?k+G0-e{)&uOIyS}Hw40qS}!tbyX zf9a9@1=~k?{ij}dnBjJuM0xB_bpPbkfmOgs(#OD0ocK$K9M6TakJV?!9t6DpP;c+kDy| z3)baH4|kQ-njx>qT(604IaB z^&r8JtfB(j$JNp1D^ePOZQulXZY08i?GwT^AQ2AUKCI{o#4W<7Yc?A)rEri0!pB3hf0>Z{g}0Bfj|Hp$>17k%K8f;Yq$q>!gCK*X$~9~aI%O1C(t$r~x(HG% z{;aLYz0?e2SLKfv-M{pn_UAu!0^rsrNf^2JAJqOE!G9~4`Y$tq~ZfdG#v!~ z6w&`$(VLKhd{WWj1wHIkkm2bS_D4aNKNVzf|2Gf|o;XRc(|QjG2ikE$xYNZGBpgyj zN45%VpXAq7q%;8AkDmcY>t=dMMGBs~7NnM#mOpMxd$D;)`z7b%?9=UHcXByMEuLR3 z-Y>3=)N8WxRB1J}1CcScqE)Wf6D;OUd0lp`?Tb{XIU{0VTTjKV&k+a-JM(_u6CPNw zdNO4}76YAiEf&?x0piRA{8t>XBC7^npE``2??tTqAOMt_VKtL&{;;fC7!BDRY(j6} z1fPJT$G_V-54O^+4de~)S*=elWYsPN80_ZdMilh!yRMsUtXZ$L^ezbui*DO*y^m~j zSYC#;+@!Jnbst~c!;|I`q`^HmemMPp*Yq80}cBjp0eSPTO-W1FlHfg=o{T)!$()ik2&;r?);M-p?E-o*- zE%%#^pcA^Y^DERKSM>8VeJ~dr4Xyb8`Xd6a9pDREKogcwr7A}oY4gO+Lh_|_*q5J$ zE=>7-;LF^!I9o}BT~liIt)ys#6B{awqbI)%?XX7B01=*Tt8CZTxU@{yYsj2w&&6-? 
z>ipWco=LOTA-otAM6(r_=GL?w!0n#s=J&p!fuOQvI(}MvRWKs4sz%hPL_~B|@*DmoH?+-nwN;xUocYoVzubVBHT}&b z5$xTIu$m1u_L6#o(qUs^!T53ax$6XOI05m?7+gDJk^9eF!R6y)~;^ z8>rkLS>Bzk1q_bS zakxeBmIv<-_hDI47Yx}+Cwce_jP*n~NK?fznUt8U4RFPU@+lwlI zP1n8w8=0Y{%S(p`i$fwDT2ztM4y)ETnFIP~ErQjiG$MkA?IO z&0ybBG<5hoGz(+{2rv%*3)KplK%A0!({cuJiXvm_J|Fc{BnA#p8K)C|4vCLZezFB`S#v z_%2V9(11un#JNQ9T!(vTMdU?9dmxfhWWo~#Max>x)P|D-etdZE3@S0&$%|FV6tJvQ zz!$1Ap`oA0)jIM)sWgG47 zbz1Gjx(Cyp&i`aOeEOQgjHI7lvsn#JOsG~RfbNR^2bF=mFI<4;d^UQjdkwFMJE&+C z6&UTO-T)o0vr)hxNh09E^$XPtxr~T65?NtdR05%exycsJqh>GIO_y*OdFNr~k-OS# zrQ|>mMj|u6 z&Qc%sK}8c_LA=8|`7PCieRwpnQd^~VUf^tSs3lbhJRxSi;rVA1UTA#7GU6wANv2S0 zVZ9%tw`<01@NR=Ae_k4>&z_cUx&HqJth)#8ghKkegrEc=nyrB#AY$cleJ~^d;!k{@ zSk4E{KwSAPBx zp}_RiyQ`&ff7Vj*({@(x{Qm6jvV(C^ew`oh$6Qe9&fsTRjg0qs$fAu%-NL;CE=5U6N1%X%YP?`ku>B7Bn8HL}Now1bO{F3f_VsJpUom5CMoU zIbEd11pZM$Lk1>}YMWz1l5~U8XDqdI&#UrpoKCt~6zrp7iL5|Uz;2#MkG&M>AdO_> z-198==Sek__hg8T5G|qPJZiQm{oVLjcH}1Pn(yp8({;l^mx7z$ac-Rl@&@a;#c*$Z z2X?4$2u$b1@P1}i`=;e(RzKjnaZbB&_BSW@R)Az64e2KhUTwU$ZTO^~wr)5$$j)HD z#wsi+LJ7W$cx6Utgb06vKwu{X?C5nn;p(5a4{2YB9$pe2yu6(JCV~9u{VvGD zok_%T)d~+d3nZ^MI!JbC!FO03b2u+S^epNU26uSa-y;4z6k6O61IH$4ZHM7g_kP_a zI#cD(B#^-G;KniK%r%zh<=dC6x1(28$k(g+BLgdljPj_nyq)_hrS~@%&*J+sJ@ex? z`_=P}Z?Bzv1CQNo0e8l&282R#V`uDG^(})613ludL|^E(rdy+00uXZfzB23j*m$C*Gqm_pw3>p9Vf_2RELqQbC;Q}MCoG?s^G2Q{T}RSB6ZNU@ z>&>c(%EFoPqjl>6IF)6hYhAv?eJ@RzVL_SzQe5k^<~{l^&bY!<`9Do4sw)h% zR7Rm>pF;q67M#dDyWwpxw|A`iFFFKY(Evoo()f_L{E(InYKePqSE+{wT7@t>P73r! 
zs(#UCil4221}U%?Bl~X?^i|fzGfyy)JFDIj;}l>p8#8goFE3DQum*MG&l#PsQOZ{J zxC)r40f6sl5X7|AK+Pp^zQ1}YB&12-@jA(+a7s!?^2@OyN%(|iT;gPz>ceI#}#P(?ZdssdG_`8 zYrq4LSGZo$nB}Li73p~Erz0fiEycNKK-w)2mmRvRqAFD%qS7u;OQw*PM>l{7pK5i<`0yzl=~7FErG1sszdPe6${YCFnyM zntl(-RvGbRR}y6mFy~tCv$u&FcgH37?G5$`h`HEvQ?yfF zSq1k6OqCZiVowU;2c0+2cJ0h*R}EHNx4p*A@9NvWXxZOedCnWHf%=uXvY_^Riwz>z z)$wjq**01d5E>E?Ux>PGc91!j6ccCdTvol5L}T%w;@KH60K6fW>N85)+-mG{&)Hb|UTUALzHcvq7|z+yvk9`Q6ekN@WbA}E z-@Yr#WExt2GYNPG^C8~R&Hj?;mSx_fwtcOTz8~7WD^?8Wp4z5`DWwVWNx8oy-hJzM zwnzy}t0IaYPdzF4u7PjNfh{ltLnYM5{{D;eTAe0><>vP_PT&kLK`I~GkuDRwpsN;`*y$wXa&b>~N#uYH}%#G-`k}sEnB`7@33`7iJ|* zu5ALz%mNGDN@5CMGL{WMyOM94{@k{?RJanf5^zO1sz0<-Op z@=Q2qCWz2cH@Z#N}&LiHNi_BAqSVn1UO&;9#Ke)MO_$Q!`Yt2i){LGi;JHVXy3_F?+ zLJyQfKq$QDZ9m&eJB{f&**|H78vqyHSsK1nUs)% zxNNJf8hQ)d!Ng)yVtwt_o5Gf{qVt;a zPrWeA0|_I)MO@U9nTDU_Ynx4A;{-4t86 z*Q%oUMGAiV*xYCRSd@bBoMVwC%37jQ5_f=x_oOhQvTZaNB~c<93!1(xfj^e-OS5X9 z-v%+U?uvk{iJdWz>zgr7mo$=a;XY1xh`Ukc`Q=0!1(#V94*Oj71^P|FG>3*5v$Zbc zC(JBGm}kHchnY%9CndmIgS%x1(d%gXGE=chME_w8*P=wE0UMGFikycnk%M!uO#}C_jcC|m zqOn=?7DyOBDA*|dl;fH6QWu)UUFIc2rbGME51NCPuzR%lB2q&}~d+3X~qS15h6Dx_1{z9BspF!2euH6gQD({+6Dru*F0 z28m6%W;+w2sJr4RvY2lA73grPd$;h3(j0AS`p-7vvA!XR4MH=z43&FPm&@iolXC_K z^|dSR%n@OV9366OE=c8LLc;%Dr}=+QdpO;fZtX|Tl~!U73< zpj)0hzL4@bC%Ih!@=Nc?tjVlo@p4xd#iv7R5#LgrQQ&vt#kIT@m6WcCZ8<#Jc~3`- zU%MhJ(eD)DL`^o0j{_xXny=_B0@c!Fhat5kgTJ|r@_aq9T_$)iIP?>Nq!UUkbJ4C? 
zSepdY&QG8ldgr7vqn(Ra6`Boru4R~14ruBW?1>x4XIlhr{3L=UN6&~H^?vP3k5P%7 z*|**%mhikO)bYj#8@Eb%Hml_J&e}Du6ZhK>8o%vTd#@~>xxGB|KR3{N^i+THxHoqR zCRjzJNTG#w2OCsT)8rP_PSprGV}__9_Xq=W3x|_lI>TmCG`~h!+i*pjAjx7ehBmL8 zh^#8yA=+^16K2+|KO7V^B%G&zYK#Q^-7}CMBqsY~+R|3{^h@ZLocZ9SZY7C}t*&Ki z_>x5IkW+~x$b2|${_q)qa9qx*BK0V@q>J9K5DE@S(^`3z48~c?iP12# zA5KL>T^V4pVt0=$$)c4oBqT2e+W-bmMTr#HBeeff?~khv9~8gPWuRu=sNL zZ>7TmT+@m-8~5xk&+=^$^X6RqkI2*x%4<#_=Bf(y^<2x*AA?lBa@(J_iEaGZBm~=) z3KZ;}Al$|qgHirv>BYj;vqnmgC;)zhtW;L`I$BeXwBe0L74DSRB#hmzQoXa+yVbBx z@W7M%o%aHcFqn~lvK-Cl?$9k7h^d^~pVoU&dN@}a{&@;Sjn*l>Yv%&zOP#W)cUc*9 zryB>fy-Yy>2HY!bC(`nyuqZ4|NZVaA8uQ!l-*JJ~dD) zZkYGWiB>;+P4LXNP6<*eukZHyJe~x2s}%Ts<{H=CkKnTsI^KMJeJ@*_RaDXxz}bP! zw8A9lS>ErbXt4g2GBQ2lk0d<$0+Yf;Jci-f386Yz zZ&M~o_xpfoB?wuwnqU>R1xxuA|6F!CHgP)F%#y2E5;J!FYN$OtbWZfMv&(iKaFV)1|&+}~RSKSAh3Z9 zAYmfF!OI{2+^`iKVW5|`M)~BWf~^NOGcG(#e>pY2Z5mX^{Ym+^nVk4a^0ibh-miN3 zWzb*|-R=A|N|JSi`2T>>SWnWTeT6tR{udZ>*AX7DILC8Gt&9+rszvK4JY?0SsRU2# zE=25fWPfN%F4r6}>hUbMamsnUbD&?2YOqIn$15FiX)ak_X!PdQSS?b(W?l{9E}Vt^9-68- zyvl9v21T2hZBj_F>BlzuX>Ai{i#r^JbQD6pepp#{hm|%lzcOjAnJ)lCN%_A3x0Vq= zlR3;Ke0g(n5wX53WTrL*Tp*G9>(VA?cZ1NOKgMY#CMoku)Lanm$M7#)K!kI_Q_K4~ z_fK&+_RMiugk@XJ?t-P}y89unvAl0%@!Zo9q9C(e#FlK?Kc~sDsB6{`=Ux`Kv1$#g8qb~+;c9&VF8CEuPuk!4*b-Is~M&QY(kJn^TNvhN8$`I z#53eOK#%i3!0HH;Q2)JDJ>Iq#&B&I^iMvdehuWXF{y868x%&QxOYe&$J5Li<0jd^xK_!TR&hQ zwv|Nc0bW_y=&nV6-g-OKXc4s59v$w0;kaEM4I&d{N6@^ z&iXZ(5~*Rv^Q*=~^f~S*^!hBFX|*4r668b*(Dqp(+lx_bK~tq>5=lV7=g$+*FJ$?1 zb2so)O(Gc4g0v#(Cz}4q(H*1mnBU|UR75!0f~kvnjDuen|J+3PgZ)O*SgiAY=r~yF z_woUc9>jZM=4%YLzR(nzFNB5dJ$5v0xGmkc{eh##wff{RI)3&gvt(RQvhJgLA?ZeZ z2iUp^3X$BQxJX@jxPel1x;?W)yH<%54t9ibq#e!E8xJE#h{BY~aL7Zr8w+-jneX!1&`?!DZRyQ<$5*WEz zD=zO$lS$CKis4FEf0z}}CswUTwN^tcQT%m~P&}7a!c-%^c=)(5YCDYG<2aBt+7SL9 zIFzx(s}(vx{VP7eA)Er}JJKsK(C4uc;SVw1P#pcrOJ!Q%_8wqET_~s5E2)u9g6n7H zXB-i>L@s*r-bj+zbsb7a%Ji_E(#zphPUI3_4$8Y}76z=ptIe&`Kmd8OTrMe}wCn$z zExl)#0j{8Rf}MKQ@_nK78;oIE7i2N(ghOPO27D*Nhfcl4bdyI3H|s2Wcr#;$JjQ3G 
z(~KDu=#`Ia`L>{LI`gpuJgAIm+-N*WHXcvnOWoWOMuo-V9#TB2uwkx=QGzx&{kYHv z7%ng>Jix1mtf`TtIKjs3cNDVEW>>kZX-`hkp07_x5h&pEZdMg=^XW+HS3L zw`&b&*<)ydG-~KIj-x$oSQsTK{{dd>FeI!rkoeCY#`J_j=rg>)O)NiPyL9_{4QC_3 z`g>hhBI2on?qbatAGINPeeLsGS|HV_D-$ovXG%Mrx0cQRD_0LWVLYe9**)#5`q z)D0(CjvWw(37<23OfPtDE4R`@M^jpB5h@+aq@rIVhFW5o@GIHGBZYelbr<;U|F4d~ z59MedXYcEIvbcqNahR196F?8w+U{{iqsJ`EiR4w}LdtjBcy(FC&9gU3+~~|&TwS;X zi%Am6?p%t0?@*=O{e}Pw0$PXgFoGwHK`9%` zb_O#_w`EY+w`Ormojy!jX8XXc?>x-X4`Bbn5Ex4$54rg98pt&Kx*2&Fn=>p^bD9?? z#uS;=-hHZS$w@syeW32^bG81JiHSv*;nkID12p1?960r*oRqF+i}DlIV4`J(E*6zeYR8^({oUHH#&U-?SX1v@UOmhl0GA;6v=MUGnf@_dT^Ug6S-#1g84CRRd#yAu-T znW{ESZfo$3PVve;?0IE*JC@|p@o-x0T$=`UtY2TUuf+W-(jv)_FP-9LKSWBcV5ML~ zvGy5mw(WhEeUegI;Vy`3C2p$Bs-C*O_L;}~+_&JC4t>4p%JG`lYH0BKBpLulBVrm` zXsEACWE>~waA^A3*-O||uPn^?xuUFNe9|h1kQ;W!EFL12^egmyvI)koCJWRY?(ML- zV%l1NferQbCMELyCMZS!dfflH)pUg1aYLc@-AC>tbBPB>*6f(X<)4S=XEsK8>HN1F z?U`#4VYu)!O%A%uCa|09!0N512ketV^P89MeDHAD?Oh43M$sR^Wcr0Y$L4h*y5aj; z-QW37{HXf_7hLb%M7KMc$VCgSts|eVtTx3G)8EJNyGv8Poa(9$o%G9qUc>aK}q=IwK!_##CQGC_H2L1F6lv@9Dl7>$=7ch zzuq)*nUh0F8^dU$F&XIwOn`jgz|T2|4P{3;5nAosH5W<6;OyX`ukVwacDvjhcdztF zO3d8($$ZW{AY5=t>4|4nLRM4)F+=wkHx`&}f4t?;!%ET6ee!oBBUT_NSr|_^%joWK zcv0c=)&FHSR7Q}~bk$iJmtK8WMIFzmqg5O4QmF7I7=iSm*fo{i^dRc#MsUd}_VUBn z;4wGyDB4%g`w%G65FoN2HO2j@dQ3`%WfCB>vcD{4zIezXG_k2P7l!GiXS|GKkOKsQ z0@U|!sR~RQ1s3EPy(0^m~et>V4x>z&de_TY*6_8=gP>tRLNqDxJHw zjo(baUoU3c8oeCShwbKafkQ?m|t0Ru%~|{n+Tk)JLBGZ z9|_&F{#=QUbW5|-XZ^uU{Y{u&bx1;%FS@jNvBUsdJxI$&w*ygT56J(ygraf27upUp zMuP0V^y)dy!8$C0S;P%~wqWhr=ieCI(=5=$38kNJxSq>ccyhDz8qs}Yuguz;d1HU~ zecw?V4a1y5Bv6~7Sc}m~twB4EBT#c`B)t_p`3>>kvbBmSKXKg^$p`^%7u3I>+@L#s z-s|{YCeJT604p~Tws~+O*Y|UW$OsqZep;k4t*V7pyo#WyD@@1n7?)=kJifSi z&{KosoILWQwD=C6k%k{iBw1552mE!6GUw*cB5zAhNaIWwr5ax{Be(lf!TRu+6^K6O zuclVW)D+KAXc0G!SqQR0hzW@!j5S`8Lu|0Y1!@2M< zcxSBO>jU-u0^9Zb{kfgRT$8>$m{|w3?)0-!thGtU$GpS+83u}-$;f+!{70!2hQ|V+ zs((a=Biuj#8I3UEC`28>|9p)m0dUYcG>bQNDX1rDYoH&%OLfh8{>#?9w){W;8OD}x zzyC>i(erqV?|Ogyt$hifCW;}KvFn-ZUPvD5ma>=`O0BfxJBx&5+4(#MetV{5xNwP0 
zkH19lrg;9wF?!7I(KbPmQB4R9?4%-u{~MJYxw31Y*AchEz}0gsHIO~)SW%(xjKxV+ zHDW)-&FekKoV3tI@Sgk3a)3tw@?j9o$>4^pzwg9;&RDfR=2=-@#B~Tb(cX9F?z#VZ18vEcx6>%kuBSi=nq4R0E->T*JHkY>wb~sLU*uder0L#`M ziGZJ~(-oAYE@@e&E_oS|nxiaO+=5Vb<8#SzPL8F}!s>0y>(uXB&%t)g`7`6ip%y+W zXICMyfI$wO55RzL&!FTskGCT&l3SR9GIX=IC__kfSqPN!HQ*riWOF*};Z^>P@i6no? zohcTkODfuL?P>`MJ6Jj$dF50N35+7sOvZI;5$5?1u>Q|iZ1iQTd0s)Pp1m4Fw}tw= zdO>AXo-RWtX7Tc#{G9c zW_uO6@4fH!%eJ(%*@(WZe8kW6+<*J1%yr<@tw+O@c=sGIe+qPgiRA{<=Y0R|gop-R zydAGAJP)(tiDX2WWJEY^Mc#6Dez*Fw44e(tBT1%)!yVbTyCZ|=^~ zPV~(hco=ZsBQ`dCTL%CAa1u^~{~7Yb;OmkY(cA6Fj?W)Ng(oDsFkY(eIJmL1!&JYq z9Ei3hnbxhl1UK$=c-eR~ZMkkFjvsum zD)E^kugWr2 zs07Ld@)T9tRO4Z?myuM2$nXd+w-HD)48$O1rR~s+fqp)ap_ehO)PbIcI6(Fo?xw^l z6DM>tT*v0wY>Fn1Grl?|8?CGgb_finNx*Q6<6Gn@p!|!rxhblxvU%YB;iBG3oFEaO zFN>%F!Oq#W2>pn$<4s-J1IA;*su+R-%QqJH5(Qo@lC~TaA zxML52H2uFFkxzyv1F%qltM@(TgU%r0{TH6a8pto?yDS1X+}$z!YT*;;thb$$DA+On z)Au;1p*uvhtl%kQJ<X%3iT?J@T zP?cQUOTP!Y=b(z~q-N*RIci!`6xsHiL~!Szj8#JatDVpwj8sy;Av}!cOaX{O7*B)I zx4D?sGL59Q*?o6H$FcDv+p{8LYEaZa{!CR;uQxV2aMk)p2)petEaPw}NXSu&N-WEB zLTeWa0w=iYipgNAC*T@LK_%Ata{;9a!~L|k?! zz1jj;2^-84xv{Ka3vJQu_-S1>UdpWGnKoYP8!!xYErwDvrhSTeEcT3%qiC~aprzm_ z%=rHoda6UAOm|d)ftUUz3ho&;l?UUQJ$G!7mKIShTml`1Mb42o<6+J795&Di@1G2?q*WrDRGeH>VlqWl786~s# z&W$VX5o(<3^N0CPy+#1NQmL8N?8w&>rD(dbk}($T1HMA>WSyBc)!`U8%8Uy1J~ayK zfC{@cVnG9jH_jslu66p)ZcMPP;M84cyGjuJ*4h11Ro!VI>S;6K9_TCEU*VwI zdu7I!jFawvBmask#Gz^^inE3tc*LKowt}VKaX14(|2)(D(C%!i*|e823KTROc|lO9 zSy)JjGVkHu5Hg2KE5o{g17ideJ_XgvqwQwQ97PX%0`8Z9{8* zrO;G&?7LSJiZ4bXG=m=|^wkk5`7^wyVpkJybjg=+Q4oeeJK5IL&p#a7{m1!eLUhw+ zqvx{(T{W+F>1^rEZW=120MX{-;1~jiWssVR`QCvHBM%g}qh2tz)$ye%DD@-m+%Vw! 
zkXFb0d!`&EW6YFOUg3wozk7&;vVe|l>c#^x{%Ox2EiytcvHWpb)UKV1JXv-xabJWfyn}9K@ zBJUnGoq!+V=_cCM`akEr1VB5|7iU3#^=p@G4H@E!Y5B6`{RjW~S+i>6ll2tr#X*DD z)Oj0CzZlx$kRfG_!(czy!?=~5o_6#W=U0w#LC155M?BC`gw^Q9P0PQS>*tRwEeE_; zZqpIWyb>^lToUK+jt=_*tnZ9JI^U^b8N7NbAbJvA>%Wf6-Dx2K8M2RHBR~-oI7sGB zL3T!ln%^HXNT!S(5iMDOE-M@h^RJ{MDuW^u_!LSo8H_f$q))?>MM5SUAA%;*Q<_}2 zGuU#L0$$arq}Ubc(UP!q^S_3n9{3c6o9PeXkbRb5wQPv%D^n(DK{ipy(Y%npi?Dgr zy;G<00-)*nwX$O)z7^DQxm?mg0CAU8Prv$0r>K@iP|~+t>}Pg_tdJTS=<@D1%x)8P zN3;5s08{0)2;Ia;489Nq`C9~h)9-GerPbX^HY6lRWSgLOtC@==dLI>`qrLoaqCoS_tiM!C9XMlwm(;>Rh!IeYIuOO z-iiPL#&`QnJ+l`l+#ei@dh+qgzdp>jqsvdk)c1AtVe;?< zt|^7nUruW2i)r*DE#CA1=H7SPc~jG}Y2%?NuG;-f=lB6f-efR$J^{H!H;&QPR9<_1 zzIZ%$JW>*9T#`3x-Y&RSD0GOAY=z0pD0%Om2TFE~ESWrW){xE!M@F1Yok^D9P?}#} z!i>+42AmFX17o{$9DN0sp*RT+<4!O&h=Q@L88R?~Pe5Wri=&CVGmDkz#Yyn+=7Vwp zYZulC0&W#e;Pe9$Kub9b{K^qDNjw`3<_TCDMon9VKD3ci&bz|_iVz?&$bWH_9~^6| zGhRzo+=W5jgM?5ly^ZkejFnEhhF<#EhF(l$1_1wuFEU}2Bfm_A@7&;^69lWFAa7O= zuDMz2{HFOrRBDo%!@kZWN|7Uv6k_?grGFlzT)Fzq=fhGi(=MyMdF$KL#$I%>y4arZ zwIt#OZz0!zY?Dakg*lc5ak%PbshlGxm_}DX)@a)#nx2)_Epk=IAR4Hpn9_9=0c8{> z6s+F}6I^Ugdg+Hre?Z!_%_g`vPumEt(wS-GSNkNS`I_ZMI8({YOSb2I1VG37j+XOm zn#R0C2EWECp{-=WX!K_==>S;wq8E)bjzi`Tn*5!G(5%8BcNJYXIg56PAC!{q_-m$` zc3&dHxXOqPgg9$@cC0{Rv0W)0U}>Q@H>V93;Xj7{&$5?DW=QsBzH?qvcm;5~*(^eB z5rc~h%A2-ho~}`=eWkzqDGZ{6@FfsY41`y;h%Y3yR<9;sk6lu+84ywAVjdxm5v= znRKQsRR2P=lC9^l`*jBy;7Od{;=AQR+YlI~MTe33F@OS> z1YQgI(+wf+rD6)p(renljHJooS|jId_QH=OLQeCfe75HIFN?vJ1RiLY*YC+ZB;yEq z5T3kXNmdxlu_TPPn)8sGR`**J;sImX(a=NINCp9<5FcGgCaOb+;zYlvRmL1uqoNmi z=bPV^StRLR;1d_Q^pk>ao5v}cRsaWK7ZPh=JcQ0c@}lrACJJqpue45>ivAqOaTv)6 zoROj-G_L5s>>l=11R>|fCTI$`>zsHM`4m*Zr2Jw+#*jEMC#RYD*?}&4=?dzGvNek@ zyL}HucgTbq)H}miyJnq>0!T4lr76YVKyUi$xF>?plL|(_&+#@Q zEXcqhB~TGnoyYM#jKn~3B|(uHlW7w51GFJN8vIOVSSg(EgHm&Et~Ol3jF$4J)KT0?n84zLWCpa3dUX6T;xF8o5ZfB$edrrO3{psO{EE=oQFnvrL3mkbuJfE4I{dg!m@-h=6HyE&13WZdP-PIdP+Q zyXu{$b*I=AVPb>s=bWK`C?H1K4O@)LF;K#Re323BGOFeno*X7Bk%Ubx|I{%WX50CW z(zp=XO!>{jb=kElhGS}k3?2esvKUVQUn-X<;a3B>%aU`#yKeGWz3MZ>fImfHG;~*Z 
z%_0elAD!ZCxQsl%P=a>zA^K0OhUYKym8rP#Bc|V2!ElN}z^9x~SynmMTUkUna+`7GKGWY8X>^bOA}=r>%$K z>`vN;K8P{8tB3G1Rb@ESM-q(W+Cez?O+;Y(6C2#kWx24)2BN2!STW zzxV$S7V{z|7}rnS^mm;BU)&{K^NmP`vBbj4<~(!9K{* z`zi9%vgk(;LxGqwz&A~^wXRflRa^CKiNv@E_8Gs3Dql|!;@zt52Qc-tLTt7Uq*KPc z_O{V|1H5hSVuJhCqA79XA9?@Ja6`t)gJ_R9WWpe!*%m9;4tdSp~FxlMz40j^GV$iJihC%c5T6tStl zfv=tZ`z5Jat$D}u%cfJopyaFXiy4Iy$7WbA7@*_t=dIquVPvOCHAgN{eLPyr8i_xh zojV%RR9Z0;Zf7V}1qxZuw4XqDrFu)4^FDL-#~%Fn@rpk!e-|e$Pz`fc1a|JX0n!Eq zz^OR`sZdu%g3R(BrM%L|3s;E@goD}V$j%#>d_vC54~^sp3KckNg!i_d&qEg{cS4!6 z69wOIrxrSSbEc<^vNtAahrWVQ*3I>P9dTdg)vssVlQpbx)%_T7kmzZm9(#2}4mtL%oX) zH0}GMp}JqG!fd$b`a@H88(|XPA+h_>sNv1|4!{aIC7-DRSRyluT_0eWc>4h#Nc`$u zp!a4Kmusq>A2N6PK0-B#8hK4Q?D1CG8srF9`_WAQPa4e@pk;7`ZQ}j+_2u7j$md8) zv7ITt3#U0^ASULelGPS87|nh#H#*4{*$MN}kYMcs>M(rR=Dm!Q(J$M&wNlUpe33hD zS-Bj?W;s2)K{D>>$$<59*y3~Y8i%RoALFaM()(%5=Xl7>IQE}Px(^Uz{uGq&g%sL^@xgh&1MN^?y7vy9*KYbahAVOZVBuDltP0(Usi{NVMwK8@=+_Cy%vNdx zE{2<95B*Ta|F$T@$gRNUxKvz00%wfMBy^;n>f=ZQuwIW_VYzKpcgG3YtoqLkLF=?p z+~}VD*GhbA+L=#?ciIBAKymEn12~)QxuiIEc}ZlP=3epOd5{Idb^6e(c#+A*h^1M{ zB8?_*Z8D44Fd)9YP^Qd=iLIu|7*uP2C#j=Bqq3KsgrgnK9rgxCDr>IzrN#W)jAZ^3 zu&aHsW$TJqie0?T-kN;u5{+zPesDMaCk`}Ku9DYPzj73DW0YMtah!+FrEKAkkmTZla_*}-lO-TPo?@TK8{vCXi@bSZtW`yoS6eCRf+YGrcn;kHKGop`jt)Cp1M6VV9JP)WFe?f{k{L=@<5R zPSlbbHaL?g>+DZMk6?c#^x}&o6PkA)PrcQQx7ky-JPj&eu#Ak-n)u5zTE7p6sr;^X zkrsWAWE8hDSd7Za@&(AFi!qq3qvcZd0)wTM-TA#B`rq^3Qt=wzOf6dLL(DVd;`A{Vh@&Z)^2ysYh+K{K`rG zFHyV=&=Oh3Hi3K`L~_3cUuk?%Qj~*=RTW*Bw4T)k0`kF1xyLKzKW`1zF-9uRwV6!5 zX5u1#RDP%w`YB3A%Q8(1ec3UTSx5QV<7teg=anNIdcldBhE+0uQ5qHb(v7CZCMLvn zC;R;!^uN@!uapE&_72jL=B)<2n$8e`Yz%x4CfsQFOzuaAnrnwyQQp_Da(5o2*Z$<# zfD4kmTO#78HHii2;Lm)6{paX81TLk`^!=eWNVM1C<2}}?J%cxKlnJWZp_7MfIh{pt zReKV4S16Q1dKwqt2PKLzaLvXl*2(Yk;wIup2ZFv7hdwLa7FG5{MZHw^?URZQn(X(I z;{j-7*5q+s+0;Kt9_5tp8D!O-kyakLfW^V2V0EYKt%oZerHNhFRlSqmRzWpz-%LLwy4Mb-Bc-yVrYd=4N><{>rV-!T z%25={~@{=6vEN8mT4&A@+V<6=)>)`8t=Xb`*yz!kbfjCE+rn0 z<9{8|?OSz}!YRFcsqT6*9E;9e+5k=XAP7HT_w=9?gB37Bq-E$fp!~2$5taOyE{V== 
zfwkLglZ8St`a{yuCzZwGHw<{I=%M^n&J!Lz)`u(|OPcI!bsg`w%xmLt_rVS9z1d5@ zK@x~ByAsbBgG}y9jo7OSz$~kc6-1i-^VhxdX%qcL5Q=EjT#Bgbz+lwRQZfU4r@54& zF!p^~*>F2hTe&jmI<O0OqYoEWCgsW&|r|}$qsIe>YSd^#WRq4SeLQg#<$g<7 z7E}{8lOiD=_#Fpj2N5sdk={IXZpNv8MLkQR<*bkM7LAr9rS|j(!69|G+U8c#AYig) zDZwDMHY28(Otd|=tF>$#l*MBwU>vpygE9*mzxY}y!C^`M?Lw%b2t@QLJeu%}F*Hds zfbi*Z1-QvY1nH3nBM6A7H8we7Cy>LJfg(7Y5ahj}`59qJk6u?({yoS^9kiS(5GDeoC*6ZLiX}OMN>{C3Esu9+wD7B({KdS&tJhw05 zHDdF>%j4-WT_GYBQ^MI3J%eu0k_UC~+&HDtI)NHE=8XvWL+y$Q^%|3P%n2{BB_kdz z%Xp}K>)}!1#)Rq0vdb-b#zOh4c_O@Riy$sQMIsvAJnY^;JAFC zOpyR_E0i(x2PcMPb!9Y>Pf8oVvs7)QqYVZa3F^ODum1A1lewnhvPv3NZ$FNmK_&~< z0~`t+2QoLu5^&zAobf6dF0v?}4ixQ1TxSZ`!lp~|%&%szjjw=lW;; zQq4StV;#n;r{A8PfA2zS5^I7JI)h8nX}9BTbLv#yofUm+cP%V6CjrP|;>TE#$wQJ* z$Pi^z6j#M>{I)3rQL0Gu@!I*O5ltZe@0?=`B#S?*(9Zt%!~N!k6Sw<-2U+tQZqT#S z1?B9rdTTQFQv@TNAIExggnSmH`ZgqWg9yh;OU_UXqLM;J!C=!&jKhe=|F4&~45+FL z*F|X%X{3=3LApUjkVZPCLqfWwV+ttU-6$a4-Q6i6wFv1BB_;1#fPQ}Nz0W!O+l!osFb&+6e2fC5efarbN%D;vl=SUQbp+r zxEO&>E81(kECn@ls+DO(#)@dsB-4+y)Taohw(g@0Qvo!TBOA{ZUL3!|C@`}oM^|9$ zC@iW^kh3wxo?@XrHVG5MeTQ}Ben$9|?IwIfx0C$RWgkNqhgl1d-ggT zQpegsqhq=o>Q5A}Ysk>ea~L##z!AwPgX74AI|$d??Baw!28s99B7L6%QNKc#2@{AE5IFwp(zO=u!L% z$*M;DGKY>4Zvdq_d1(f4FSoQ*pgbVv{gf*~OSIYDu$xnomQaHIRWm~}b#n;cXa!c% z;>!KJc!uYn`)sNt`iV=-D`~i7^SQ|jWZtu$b)Ah*Ea4<7o5(dJI)UT#l&swIFGzUj zTDJ9CN4zVy4R$GaQqrJ~m6!cKE91F`=AsJ8G%|5tF7T8B;gi#l77jD5tyf0nyYmIH zL9?)F0i3L#9T{Ati3SsuT8Zxz3kzSC^9+}LqZ}2~x=!k@P-jA9@yg(&hW5l%Gy+k< zn=0;Z2Y`R`5?58t82erobIF-kMi)-P>@FeP3lhwzn2}YlBVjqqdF7#d81f1Akvftr z_h+Eh3#X$DriZTddSZiZ63W{UPA)z7wFHB?e7~05-j&B1_`LzHV;M7j6mtK*|vRooxi#!5DbS5wc2Ac_U&_GWH}iU zb1W|f^+|{^s$jiCnW_7_FlyKy!tHm6KwS2xQ_DjU2V|~`_f=ahKB;aizNpvuwJ^C) zjp;Vsji=tl1aZ}w+XXd%O5D~yr_N?`d>kmJh+ea@nd>x3s7;D=hll#whLauAL1rR8 z{BRy&Dg{(~weC8SM37|o!NVuZ@keN#V|q|~qiGC#y!CeV7i0G}0V2&O%)*?A&Vbn@ zal4w1p}d0xEv-6D9HZ75A(m;+eN(sR0Tk?b9kz?0BU`2WcrOAXbL1^GRA&&>iYa>F zVb9t(NT}!#o-TP19T8HAfP>FNI`<3GK> z0`B3SafnnVE7^}zWp}=J#FbT#0+^S42r?N94=OdsD?lvpCIP>4cn93@1H0$a-(8*r 
zr3S3b>%pvR=2-Lgew;!=P?pJ%`m!X)G`J}d<6xAQZDE1Xmi=u~Pzir;VG4nY=xITB z3XCEbfsw$Ll4RygHS_MH)qHwx`q{A*x--69)}Xke($yUcXAWjeKu>8G%{2zbyYBJ& zWTr)Qs;0-<63xuEFu(R<_qRrAzH49oaHZZs8aC2y>6$U;vmXThD?7z~A04A)oVFAT zF)G>ZHMD}1vAdgdqjn#i0$qqmvoa>LTR5HPXAazyL)ZlRqY-N1* zFBwKFtj7)F$rYtrOx%xHxPu%Tv*MZ#X7zSrsw*iN_%8^1vaOKQa{;KOEn1?QP!M^mzEE z2Pyy?l-n>2K~DGUcvLDGvs^w??d(P5Mcrg<`A&5%jAtdBUWb$K@V+*2YJ1aw&vp#J znv~KabLDB-eEAt{C58^}iMA`7N=IKg!VtO*)WBWR7EeKDVS2rcyaw(AOb1$d%n4NW82Mpf1SM8_W&4de`0%R-nGGJ~47AUuIED)a}1UoN6-A7*^=$f4@~ph5FN%-CFA^U9~v`i%goiUx88G@a85y+l5S>m@(_nmPbz zE%nni^bg2(L*Y)dF}lb2z}Dc88+G!J=?Xd=v4?l|HzS^x-;agngWSn55tKZiJ|==Oi6ITiwsN2_N|?dr2&2Pts;tYRXMPb5w}|< z`d*Jhf2w9YJuAdPV)Y0feX)E|njX%B*+&SaVp*7?CMCYN;dVJkUIGkF=Y}{xz-iEk z+_HihlGeE&l58c5U1=BQi_h{JKdi9jIh=ChD&7HlQ}K$Ow9g_ABWYM3lB7{hXrB0H zzR@ZV{U*IARWG4Zan^%qM(GEk!}ng2sbb#kpX$;1<;4Lag=u^0p2f=(JhC5{>6w2R zOnSe}Oxir=8Bqps`o7dmQI(v~^llQB^v_~-)ymtWRML;QKEgnGO}RNr3rqDu#zr@` z8nnZgm7I@ZT8wyR_EII4UR}SVB?`o%gvZl3Za)kEmgoafY8^~KaC|l&bz1z&n-7MW zl2}U|L?j<0HQ(315tLycvV(5IE$t$mg=B+i}M z%Vwfy#3}SN)?VkT3LW~2`O|H@a_F{`;N{+l_2dXwW=03~B3+#ym2>NB8AeG8hmeS1 zAo+I0jqPDK1If@dzT@zkUzwRWHWZ@v7wy1Ygq0-0Z*$ml4G9O;i?3IU&q)uF(!5{Z z26XFqD_xHtq1C)e>(62u!CXnREGbv-`h<`?N=qTc5o7QyI@RdIn?;6joJgO#cQOP~ zQ92e>8qX&@8SW1%kCG>KH%CRokf+HpePa+nc-1|y4{dCNih!TJSY90mjr*V+@ANah z;l)aILDRY7kJl%3=c?|5SCJCh7YD_&Gf_ZjT`bOFK|tcd(bYx?;YB-qXROo^{fXln zvq%nH+Yx4gT>MAzI3&5RB4aTv15sF$$mjdSgz6<&_AoW^a?1EUpcOiPZPFQg zXX|&UW(52!vPT#^J5upCHpY3lxz84nbt+|4dX)}7suIwc97mr_tC+2i83-s(!KPDH zvg2UosJz2UC#|c(1R+6G?629dDmqi=ahl2)b!XyE-e+@*ja$@G!Ts8WK3dv(J#NS_tB?gJVUn$A~z9h+uI zRI0YYZ%!%yD1WxNa9Zu)^;Fyy7ILCT~CRDJt(HyBG+(kjK_v> z6nrM6+q<0m=1fQ!dRhaHPWbU^(>MVc>BxY&xzu&_yk$t_1PIvCR+WmdU)Vmg;;#+t zr}<$xdq}4(q*%w@(pBM@FB*do_|r(KaTo55XL(In#evs2=eixZwk_(P5x+t%G@#it z+1#bZbJWNb5=n4q*nFWcQx9{`5wdCZF;!Kx1T$2Ke1zqo+`yGAcQaFJ(lgBWQ<4)r z*6y9Z0PG?!!hW!DR%>A4oQ~={?a=C7LZ$)?85hYNnk)Fk5D22$_BMIVP0gc1>%Pd? 
ztFABadP^0D8j@`N>`NbEhiClkyGWsO7`5xUNxxj3Ii(SoDYOK~^TC<85m%>0{msn!a_xk0d%{Nqu-db=Z~~PIbuW9 zCq(ijHFgxd-Da?N-|w z9n;fGQ1V<7{&)>rltPaD+Yx&6qCWd0lQfuy^AuOn2;4b^)Bn1Yt|?H}9Mng0ra)DC++H zLuV_yn{TZZd8>RLxUdl<60z;mf?MZ>?fIQrU8$PWs+Czp7}n%d3z|(?~Te zO%617#|@+_gAFJ?H0*f&810S5r1#S3$JummG9F-q1d;NHpMxXvhGcDQ>3|3HO9w_j=rY9Qd}_i%ODxsz5;Q$Q*_Z za~Ab&X7&b#Qbo#u0$~dEMsMmqfE|98{;I!4P;J6y^viOm>GJ3RE#X8oe+kJm`wKP6 z@3hK=kM+Y-@g&;g za!2i?f+SG&bOo)kXjKJ6-^yd}AdRhdw~UdDq{NfhkD~m$<7rtlmQ82fcCY$s@8^?N z#fTaw6AM;SLDFRqd(+4XZ!=}}Dzz$ixwZMwR$z@t(~&DHcsT*&C2_O|mO zszO9mjepms63SP602k${+5e6cCP%h|vpNpEL|TN=PA6*Rk<8aX(6L~b@=!7kZ6fa5 zYz|9vew4hiAN$CFTN9Tyh}K68Anxkr9O_!rVt#CYhCiO-M3Us$FD1wJ_-Vh?+~?r< zQ0iPzP>UK4?IRr{&P9u9rNMgaK>;J0yKbjd4THVxG@xJVx&r1~e-SgBaav;iaUq<~ z1D_h6*80d4bP%k*tMOZA9ikt8?}Tw!5PEgXR-_EJ=#x%9!|2R60i?0W+h!E%eA9MH zzGSW;DuPe?(2YE6HZW>8>ag;>z0WE(xhz60#WIx`$z9=YEM!CX7iHDrT zpyt;x)po=Z&A_5=+asOFP>YwZlk&rH_45;CC|htgpMd7CIkwH2A4kqzkA42sCykg2P zF!(HlwB3TiAITGLf3LsQw^vYai>WFATMn&MO^Ae-IZDTS06CY3kts85TC|=b&><%+ zZ^`&jugQJ-lkW~~IUfa+?KyejlzYh@^V0b0Q=x}c#a`efOIh6Oz~<*$$Q$rFDw0dI z|BJq{I6!>RU4h*p2=n;PqaU4!;aOkR6}dAKqgTg~cEch-g9eaZU#eC20vW~8xM}{; zY;=efW$Cf7Gv2*#aveNH?ZlmZiZ>rLPZ}1qVbs5{q+fSg_i$r1Z<&^kUMJYmON%SD zi@Wdbg?Kr^Nq3=E)PocV?Hy)Fcw+I?a}K#owE#7M`n({wI70%9^s2jW{U}yAN&CK3J znXwHJPhyr2rzO}#HvGXC@4Vd4UWLHbg1XGpdLy+4#y|-~>MAI&WYU=n@8Wb-J{}iA z+&DG236A6-I6=L)N1xoc9sqqI!yEhUJpB|0gbs3n&5?*EJ2=t7pMOdjE_ywE6}ZRR z&EYDPxB6%tdErHjZGeF~X*pI}=cO)ny#sl7C5rQ*%;blOZ)&X&TlYFFbQ}&8>Ed}Q zy?n(nO7X_XMte<}aNkjcR_qrIbK<#5Mmu zawbnCZpCD-5;UOt^|A0}Narw%h<27IC=^!r6R4s2os_-1bum5C@q5jh$kiyk?OLC$ zpJTZ2wlYH6-?25uI43iU9Tcf+f8g4)`X4Z zzECUZZPC0pWz7{+rU!=_zVgD8;vBd%pMrF@3NuW|Psd`y(e%}IBPRX&BdGNY=?r~J zQ~;~;Iac!0IQBjHKJ7WYyjigyi?8;swyIss(Yt=wIASEfeBUxaB5a%+rHdw-MUHJS z^WiByE!hE~=95=-Iapc)Md!`hI7%K2s%BG~58R#9IT@#)mlwKNTQMo#a0-Me1!E%V6#uwtpA#FL+0N7o(?VuO!K761REbkB! 
zx)xVhEOwA<9<-CD&s{n$Y6Ze^rjc3k>dTPrVGV!CJ=<>Wkl+`LMIIm}?ZZW$nr8_> z(QA?WXeY$dB-cNE-23%(G!prEPzt_mbKSF^A@U4o9i7$U?PYn*tY}gdbI(j}T0r=x z&r09u>-sb`(Bo=IH9bLJQEflCLmN2K4SzlUaJl&ftw(FOp}BfpAT_ljmx%?TM^PP4 zJ(FO-M8&{wVp=fc6TY(Y_{UN*ifM^+)crsB4>d&S544oBOTX9+kq6gh}7Cu|*Qoxq3O z1J+)+ibTFX7w7anX9mYDzRPkfdEvyx_IMjYe+D%v$|=FVL(inrbU_le?j?+Oi4(d} zE$TAS>wT`QHTHE^4ciAVs_GojPxkA)^jENjl6H}+Wb1q)^-24re|{>fvXYg1=rO*v z0%H|MpDAK(P^8ARMJ;--$IM7#2?mHZQAy7%IKYj48!tAPCNbVjvGi}8o$}}ES>fJW*Hq~jVL8c&fL9*>`V_Ec0w4$^r|lh%iX)1D0_0jqzbef z%4aZcX-WE=^5@1*QQ}UPJ;?2iyfVqOhWmG>Vjr%ZEZA3eIzjTtOEx-Z~vM z;!pYCf)fHW49rx&K9Wq#r;?Wf?iI|O-e;@P9VW(QOrp3Ccu#81PFx+G61CDDELt^7 zNuhTE{WK@$=vF6#wFW|4L-ZE7FPpJD^H~QU>9th~EP)s1@AcK3L-1oVKP+e2zlBce zZ7EJ3ibB$uueF|UmQy)nrm?S#SKG!$?#{r)$z#lS*U;YhUyeb$O`Bb-`(FwtrqQ1YYm~W^eYar8Y=JYW zGxeHS!N`JPCK!CHQbN-a@WP~CPhYmUVdEgoKHMy^`XvrpZ~g1O=m-}H<=<~Y~}qU z5y@2Yvs~~L7InfR5-f}NIz$p|wSAuC@!Sl$$weRB^~}pAhlI|MC)cv-J4zV1q>y2B zQvsS@`Fg-KIEp@;ow{>Zs&`|yuCB*l4zoRt&Sohas5gRD3~u&F){~m1`W^%b_a$;l#uF(i?Nmu7*z2J4b!0pKYg6 z46Z{~<*a=4bC*x4+Es+RY_+^NRlU@>Z7PgYTp8YeTnf}_p7oIc#7WU?Cg-hiGl(rGlL+K#Pu~hmU{E9@EYiC3w7fsts zn+|sy#*jU!K(xIf$wS4hWiJo9R(OCHv#^ASe9uns++TXP0ByQ0sv9Nmo;4DlNdAIxdFimhJY&u>0}LnC?cU zhc2}Xa5P@<{m1V=JL6E`XU{76GrbGf0S&EF>I{R>cQR*Vw-n>yte9%QA#nr3XE46O z?ygTiLVh-Apm3<3{DG3?3CaU-H^D&;N;9=q{*-M=FKjI$Kdf@kbStjhLQP-2dPzM8Z_9Epun!ejz1G!@9QzY z+AMn5MWw)CXre3WI+v^I+-v*3#vXb|;oXW8PRPUT6|hZuD7VNQfO%wtXbFRJkRaQX zi^g?slQjla9Y8{+_#@#NY${rS6!*wpelpbRuxDC4uIE&*#4rsb2rh!B%`Zc(H;0l= zGO(Hgem4QB))6L73^8D}_|3utwI_o3p-jhRBaN*x-;CeDZ^K;)j+Lm5Z&%){k823Q z5~-yq<%xyYi6*BD1p0G_EKoSfR5Wsz3Or91!|~&DrswrPLEi4vj5cefu zF@K#Ow+PXfAvNMs4*3xQc~L|rZ)aZsRF+8`*R8O?1GPy!(ZoPl@i#go=NB^#P}>JX zRMLjj90aSZeiq#B?!^p&{=97*Tnr5U9|j5Lf{^XDXhuazT6coc(&@@H5OTj5U??c~ z_l#`hvD?cgmWmEnp3KiTBuuX65h3e!zG{BPw*Xs>tay_F@dUnk)ZwZX1e=yATRHEo z+5@R8^v`)d&Vo;!dcwiH$uxeTR!mQS$hARMYfnPhTF)s5>Eop}G-(IeD3RDBp~4Ac zv-78sz7tkUC~<7}udNnzuvnqqMadVIpekJ8em!Rs7Wo_eW(}fJdFa}BoQn-t;zrBZ 
z?Rc}3$Q6g@KlMhpEAs~AAF#2w0!@=Ci1eD!t%akXjX(BF=V1@n!5#%v<+0n~tf(2; zmbg;D9ErZ!d9SVFQ^@9=H0UV%?d5T#uJ4=*_4Mqb*E3R+-8nK{OX5e6-qnpl zEoSAtTCX&*ovL6+0F7E&L?)+npAQR?y%h!vHy8mo4LX+}i>2lTqxI5-j`aei(JF#dok!f}K>3^frtM#L&Yc$l0SPoXaL?2#k$AN)yRvE1AhgWFHZ@ z>q3rN@lC#0HH#lS#`JQz5)2w);;wzb^hD1wO3O0BsCAhtH?Er1PT7D<27Dsf6*14W z=5%$JHu-aJ%WhUv1M3-oDKLM1YWnJ`lUNt>yP6Py;k)hkUEkEzNTN7;^RFGOTV02_ z^{$-aK%C*RIeBDCKUC_Eaq!Ed#QG7QnDiY_6HdukCixJkLx)oLe+ejR{Q^^w*ot?` zB{jZgmR0EVgaOtWw5GlhycF6t6r&}nRMoZJH=wsdul%!2TNaP1jjCi)4699Ee!|}S zjS7nyhxFshE>_J|{~~&!Ueq2I32=gi_=gQ3=epXHLECf`8L z$Axb{T!M1HjTP^R#2&wQ{bCgQl`3+*tVe|(CIak$Jdc)q^>z%l$+oV*Ops~8hfSch zSXx)|RkP3%x-qrtCm&Bpk9=nG36^J3p4#YDrP<-9XUMRzcs!40SIC)%*8_cPvEl#? zga9LTI6g;11-!-Y9>Q3=xW>3}ttK%)oSvhfJRxWItTFs}w+xEcn<-t^_!jds8p%`Y zS}I?ON~hB0xzLtlj1K;VHp9bD_vn-a@p){HI6PW{vfg!gqp#A!dM{MNv!_Jd$Cpiu z=XwxSr0&2szteZt9cWTVzUdVR0M341Cen}==u4DRCFY`@v#`45X{U0K@RF*elhPcj zJWIj7J1~>c2aQL$-7lvBhd0IwDO_J|aj$SGNG-2k6hzg_p5i^tsTsrzcW zH30c%6;;A?OzI*w-F=0JeFZ`1qrxgk_qyUQcPlLt+FiZA2m{&ME-C^H-|F@Z6a5NP zr!FtwvZd(gv~zJfpzWN5NnmD$5z{<^e@a3dc0u1xB?nn@Qh&;|Jn8xxA!g`Q)OCd} zo8I$MiD$Sw(G`KJRtIjKMGY)(IZ_awGUpSAaD=b#FG>ADFwqahvIp*wTO_dsmOH@m zNvXixR8Js)K>(fdF&F@9Jw?JuAI}l!NFABEzv`{|z{F`jC>DnH9mxv|x=Hn4iTg0h z2CMVsW$8Tq`5`9LmBx(k^mB4Rrx;)pf(Hp;7TBn%TC_*H&g_v%9YWvM=X^(&p!G<% z`@*Sq(bi4gSAxR9e0BRiQ&GwlG+{tYhhHWPoGOlm2y5w%ZeC@^cB#3KUKST1$Tn0zw>W-iEuW+Es3nhHQ^>iZ9DTgx7bMuGFG;}3VASo;kmnrfgfGO)FNY!_* zR{}eoXTWxv>SfB_Vy9Fb7VKRujUy2CmuQ5S?5~lmW@Xn6E3Dhvs=A(v9R^NL>ikF4 zR?;4orlagne|>C2Zl2xPJ5wBNjE5x-$3k5bppRekE+U*#o&N})0v}G;`yke`Fu{+) zW@)@&+&vr>u``DQ$Zg5@9Hezbi`?4)vz1zE!p>qjpr;~)c-mPoPu=P{@!Rj*jZbDp zr!24>qdkbf#yOLuG%IndX!p+&aLv@sR`of|JFtFh>GB1wes@e3C^HH5yWH`2xyZ-s zgO6eH74;W@RiwEhPoeb|kI+*ZqY^VwE={h6NY+WR;)bx0Aaj`>icv)bXR*nqhr?xp;AUias;Fy_XAvMv z5@6^>frEDnnht-%9%?phuC{I#fDrEjJ-XdQ#_ic{M{Jen|*~5mNV%e zj9;tg2?)EJChSc1B{9RIn-V&L?cLXPFmOgC(9y_q$B< zxNWtz^~6vreV6G}+5eEcw}aOb(j6&n#y~o#2^%gEG}KtryTzj|)WK zQ(otEX?@BG1sYd=Fjmbq@kF>@pyeuB#oQYz4G_%oI?dKWIG&MIOkOKTH?kVq9NR^} 
z_J$$3!X^pI!|=YT$c(BlCfGD4SgsD6pS5n;juLO$o?LS|0s|IACb+&$0bPj+(+&IT z7qD3SR5<~)pn<~|>vIxc2RUCW`qKyGgl|Z&rFsAol5e~V4$AbpWLAtikJIIro#`Uh za0FV*aA#Z5T`322PM8}HI#2eera+)nG@X6HAt^UgbcMuwvO8*pi5nLk7d_>C7q;dj zn*3_A%tI+0fp~p*2Ymze39Ty7 zw{4W+piGLh?%HY0ao+34Gua>GwezCPyXc7O3?X7T(dgH_eM=kip)p;-M`_P(CFg9` z+3VLIMywe-W~J_?O2}xVD=FLSn8(njGBW|PV=jlG11FRzRtHaT$NTEin-fepPkB56 zw}XpiDn>W7g~%Au8R_}qF#aBimrgq>&n|0ZtGXWWZ{r2}y1cdj37RD+_BDF@N&v^I zEMnek>AX!D4h z`sbUbRSoCekB_bx7fn`{8NN8WH7=&rxWY!7Is-F+4asQQbLi{+Y`bmB!1Jnt+Uq#G zb-Ip;wX9fr;N8xwolp~e-rkVdqj?p;sIeYcdA{q?uvFsOxh5N2?OlH@S20D)3xLlV zdOyfMrqB7eRu=)XN}IbD$?j(zWL0lW9LtLuLNDMmmF#U-bC%j zFI~RBcCG{h#c&Da?Ta% zXj+{ahwNQd?Oaa+{kTb()-LaSJhs2t#fnmKEtV`rCbhkvu>BgzH&=dLG&Y2g+CGYX zX}}BaPLMsMgxW0LqH^ zv82;eiyMXP2punugV5eSGiH;D>0x!wRF<`saciejNR$}x4+RKBeo+bn=4FG`4Y zAx;{6vT2Gm^b{c z^bBt#@LM~(MV+WycB)#xMyYDCtGlMM6VUW6$2}d*rRAlaqqwvA{{IV`|B?&vk4gR|Nb+C~VO40h6RD>`97E*mA5wWK zV@dRLVqic1Y1n^{SWW_uA2U+0TXctmB$EK%V33$neW<`6$OB)Qvgh!E1-i-1KvL%p zC4}yuK8A1^gV2KbSYKx87!zlYG7Kfs&{itNkf10egP+#;yyiW zyfj1Qn-YWm;42FnPFgTwkxZ(bxY25N;f`}8sz1Wy94UhNlC;PXo&x z@dqHmT0nvXOzRf4mZb7vx&PM~`IpK5Hi*nxIet~>tNnk70MBxG8J$RnN4FP}aKZX) z#{CjTzvVxZ_fK*ECq@AO6GZ-B&;WiL|Gz~9Iev`AX`}etXIO=Veh>?)!HTdBB#Vw}1ALmJ1448q zqOX3X+8~=JUetR?cPOMYP-y!m(j0*YE&fmuf^@wg4LAm8%y)OuLLNzoP<2UN<(?68 z19O(n3dq$R{vgs|%FX9lJ8DX{EAra;Ezn_9xqt=7%1}1+endihzbNFp+-dF`eTT!o3_ZG+h>Fia6 zkl#*00JQC3#qQEWm;|afk<$R`KYF3og9ra%Qttf}u;n}{?_7%T-<+I4#B&Q5ef%Xt z2%{dB+x&NHGfr;n-|phv2M@l>1s|kL@n@RNepyt;cR0xG8!ET;Z*R4;fYXsa{vQVa z^C?7Ph_6wJ?_ABf@AI2Ba7&zsz8_EO7n1%>95S67Y~tHu)`maPOazwXPj6a*E%F;E zH)H>F#~c`nV8tMn@IRRh!2WM$Ti+o?3F1r0*k3rgLBhhHzMKP({g*4-?p!(2!;)#7 zPI&sg?~o<#muxOPD4ATNK${-RFWGZFNt=RvJW-Qw(l`XEy0AkTkQ=v#6Xo1riXCPt z_GG^)S`eq1e*=dS_{J?DvJpHk*a#80tZ(`SNSt`0J_W1KWqs2KwBdhk4%HEDYepEn z>6Rd22o!r7D?sktlp6dSA>ZInHpkx-JxCaH?StJ9z5&V0D6f@ZpL-CX!V>Y^6e9@W zn-NkZAUAH)00W}`>j9(RR-g{yd=e>1Y{qr-w0%o(aq@HgFAFI6zm5e4GqAdt1|Zxi zz8i({;2Pbva>(&Yi?8C?bJ|N-AlhwkeD9e8wbRZ7{Ejs&e{d@#ym*JYcEq71?83%> 
zfYDxacASB=wi$R!dxOkox9ZQQ^D@~X+AP4W@v%}-vDUBxe}|f6(#!4lFBxv5h2r~9 zG8@a>KPTtNROe9KO)Wz3w|gk^kIIAg<+RZ}6Y@8Z^JfM>T@(J}X|i2wGWKoe3P1e_ z*vVAeQT)af*4iNN!l3_ceh_#2!b>~D`&(fJFr_5xHR0RbLdCzHguR>er&KqzZlvOq zcH>)5QvBnwe>=E!rm(pUaFIptLEe=?e}g#S&d-ubPmE>hZNL*CX$_0??I4|_%}8yA48rbiTEyC$zuQ17seA*KGi|BPQGRCS(6j$I(2F5MqCGzGVzV{vU7# z+u(nkF@!Hz34r#lfVLZhO|k?r$(=>SiNW;~>$XfNL5$7*hc$EBYwRHC8uY(Km*85G z&0k&?#rb|$JHc+Y8~oeLU{(+>15`N>Hyi)$W-zsX-2C6<-1!H-{!7Mpe1ZQKV~7^N z@CCMr-5(bDkN5%`=eIHcqmy}W;RS$KZIDo(;a&STzLNgJ7lhY8_!|5RUtnr~;Oqa0 z^DScl!uenL`X6Mx2B!53UU`CR`F~&lj4V@ju+4zqz&7sqOQ#fwRl*@@7lJ;Vzryix zuHUbU2@bfj#lMUVCiXkW*s1*GWQZVl$qN8Sdca?%eg;7|1*D`vp!xU@Cqo`Ui2c_> zgK7Orn*UZ95-e)}LiLSCz+EMR=nCO<<6;?X9TdJbuRp{BCoZl?a75lL`yuhf^oK1W zq^BV9OnbBFg5;l;zibJw+pRg#ug~SHKnl`|MX8`Gv0Eep-w8!?%-7fj+oUO3;>X|Jvjtg z|4#Otf9d23DZavx)iwlunLjqQJ!dsS|$-4WacrXWl7%t1l!U4?s{2{Ff^IaxtHDJ;B>SpFdRk55dUw zmpQg2sKE&u(zHUNZR)RZD*F`R)bdMV;0rI&Um8QG{f3Wm+h36k7UZ8uHUD2`fiiF> z^{)y9ru9!8-wF*t_Ef-aEZDmcV*h}8wUODsnN-q-)tllghZ8IM%Cf$Zu@$IgVdzXh z>H!`*fo4A(^Xez?r-z#T55S*hwE9OUo?CJ~shcZky0X1As&eon9)YgyQOP()Kw2k=Nym&wLVl1m5sI0zAG;Urubz z&R?Ci?ON%$jb2Q|%DVpiu`&B0q;{WA=M;|V;`?joDcO}B*ZF}$w5mFf80xTeKje*cl0_v*Qa%^SFxc3y0sY?xkFJe4*F*;_~(HY!usz6pzq9s{Ku8DgZq`- zsVkKeea2T;_ZBWEcK7uttmkza8;F^{Ys#F;e5nUA4$6H-}2+p}4( z8qd{b_=hXp=Bs|T>8D-@I%f2&UHQjdT#;^u)^0s5N_|FpE~V%`I6-h9aQk>k99lLc z)>N7O{KPEK$MST|*7Sgw;C z-%XM7Upahdcy_t~)D-2f0b8I*GY6;5n(Gs>B4Fm~2e7rpomjW^bMc1`==}P}THd+o z)6=Y@q7%jwmpbOA=Wb2F7x%`v_^E|Qi9)K4O=Fl<%lpyid#)AN*9{FGhx+HMUw17r zvN+rn5{aK5Spva3JI9@tfU|w|NEdK={BFmx9aO`jzy0x{n!@M@J zrTY9K>GiJV*wNRmSX0HegSki{S1ouLjS&b? 
zP@QB@P}pELzy7_0UW+UVrnngcP3)&y_Z|vLC?6II|JMNU|L;6=BYy z9LXC(Lk6L%61J|i4hIGGhy@A?_0KubA>olg2+{4Nln_GTQw$W8j;*1&9WxW;uiQ&$ zm`ELIJT*P)_E|j#jp2`c_tEOimW&e^1WSwq+^@PYQ;C lf+GCaWR3Wn$vU=?+@a*R!f1vP!iXhAI)zdr#3n)p|37q`7Y+ab delta 31177 zcmY&fWmweR(?$fOySr1mTj}l)DT$@K`zJ_CcXy|BgLHStf`oKP=faDBpD*vHy{^4x z_slsn_ryKt)U-qAXG5c^$iIcbhJu2EhqCzSp&g4_f${gVjFL1F@y+Yk&`?kqaT(Y^ zQ0%x>FB^KGVgH@oXl*p(y+u8)gK=8eLVV!L#G1Ul~aNS^;AaC5qcRz&cuzt`jvTiY{f zmO5Xy(`G*$N51hBkoBqV9!Z5@*>3eER8s7%@o0Sr)c-%Sy6ZPxaF~A&%{_#KkjV`SN=xM}6h2hEe+D6N++iEP%9q4_r;ROq z&gUlja~SWBt&lKQV?kU76&?TY!_&y+C653~2Ek$u_4|T^-)_>!fZ#Oo25+Ck!^W3s2v`#v=3w5}_wi3L07-tXJG7j!Sv@W4JbQjBj(&=d z`MA0V0iTEu{sdn_d?8oY`tD7Ti#^dGK#lCl=kegO^X1o};mhxu=Q-cw8^F_4^vg?o zob>Y|U}=BW76LxGF}j$uef_VdX;E!Q^y{vJuFJ($;B?gP>Lnh$caq#cYujdQZk~+y zWLaCiNY>U?wd`&Sv;sCww`A!LQ7F7o}|Cqy6!rA0^YD&g_yg|h$^nwsf%u$ zpk)I%z2>6!UGD`wyJi+;fiyGkrlS|Zd&*AI+B4qCHpq>^bJoTYMB6X(_~q1|tZ(Dt z?64@>k4UmQUkD+dOD^MG*v?1FOLAD>Ow*6VS$tB|(HNs9eY@<&4*~_rkB~;^)S1cIGv;ZZ{CQS& z$OKzj{qV^Wzr>u84N&Nyqa-FB%ctW+HrSIDn_V+u5xcesmY$>)jJSM5hMJ!>@n`@1 zy#X8k_1EA*<$Za$eA1ae`v{jQ#MgmA8*FvcY;~3y->sW53udvFE7liZ9$1xES>u7? 
zXWopAysPWYIJg1hwdFso9iWYsu(lDAPTyZheS;9JZ}!U{Z(km6$R?G+rVlOFejRP# zlb7FClM_R^I2QmB5>!MuO}6Q}KYleVunXaK^SpFiC$ z{*y~;Tl%N+g-Z7{+izAiE(OM2#xW_tnMSMdnSqTin(RG6Rm6kBW|^ObJ(-B&v-9JW zqTi{X$!NAMM}N)!bO%)S|n~`K+`tytbklgt&iil?E z{kd00Amr!kzPNL?-8o>pz>XmH5mD?O>fS?g$e_9Np%IBz!@B$Wl?WyQzU2K^z|EaQ z)?nCrCGDw7s;STyxX8xirX6BIT<_{95$MAB6Ml!*eEfWW zcvw}QO=_^Q!K1ticB=!xHfPmVb|U&=f1oYxvs=x&d>_27=Y;LDZv>sXe49aJY_%;b z99F;GaAH#;o9g`|q&%2I{7l&)g3wx+9~L$2c`QE%T8n+>11Re4tkon`CAO*#E*wat z98*^Dr3H^YVx>QXeI0?eVD;O)+`{X6`F=*&Q;N62|HMb%$3&>If)=l+Ky7fH102qB zjrHx-1K*a?iEdxa79XWLDxWS=h{j%UB`FLbZ2K>}A7y@@$ga0n+nl-juUp@ayLT@3 z!>(I%b%Gpk0Ppdaa)Yh%wv%H07qS@+Yf?KyNNOr*-q`N%vVPQ<)??llRP$ zI_mqn6TGp}8xR5AO`E$WXA zu1p7>nK}jd(Z3MGXtbGp%(~J>mzD*j={XGsw0B(J+13|NZl&A`k*d(02X(`yprJZ4 z#Bw&<1A`r?yGU`t_vYZ)#K^U)x`<`P$m5iCY$swJ6?j7Dy3+vDj#GH=fzM)=7%{Gj zoN*xjNDHE1OS1-@tL-QPR7x5NMxwlUy?sfiO|q{$dM13bPNzsiae4S_VZ(z>^E=y* z%Y7qC0VfZvwM;`j&l|_#L5}g*Ml4S$C3_+Cz`kR@TyGand6A<_xNyFTleEP5R~ccX z6yEs|F~uc06p8}4TYX3M-cs|Pbiyh0WX${ZIdm~AcnWTE(?WEv-GWFS*Ek+(S!*Q} zej3lt0~uTpyRAi5)zQ%ZejAv8UTPDngc6I#EdfATIYe$!bMyIC7}Td!9&kLz0JtVh zGz?^Q*OKW>72Rl)$trEp7A-pu zCV=GlgBm%ooI0OcQf#m>UZ9k)?+Yias=bM%jnduuEOnesLfEjZ2|J%zpCzt5diW(8 zk2Zc0RT6P$^>d{SM_TCcqD}2Kke;=NAg&RtN)LcC~4sC(;DEa>DUv+qEzH)?BEr7)@?>qe- zu7|W%M2@o?-FI$sTWkq1Vv6le)NQv)@&c<&_K6*?PZU9p9#2YG!Z`n-2H3$UXhevG%=RY#U9luz!SXvE#zV##h>d zp)sN=hLQYFgw)Fx2ET5%`S3K7e?#_C*$M(5EeZi}Oa>u#BzS);(Su$4;@uY( zU=d%5Bl!_JSbO7#*pfGS1;&76aYZ`y5aKy6PVBZ!`vX^UZV}(GbOJi4K6K;#hH;OC zxxnTDb=-ciah z79FgvVK~d-XC`&(7zT7Tv4UC(0d=6jKq2<|O-c`UaJ<51Cln}w&ASM=TyBozjn4)c z=vLe`=?%TlFF3Lb-TjsVFL(ptEO8^MXMS$8;UqzGvcvH21R!JUU`w*_76sD08KN{U zQlYS<7vM%csqz9;6|(R2jt6Tj6(s`SM?IX;c#^Y_lK@3{e(~f+^_3jOnCmh8e@=fmmRXq>NQ#PF#VV^@sss z7PBeMs~D}AT&M<*1l{=9cYv!-6w0!7z#)zcjE4>b`Cv>augnx3R7__{d%`>CjmI*% z@pN6Z`u&A<9l1gvwKE$cMDT9Aa1p<5)R*(1X48X$#I{lS`C;lLItpu6Y;BAU*Pm8W zlz?;XaRY8>YJ}YUZVds?+%)+YGFM-rM3mv&EqaTVbX|MTU+78!-XIRL&4Z7DbnxtZ z^wF~II_g=ZeRba|svY1Ajs8L68PU7&J{b5aWVnZ~)Y(H?`om<>;^N$G5|$rjk`%(Y 
zB@!kG+Qm`W;djb;P$YZQW!58ih8fdCcUP0L%~OGknf6P`4^(ZRcc%SX@S|17U}t^6 z9;L8J8la3wq(*)@dX#hA8g#F7T+zTFQy7u01M&1Ph6FETqY+73hqozvm9sIe?&-M1 z?bBS;ZlWhs$c6f$#U7#W%88re2-Fs8K2UEm$OO^?N8CDf#VPeRwkAm`1Dr7x)QGc% z6#twv%&Sl#1o)a^`MT}6l1FG35;MY2i+@7u*=89!376M_4WCWx6aC+9)+1laN zob^-AHcd4-J9VoagO3e&=|`6Yti5e1Q-+V&z4olJ^eN-QM_;76AfL}>4yvI%)hKA2AqM2M~ z?HeCcIEXScIUWn!UPGMvWh(P|d)4%Om7fNI@wK}4S+GYA^P&61{jJ)G&-JG>(KA${ z4xzDTUq34WrTlGI&TxszF*7&7?w(9TF z>y0i=f!|muwMem;l!++Q_kBztUZ*`iKf!Fi=#y@`)ALN9uKPVM^ix0b_7(C(+8UW> z{C3^M2Er2G^m7*RGpf+8nc^=7KiE1zUya!s#vdgaI7_@Sx;M$I=w&jB#L#mT;4x0n z-w|Z^)1OWX-JPtgkL>vB0~%3{iBn&;$_EwQ0V2F)8J{3=J*hpq&a|1m@k?=C=YY~P z{8DbPIK-umhEmkc`LT~v?ofK>%;gU_dNsuN_Mmi^hN)uAeE{m+ZreuVq&xVu?D26M zoP=V+cONBROB5_2VPu@s1r|BUJ`!{?)sH;#%LO|)Naw?-LrlkEG zi^9vpy31pi>$SZYKF#`im+O%|RYta5lX8=Q;2#s_=Zoi`=)uza#)v6SN6t(c3XWk3 zx_o`0om8hs=%S_h>!`WtXu(s0xDdOS!fe4>VE5YOxPfMZU;rs1KZ8ITtnS=)1Q(#@ z7UxMILDW7k5uo!ET}Kj#djBQs%^HoW*n+D<3)3)FtG+}YTU9!XZuPQ>1&A>P7WtoZ zrj9Tn@j21O`U$G@zdEM|schBDhB0Hx+5ePr4f8R4RVFabX5(ncohte&Xs2fL(wqi0 z1sgdwQEZAE7c7u#3yypL%B!{gppe8}G{vf3{D^K3q~+BhX1|)c?@fHb|4hx-9v496 zPWihDE9BMGeVe4&r9M1irV2R6l_vz033&&(e zKxb^mP8?cFJdmfJ=2`$T)iR#?jcovJG$Ip!_l|Dpzv@}ZV7Mt((ByJ;_%-~XIXOiu zFSEXDlVtl=&sESLS1cUlC_u0WMoH_7DT>8VB5)F)lWH`|TKkj9EoHu$KHTN5d=w>o zrcG9!exE1w>4Rg+u#J#vM!;V35P-?Yp~pIEeh&9GmvW~zCwVMJb@k1N z3t`WbDm6B~m9rtvxJ<7{21?1^M5I}wc~bNMCnFnA>!`H+&zExngz({Ra?>kTH!QI< z5{om_Fn~)-7^Pbw3tHr|lG7VCdCq8)-)rj6KbN;pBUf)em5x{q;+OSy< zDK4%#r6G3d1N1%ptxgc#0%eNG$@!1A#XR`}4 zerSt?KiZAC52&LOUfvMJM{)*SQ?0K6|bWz-H zhzU~MQDZfCh6I(M93DFIFMN7WL}Wh1r< zSgKw$^AcWc7*cKD28QI<@vS&0nNn|n0P!!Rt&@r_PD3;oQ?FTh`X1D6NVt1PSGCdt z=`#V49`JZp>1uxu(`ZTg51+k4GHS;?>n^MQAb3u41^sgYw@HE!g;8g&r{R0friH1< zFBgLUw6!1mo%lrBR@c;(s=7Al#u+|%#})Of`uD}j_-c*6u{XpxW%ATfYVQcokTRR( zHE?C?r#@UA-M09ZDEH%4o1_q<#cBe_GEvo>Y21#OG3|vYtcu_m$|_!JmMu5%oX&#E zku^^5j>kU`Jb(72864bT=U?}=iC!EL7Fj0UiwW*u=iIcoiW=V8yCvI;kKN+LKx&gK z(yq>y;Q?)6>br<_%%yo^#ZkwienXEQuC@4vmOqm5+mX=@x3HFv8D|UdiFKUhyy1RR 
ze(@r9@0&U-YC4kE^O<6f%&?vD7cJA$R*-&I17TgWeQUZ7OKc(9E0iZEX7*(7+hhNL z8|~b+mACPyPHz0Gx6s;i|JVzCnR|ru;odW>yFgY*3mKB5*vCw>(RUyA5?}FBM^7uH zU`V5;Ne{T+G%|p3wZ#GQ4hQEw;AqFi|F#2@9yH^xTeN)LB3hPX^d!9er?F!U!{&H` za7TgxKGcWXCz+pi;h#09qs973ug0EoX$d1Ar=T9~k0-pQSPe`9kO~?GlVz+!#PtTU zbhfjX1fSYP&_Ap~7HrN=Tb02$>4Kz^pA5l^f(F}JT?ZY7z{L9fqhM{zs$a{4=d;_5 z(euN)7T&>?U5o0?Gew0X_)3* z8JRW}TnY{9-^Qx%S0W85F!ap9=sgDxX4 zr6DXBm7pL+fypV6wcGMOWU|O|>S9R@ui9(8rg@_kwqQ`d4+5;xZNJNl`AiJ61y`dQ zD(4_(aA18!0xewIpU1Uu6*6kt5?izQJ=O3H>})w8p7kBEJ{=`>?48p5KDX62YM%Av zQQTyD+E_dj{2a7LyXYy-4(4a5*KpwD$^4a+`Vc%9+$FxF8qSTH9@}ukkvWzWmP<<> zoCXy{-1H@!B<*XUu%gk=>oiGH^j1p`0YqJE{Ly*Y%z}^cI?igwB?w>trQ^|vWLolP zASw;&^{A2vZttRcq>V8g0;9hib_^1LS$ApF&R+3)eyh~c)R97G_~FwZf#A|pbe;Yv zjavbva9Tx%u-*zPu48(J)|5Cd>+j?WM?&Bwk`F0|sQ*%?;fHFC+dILc*0$)AbLiH= zz1qu!Gv1Xw-&0V5=={^>YKO-Q;7Poon*P!EOsjo&&=Vu9)vPCv(5jeV#s>8MoKdHlv*9Fj-uDa=AV6Fk`48(CzIla+6NpR@8YEqAI%foPR4@y+0j_ z?_KFWK3my5a-Lk-My103CRX!UMd1%iHotBIe06Gfgh`s?b~Cv?<~v{aHfWFHzY_ne z_jQKk*#V3;O_aU5m`7qe+zVADcyX$5=+r0rR=6L-YLIj;ljX!QQ@BeF1qFLF#7~np z#x#}u1`D5P)q-a%aJ90DcXACQh$YZN!T7Fq zl%iy)wgl$p>0)L0gfD}|d#hSDT~3_)qkGKx=>P@F?1+nb_6uc&P>~Q3mEoYu8>qh< zfGQ~y4brHDv0`Z-`8{<_iL=&D4*-tt z>#SKOoobJI>wI`Uj^@qcWKW}@zAVe6O(OHw5vVT`KwK1U;-FE`zfCb3OGuW{2@%&F z$YMC!h-8@Ldx=%#8!;i_+?ek|PO1AxR`q^?Hdqrol5dz^W%W{`3r6W8+6Vx+?Pz(vrH ztb*D=nYhVoV^`!fs|JHNE;m&*fi#56MU+g+sP2p?<80Iw#)BIX3F6dLMI^-wjxdUA zAI$8vaShw?;HwAuxV_E*z1B~UGM~gf7#=t5+E}&B1Vk~ql8?v`mv2acgW36R&cux= zA@$NLYWJqwCT~H>?mq9(3S;T5jxuox9vyYIcdl4$8(a$bI{giYA1w;$Q#{cAc@TZL z7tOl5yVKJ$_HRd2I!RAr@%)%D4dI(M?xG>Pi_52N)+eGQ{qMP5feCaR@^Wrm69bVP zS8bHH@CGF2e;B_{0Kb~LdkEb!O_4|k6xH+zBbd3mmHDH-jYdyKw>oJ%goZJZ9D^x7GUI>dTR+95wTU1L4|y39^J*W}Id zXcCEVq|OqfftJvk%ayPYXf0iAuaP9?R4-9PRHJkKxRumG2dLupfm>_Nk%Q!5{?!>1 zoCb0*hgwJ(lbol{&7K39#P&AWWY=HFj6eAa&qW(JnpzQHW8%nC>R!Uj$(W{nASi~0rWTM&j4ZGYv0ekMyGtp>&|zzO2zgJT7bK&r|IB4RST+vt zMsK(E1GV4R?~y2ZmVb-7Libz~IXOvBei-H+3Cu(M+tV^Qca*NO>BcKcycNs84xTeg zk4FJd6&=lR*;Kp=I{p)UrQeDbSXE&GS0u8DVuf4&wS)taU|GvwzM>-@qy}p$p{)f` 
z#yJwHi|iI9@2p36I3ciPY2rkI4g#b%H@n5Ep`!&V^`-o?_R#|br$izA+nBXTe6KA` zg8tRh7l+{YL(bO+c5PLjoIB&{9jl_k-%A#^XB$B;ZB$3qW8lX=Uh>LzM>j#>Z8MVt zu&NCmhx$7$HDu>Jtk~JX`Oovc9q{O}I9zjLfR3u}J}YLSf-IIl8@NzN;$7Su(Px>3 z`PrVHp_Y<5U9aBKxG2~4+XvAqsaGlJzg0-!E)86+UH8C!;I2qW`qY~2$qHQeF9?b2 zXF?~^ZHbG-80eDS3#(Q2Yk(CY+)t2;rC<)q)j@3|zDZhgbcPzYOFhiEOe-dQmC0Z% z|2-kZj=n<&K1JLTtI0ZYB~qH9z~Vo;jc zq-YtO?!g9Pl5awq3(U*u$;ryi5Pi4SG@IHU-w~XRWsL}X0uw)2rj@>nf#8BhkPlVN zrdUkPR8nF(mw8c+(y-f?dA*q|+n0CRg)$N^b2;Arn+`d5CUbmioyUUPLo2{jxfi3o zfpa<28}#Enc?6nnq;eDY3|C5xLN8z~g_8V8mMgiiSz4@0D(B6PkiJD|Bjtlm5N@$X zgoW%ld1zQEF29QF&eVZOk6Q1q@6X8(zVLkN*qt!%SQj~~tali8Lwsi(gKHw1(fQ@4 ziqX$?n?uRAQfw;)^4dJqNZGz7`a3wu6?>H_7FwV00at)G_Do~F8p2%4hu3KM8VniF zXHry}P26Kc8%yY;H^OTi*38e4m-J@Y1iDuPB=)2A@pZ@=Z(lxcupcKD(`aLiIC# zIjpAvT_&1 zDA*vZp@$ZA>oI)!2xo?!6x`0bGV1k4Bt?oOfaDDcX-UI>HR089VM7k;Ny`K^orl@@vlJTrqg;-E@f#fN@ zzk%X*R`1i(Kx|B|pT#ibW;5xij8sG?Qo`0^WdTNm>w~EzNjMx~gCj0`NL3VY6fso* zj=46Ak7FC#Vp;v6Sy)Hgs9Iw2pGIe`$$9>rpQir=xI=;l8#|9COiEzg>HA$&`l1rv zRl@~A*9p|Rw6BbMsrL3T1AFB@d~(?A;@_k~?Uw>z5ger#XPLOoM7z>SP9drw3}@sE z!grbjQ(@9URJMo6pbUWc#eje@q()jT7`MzJSD)R6w&BwxZ|PxCTQz_K>ph-3DyJhI zP2ucgS|~ywi_+`jg5V%9Um4%>ZMRaeo^|w*Q25L|>0_i=Z0J_**FK1Z_mX)sdfZP6 zmV;$6)DDXc^8tZ^=gQ8G^2H|i_7u5ncEv0a_p#pHM=n!$Yi3}{bwWm|`6b&rf7c%J zr$N7KXfT8jGqj>aTzsZaQL8%rt0_hGTZPMn9m%n0*8LtK8};4JPqP>db20xs_A01f zUR=zug2J=A=c30%7Y`Q=64tA)&~G4(O`XapP9r2j7{!^o96)XrIs*G~gQ{igO(1!;3~hLasJxw@zC9-4oUJ=*H^Isa|`)`jD;m^XwUJ50lS zvrIHnhj*V|nm(30A(F`0Y7_bGs%GceRJGKNyDE1Y)_KP(9;Dtf)2R^*?|P(sUnNW!8*QTJSdVHpvJfK~w+qI6TOcDn*%04Gq=MKm>P5>NQOeotCU(_7|k#us?j@TPaa%a>a1e*0PTehn#>s^49_t=5LeI`Lc;C0&KZ)iYobyUtCu7NVI!ggN0xv7B(Rl>PE$l4PbDe#j zN;v~?l;wT7HMzD+x6>51^`!`kDev?PT;(nP&R0O~(NU2ESS2<7|C-LR{lXeqgNho@ zH=Lb+mbA=V0Bh^0Rj0}XO1}#u_*1mUk@5#|;dS)|z2)iO2gV(ptyUdvC*{PS$MKx0 zJML3(33cE?)Rxl5CkDANw7TlE14(Ee;ha?EILtifc~utz@tr6&=ToU=8lL*e@#Yff z)OPcocHX9;48o?X(b3~E>b9Gq@SP0PBrrQzjPBTgfbXP^?d50I6e#U&-xxynGO&57 
zH81uaPd+?#?BCN|!C!Ns{~fW*)2`xjnCVp`oXmWkvo(nSGS@gI7pgSNjm60Hmu$RmBA4(ccmeJyu64M`O#>Fm9_{A1=T zD8NNRYA|GjD*=~^>Oh>e-hcH0Z1Ej-W$#KsO=Fz{z_R$ zOv4kt{1o{txbz!3!$L#6r-EU#*s(%GDMt4>0f%ne!=0 z{vvs#9E~Jo47M))V%2h4vF8gPSvGP|)*K?ELt7YXfHd(k!OOPH^1~o;{u#Ef%MR{qAcG%^7_d zAha>|+$R;e%%k4!YuMgw2Q0?FUQmZtV1@`WY&9@?7LIUNYsjurQXB>H6tHSBj5g^k zBGW4e{BvLH;AA0&`=|@*Xp^?Z2>Wpy=ZQ>3Q2?44B!qw8UKIF+9xo?R z_{{z@OB43?c>+`E8?+PZ?TzA~eeQC*q|X|r!2<{rK>;k;VeTsz$>?s~6fE(VkGB!F zyMHe)WtL5jzGT;fx4}0|O;wfHJ_84jlLe>FCBv2)jO43>N-p2QI-LBNC5r(=jE?&a zmTx@Dag#?ZYU*jGpHMNPMkx^IFv${aA?G`LaHT6IoFslT+fnN&MDp# zuC>Oi1cAnlP`SvJxJO=SjJb?8;+sH5D0FNJKm=D)LSMbHoxk~GRCCkCh?5TTL)n3O zPUKz)Ua6`h@CE_ZF*T#ocT1;yY>dY6j@0%U zTCly-_0`j#oIJ|w?d?pP&}OQ3hONERGW&(m;NH%jM52?E)AOq5k(Yai$EBCp?XL1v zKzPlE=2pMMWU*g61U%nL8?8N75O!iqQ8gdg;J}S-&j91ZoxJDlDDr#Dhp-TqVQW12 z>fx!PkigrxQV*qH_a8r#S>Dm7JM4~a?@7EmK2Hh;y>GvaWj>D2PR;JiI<9W~;cxtD zfCuu(4D--=+WGC{rGlAFVXVswC!q6#wTWgVa!gkEQtP*oDL;y`I`B#X zYSQoI*ITv+7e^*Qm^B)=6}k=$YUJm1y!6H)UCe%x{CaK_8GQ+ouzWZDK7ir!@Yrh( z#%hlI-_X6#({e8EtVH#auQ7dQEu2(ycjA4S$T~X*70@Bb%)wumqm7L0buNy?uHzpF z;h5VV_jd?PR0T;$M-$uB{ciBhseNeGXbcG(3rPC-Rbkc#GqFj>FeDN4t^6uzRG|Rf`N1EShnqj5Q+aUSBo7+?yuwFS2cVnowkmlv*%!zBI@l_Sn zff*j*QEC1!h%FDuHz)W=Z^jMQfNi#u)@3A*RPKf30gV+}WfGDM!zpnydNvMtOA_wj zLJ<)}Nxyj0V*fcI>uXX1`J!x#l7jc+JrWh{!{OV)xUT$zR|R;6?2X3I%e#Zb-`z7e zVdP4LvS4k7^u@$rLmCw(?4q}4fD2TE8)07;P_ofrQx}9zkW)u?@iN)YypF6ItK{S_ z5G{bV84=+I#o;0rH8G-_?ACGTxWN11T_NFlgK0kh6_)=7aB&7JRXc)KZ9-8ew6eGC zQTxGVQ8WJg)Rkw^$j2TUpCx#9wPx-w6@+L+wHfY?c?Px%rm?uAVC*DTQTti8^{gbM zgM_%NA7Z>*=Z?f|7cG+3nI<(>7+8TvcF)xX-{t6G<+5XG!w2;w@2D9eA;&GOC&WUT zQ|X_*lBIUaBxkk2^l>A)Dwm}3{0SqD~?`$t>yqD_4*F8=3NgIZuU?*tVJW1o4J1R{&QrLCm=u&oR?H2Yj3rZqan`{EV z2zimPY!MUnL?#1(?-sN2^ewOa?ZL8KRi+QQ_vp=!OkbyBScAFIycqZEw*;Nyb04I< z4_U`)gt`iXpej+S&s;Y+14m6C|pZ`L^ad!dN}=@lWm?-WIuCfjDpIJ5uuN=L-Xh}HRMNpRAr;MREI-|D*W;lQ zBZj2KdDogq{VMAX9`T_Yd97UjEUU+dMbBgx1cYrf#eIQrnGRX1xH->7n=}+}zhgJ7 zxs(6eBD^*Erg%STaMa@xDQmN|d(z8NVb0j7kP(z};FkS~L%_H0R8u)J*f8qqH`6h>-)7DONJNpe>(=YD@DXgK` 
zZ1JQ-zb8^%0=^eV`zUeZ^&h|FKs%JV+h9u9-sUSnEgTi1Pzv&h=%Di_!d}%sWAxr? zbkw&GxfbSN$Bp)Q{}D)xFG&%^mQ1>z?8E&|zvi=qff>+F;b5`8A*3)UyoOrCN5MfL z!Eq>nDF*_Xq(u)5HwCW27NAv1Yv@K5MC-1fY#iII0@~R(_AJ*s3RR7emS_8cl=j%k zVQ$zF6QL~U+cYNxPvqD5EUZg<31-|l5+_1=5D3b{4XscMDJe9lp7m1aDj3QSo-)IV z6I!p3CB{kjnhn-ZE?9tt3jh2M3=h!1Xsl$r@=N+($EL79g+-+Ojk7SQ3^HWWqBOXK z0Imcg$1HY22X0OxWVPLb5f&jGmjJ2x3$|m^uFwGkk{j3Xdi=y+p|I}e5kVUYJzrBN zE!imYX+K2GlB#)|CQg!%Da$`zg-tb&O1lT@?a2=*y!ugT@mS#W#7P!X+?ikx(L-ld z_HFh(?l%?J_S3B1Kip^YH(rlZZV~C90gAR&zt)BYjhV@E3``BX4}ULl;wYkn+WlFU zr@mgmeTUTYIlg0m;hXWaCT!=v7JujUYqkp_w5v|F>F6-o8+h0s^me}6m#co7 zM8GZ^cOWU3^jMaG%Ba)aVMIwmtmV_tpRcDIwSalP(3!SWH?X5UNOKy2yIa|sBNFmG~@k{m$7=qb!ldRf>j&4 z^i`1#AG+FUAgF|YVhJl_S*?BJ(ID6s;i)?9X)#|fa{RqQ3taqa>$?8(poRWvjs*PQ z$d3`eO=}r{9sC2tO6!7EZwjV;Bm0eQsa|nW;!DdnOp1T$x^vA_Hc+j}rT4uTTOXXJ zzDXiECkwfe{_~m>nMsK3txe@Tdkc0hAUD5O*~{)ci*D4=ue3_!vs;@IFSE#V zCjrxLJAM0I0JB*9M&7W$b#!wqTv$bD0-^9HiS zY|$jNO2t=uzdubS6}{e8mbtRslJtYGzQ`A7(p^Te^8PQYwRu{4t2MdpIvwxwEgtV~ zTbLB`dQ}A8Y-uU6Nv-fg2;48GBE+s)P)T^=#M+n09i=zMvww^dG+gmLU^pX608R9Z z5#4O)7-~3OASH1TVg<1EAkaN`nkquaDBEpOb6pcj7XEEdC$HauM)T4v zL#)}ZUQO+qD@1EVgGM}b8+HtyZ2u*3TA*6gp0bgYGxeytNrSM6Id-=;4U{9uQEj4O zJMSSEr-By*n>ra0o=Rq>^e*JPnrz7cXA#TcpHI~O`w@g;-(9aNNr4;Xw~5DTxP$f# zFGR&oKWdU(tOfL}WKo)fzckZRP^;j%Te#8a4w-65L89R((kVleI2|cS7*l24>7xi~ zdc3g?*yt9lOOP+WAl-WTB7pG!cm4!7am<4hM0StO9jks1EA~QVwQ5~&&X@SbU3S`r z&i}BgKT^j5&)JidtDdwc%bF2A3rkX6cK9oi{TZF4!7 zIoTD|72T~X6hbD0h&{+%3%OKeIS2OS0!A0SblUs@+|L+rh4n+4mpZZD9_{IA?>HD~ z^K>~*?CIArW$0vSASKKMgj3>#n>*FKU<3Pb6T7H(f>pH^D-Ut*#~}7EYzpXU@Kmej zDU#e@7_~=*6bB&f=g=`9`_m>le}9Imm8V~LMdb2wc*9vIR0e0?Sv{1g%5qW6oyD6W z;*mx`U?kor{x>yp-0QOdYRaPu7MWU9o`hv@g2=^2Sn_WpJpVxo%7bB*qv_$;3F)iu zuY~Wllg7M#BhRNMB`kHZOYHnyy-BfUS%%oLD9}yM9jD{tQ_X}O(q%?OWH1&1iDUTK zZPo#&*LIO1pZTQ5iN?x}8Db&bJBb89gyquhV82D-rB+|AjR^S-WkOC1YZC~hMF06R z1&!C)K&&1vqG zSYsICOrg*|P5}jj@p@Y0x{3jO1l{hZFbu2N|A55qWjV{y#B<`*x32~0wS-N3Ms$Cb zL&P{&!Zhj*7x&s+SCZ4%Af!IN~c%;Pf`o4eXlJ5uZ78{x@(9=(|htj!G4o8H5s|I7tCZQ$ZosadeLf@mS0#S4m7E 
zBj|@pcwsjXa`-C+Y^p%}q%KuvEqZ1pTB&7bJ;z%RK{!3$#V(eJ@Eom|(2CvY73PY> zE2rru8#6>$pY-o%ux*VzyU{kplMujO?L56f<7{5dWeJ^PxE$X zgS6m88FW5j`e#PTUP)JE+d=K+Kf6{wF8aoRp(-r@SUEQFTDH;BG?(^|_@<4A=CEG^ ziP6ap*vGS6rZ3brG7KQnurat=CgzYUpZkbFCxJ1>-yLyStiFs;Jz7P6rAQ|8nbUQx zrf{I|B53W-EiHjI7_YQRCbO>42;JKGSLt4@Y}Kz?l9Jfxw_$ujqYm!B=|w#!plsOz z%trDkMsJ~cq2XAY(?&yy^kBM1{EiA$dpPa{bR7^X3TVpZL}0C;;B+RKZPs4#!ZjsU zNTyd2v!b`YfmK~a9N}L`N@ie10qri(8`z~feLqkgIsJ11{m z)ZUD76-))(GaLB^t23rs!rx9zI3#icZUT((+>d*)= za98J5jNxTCIHaUV7^h|cdWvY$1?XF;zaP2Tp72$WY3shq;{BZp;EA$!*zGR#8rYpX zXB_!nTdA~5Qz+-wu>cboXz6ffRoQa!2p2}~4IZ4HFRdFAY^&Xu)IXnVxnL959N9ph zEYU-Q=ujGz#Oa3LmDvf?!k!`MiP<8BG>%PZt@b2D6<67HjR0!L)&?`D=cRTx9fj-3 zXuBwb_GHViZ`kdc-Zn@~5Nu%J4WD+c$UYjifAUHHc>el+AywRmY1MWoP@9=HVUc;l z6KvcFZ!U{>EBU=r2&TX3KSC^|y{{=%*T$K4gt*LGNmKHCi+qo@psxG=6!q z<3I^CQwJnfRD{YOEBzq*fuS1)S4JgV^#*I4MkDr>oXkk*mW zd$?qd#v89uDIvukjOtNsVvHg}NlBeLfGB{%5ShJWb0p)3l`;WObnK8Hv}9dMLe;1= zzfu72&sCWpaq4Q!^_?o+gqeX|BWY>V0z5FeuB%3N;E87ucLLu*U_c zxrRQg{V0BY7mCS%lb@LMSKxooBWL51)z}~X*W zgTpm@=DN;xu5+z*&7RpaG=7VpC1pJ;xSFcbEQ7r>GLzyzZcO5LWEBvT`N08wlW?k`XvI6{pO~ykdBh%zzW zm4;B^H!9voVXZWNzhmV^-oM#?l&zH&GMiw29p?5UhsES)4M4nklS3xyGl5`)$*DYy zl9n&&R&!U&jbc6dR>=TyU&FEDyD4t8$=nu3#G3={l~2C1C(VmhEvRSQQei->icGnB zH+cP;`J=%n2aDE*nxgv+m7I^G?^IO0a^`9zQ+`4lMrIb_pN?5zK!zn^E>SP)cw<+F zqrNd=v_bFIv)~9dp_MCO2X9fbw=wQUnUuq3IWR5-AA}(AK5j<_=vCX`-c@reI>;K> z98q*Q{H^=0BzN+v_1e09DP;f0!^){=v5zKAyV<{sHrCX%B(R~9rS+3uH(a~xQAkGa zqd{ZJUFS2y)O5{st)Xy_Gy8}G+YzXcQzeIQDuq;eRG zq4cGHcFyw4obV9>x?EB9?S0YDA5D$jH6 z7K7CHlVrl`#)28o7K&MZaUs?cfaDgE7PUAYe zy8cyS8VkT8Zte=jQhU;TkI%u3{_f|v#=O3d337qyhH>pJPKaf!`Ih8mQ_bQzT_p2 zG#}XAOIxwygv_&5pnC7gP?tfo(32s}d|xqm+$rAdAHK*w%8^&+$U7#?rtm*(%0=@! 
z`XkwVkyLirUXYCl7jiNm9wbu`4?egwD>2-|xTY=#c`JE?KsY9{#brc$Ok%nN8VjJ; znW?dwKv!<{Fj{wf>2|P7rJdjp4)>cJ9_i-pu2K_MZj?xfya>XjxD&~aexA_9m^>^JWjo{y*`QOz_i*WYO3z(w ztj&xqN8p=DkCly<>tv0^={RE>U!Ua+S1B9B*pRKhZWHYF>`5}fB}%2O?8CbVk5=g* zmDt)fzWpQh(u6KQ`ZtTtZ?65QVAoW;XR^7#u}7J#J!Dw*#()LtU?gz+Q(q+CWD%1N z9%iIFDeZeM3Y#b0scmjnN4p&T{G>$F`cvI1aS9bwEA(!=PY$0eg4b>g_RP`@rqMs= zEk3)~5TYj3aFpd;=EmQ$x>+8}>=BO~+S%q7BpIM6m7v1E*K+@<9EJFZBJk z3D2aRza@bAu_#OM;Vgx?7;abNx0%SiT%5$6c(4tt#;c-0+i(~zcpdBje&Z>a!|FC> zetpwj<_bo9v@C+=HZ&cd-(I^RCNg0e7FxNQ)Vadf?-p(vTw-I@PeFAnGF&H{+1p4H z$4f%j(UWOer%6*wuZ1mLM72FdE1ht#u+Vr3;Qcfp)hj1=`*|gHicuNnP-N$>ZFVZK zKt;UO_i;y_Q`r*z=g)vfl~iqG1ukmw9(qySLBTxLq(mN37q+1NtFH6SSeWuZ;STpXR9IRGLZb$WiT?Qe;~Mll9s~bx!ISklW~d9iPdf=E_8M7U41gU5|&Nk*8d$7RHvadyP zi7V<&XgJenre)(oa3APMt89sxh@tmx-q*RO{CH(4;dK#EglRkqi8BGlJU>~rFGVcn zS9_?Aa|zSO;I4?_(n+dDP-?i|={TVThD&VTj zn~znk&r#7FM0$f23($1aciSwYns_AWX<&$_@KraTHSl@L=$`DM>E_DR*bd+>XdSrmKP z!#IXb_rwA6;Nyxd5+yzOwS<65U40H+-S?6)?A6$HAYgZjXAm%%Sg~B5@geolEf=Yt zdx2%&X`@bM2?Qs240y(t)Tw} z(btHuuK~aY#7noA*CMd-Mz~k8D_aPPkLbg&x=o*l4}Lm*#-mIwUASYIf`Mr34O!Z$ zWs#H)I!(G_%49gE!y59V`YEEYDtlFaNL? 
zNzOS{IIeJ!<%5?*3L5zH4xs9-qPw3=U+K`GMcTwlrpXWA`Z5|NDjqwy`pCkpsFwMf z{$R4#DgjGdG7g6snK~pxdbY!hwk@i8X2?7Z^*XY#*PuUed`la{J(kT&%GSsUUJ>wF z-(aw@Y2f`l=`&Z;`37+p zWwn1MwF!LL!U~Ai-qneQB-2U-`kK7ZlG1JWOJkWKLod& zF$K4U#-6*qCnH(Bh$d8Cnvan7yY#owjvI2Wz82tFONW3SteXi%GR7zd|Qc1 zQB~1uRkl>3LOptppW;=NAN=RiCh6zY^37^Qom=u`tr{bZn5xoqH<`yV>2E4{+7=C3 zKltu?7Yof;+1iU$?JHSK2G{-p{ml+LA#KHP>#_Q6@wF6p>Kwyw3eQjWWUXJn&B1tV`Q zJ~!jH`n8nP#p8kJKNX}8_qqtvFMDAeD>KH%6T_RB<{?y>&Aj(L9+qnhYNhqLPnB*3 z-+y~0*tKFfsIO62r1k5KY`sbV!5wQdqQQ!SzmCl8lYT|xpoX=`Yn~(p9J$GTjb4=9 zoy`@_9or$^gO>dThy1?oEkB-w0^CV9JGcydDWMtMXl+p%|21n#CSg?}JVf`r+s!!D zGt9j$^Vp;trW*?}^D|=nd_#FeHaq>jUSEm@ruJ$g=SjaDSPbAMj-d_!ojy?!8=K&L zmma(Ea%g1qZ_5~xNm9L|KO{+2xVDm97c1@^PtqSFsa*?>Fn_h^BF+t~b;>p+zx!qsNls z#lSSu(}yE>X`>$S`KvazF)9{e ztt#N9VDFp_r5%=K%fh*81A6)m!zsddli%OSQ9-LrFl|d9FHq;@vs}UHnkOdNHJ46l zC0OX|CWa$#n3jB5JmUEK$}L;52;}^tYg03x*TZl7)hN27lS%#@br21k2lOViiMd0p zQ`_0#qvuP|ihnrg<~a>g6mSmS#~9(oG3YGO?Mq86YD`3H5~GOn|525oSeK@ypB);< z{j#rRX%LVW8P|m@+$bkX<$RHm?B*pVa((tw53*K6gS7%i(}U#qH0atnxXMY+QO!zj z&Mb6(1wXFNQfez4sS&@EdNF#daOJVz(S2B*pBioU?QhWwKDc>b>8)_U56D0$&ZR`s zNFCQzCOGot-h?emp@ zZ(Aey*fo;0FoH+*J+jY7(Yz=gQDj`xLH`!t$}zs{aOL1JUGOT+|FDCHQ(-D&SA#1~VQH-P;PQuS{^duZqYo)ohscAkq)usY3 zJ@f;=n)K3P`rEfNzw*is$GVPv-E1x1_;OyylU^h*{o^3;*m&wA=l>es%?a|0uc?xT zbeoOW#J;qb<@f8SRp)%bs&;Q1*D-LSFDgIiu{$9lHUXROk95W_Kc%iPl&czdEuc-@ zllZm$n>Y;;dg^k=5~p}9px=2 zKlBgvg;xrGL$E)kW{bZQn-tlVeK>=&2|n=gy`W~)6y}N)4ftyqih=tMNTlGkr)(~j z+BKo~j3keQi&3FLxYKUbmb9?y>uR)vG{HX5-Pk*!EHU?C1baYG9b;ApfVp?;k-Jlv z`iH|`OH!Q>mzNf~HG(fl8W^&-p2~(%#7Sz4ny1bBM_Pz#W9dYqwF&Ms=;l-3aibjW zT*>>~80Qndrr{8xTisfdRoJq}HMDg=qF1_X9V~HW|MTNPu94p{#BMfwZCWqb?@c4m zepWU8{+?2-?W$`Vl`i0@jj?HL*KJ0yYA~GFJ;=5EySPTyGocJN$?ddmVnL{9lZB|xNG)t<{Q;!6{rx)$Fsqf4EmYk%6_POoENlV0{bE%K9#4@~+7C7zRJ0O-r4s3br{JR(jd3!)s8VPE z=T+}dMvbkz4V(G+y0W{^82W!t1NKh&cvO$*r+xB&cQ4X!zZ?3QCNm(sr7*-jIEq(V z#gvOLoOa3C*YNRr1LepZrJZ*-5^ayS)bFS!HKWa^DnU{2;O9)4B~7bkb>8~q_s~}s zK;6VCv@quz)Z7XQ|BgagDS!8RXGj%r`&SG9Vm|WM%;#gsrtu$g`j?m*rc?9Zz0R1C 
zxl`Dw%hpQnp2;9L7HO6F?Ver80SWFfYWPZe{89zJ_TjdE;ZTmSV|F`Y)%qoQPv)<; zNWwcXu=j0ceml$1sI1xuJr{2yd)7|2ND$XE1FwszmGT3Ggu1g_PqSFMx!djz@Mv_p z@b@Fud5gBf0a+Oj-}EQ2RXk?4W7THPDj`#fZkSc9r}4+m>6p^(z856>yE?^sLc5zb z*M$Y4?%f*JsuE&=BsXiCQC)mVAhq4=7wn6X()S?v!zP!%-{)tBOvnl1QpQ{5k5y&Q z>H5uD5`63|K>V<(2}+U4%7x(-@VtG3V*J+Cyc?4gS(xG#K5pQ%<)YZHlyinRc_-Wy z4#8&mRzshd5AxT-w^*c!zG$W!Oj%ZV>F+$%b?4y9?`iknU!Y2)&`pCRNIeU(9k}9(`&kZ2_Z5|M zK?WWjvw||Ii)YcQ%5K*Ff#i6z*Sb2{RtOwxY%ZdUu`1IVL*PXfrWzYEcQSgG4xuC z6rRFR_Ek>)9x0yjgCZD4aXS65AWW4i4vr%94fDSFIS_M z?^`sM@mEsb6~*MZ-U1ZeGEG?27gy_@7r>}ngz=zvxfJ$4zF7wW6qEz%cO-3h2NMj# zBn>#_W)R&aI^TAYaR~F_vZAwlCpp(gcAM%B#*HF{+s|68KzPkO*X4QZlbs#8WXgCu zG(L00zKKYIMtY=cFKOY zBM|#iFUfYy|vihkahd%;p(DQm(8uEj-*s{JcP9kMP( z@=RpMb#j5&pP$-F=Zg^Kd6*S6!J=|^>8)dL%m^`QVLRV7^ue`nH=7`un~m&qg-mKo_G4?SpU@6NBlv6hO#p`GW;t{dlZc8g|oI> zoumeo-+@o7E(73WUp8{FJBoZL;oKt^D=0G-XZb8-m(aD-sk>$P9dBpc#~!_{5LdWF zk-AK#obnP{*k8OyHe)pKuy{lYO?tneua}HR-CD`UX{YD>JIn}f#=4}kOr(PcK2x}M zM82ScV?hdt9=DV48u5E`VuY)1ng#6u4pI$69lS=OhqHigLR?}@E^oa1y%wijw|c+% z4DqTMv9SJQ-~P9svBpK!ZCix8z_#(#Ynz1U~m;jRaB}a!7S|nel7d? 
zKb?cPqDOo~f4{k*gUvwRYuc~8o3feN)}!;qV`cpPy`D1ar%~<)otRC9-UlvX zCD2t9g`Qi^S5b&;L|?@9;d2RtN#GDO)}XQ7*SaepCgf#3GYpwJWohsj2+VvQ1V&$w zMImwjIZdZU*$4_zX6x^mN1iB-cY^EuF&F~1aM-eAq~#Hs)i=MHpnH82rD7!nYo0(f z*-L&4kF^MBbS#PJX8f1uNrZR?FHvb{`cEr|$;J|Df4mmmf(pQD98JZYIPN|2an?e_ z5n+r>m*@_Jw_L0}V_=hY!L37eJ4*Oc7cN?^A7bS0cXn7-B zAe-4hdf}UoRXsz3(O9UkQ3nM}lZIQ#X`j?<+xGhG6PXi@{}>b4z`I2|N z0;|3V;@+DC0$4p@mT?4V9Z1Dr*}5mty6NIYYQ1nuNOn$Na}A0k0g3D59a*P@sTbUJ zMuJqF!{*$czEd-NZkg`zzdqcUN_M5e7>9Q=VLD3IYOEcdP}dhjdqi#@@FF!{_$FL& z%S5c@z_-rfy>F^uDuA6#V(*C*sjs5&QIYncUH4WL0dIUd&)&xyB4p%* zp03~`$VlEp%kyM(O-~Fj>Eg;(EMZpECg!hYt#X20v_G8EuOVh1F^DxPiv^2IxKOFA zg6n(y^S}WsWV50NL?Cjm!S^J6Sfd_DC%b!yxsp@eh}3-HmcZ?XgZGrK_O1+<=4Eh= z*E@+MB1r-xns@twBpD&I(>Vw>6&RS;GOpHg9361f#wY9UXx!Yh9`5FrTu+tVvk)<^nqj$j9se3YTEH3euy1 zF(!NEJUy7cBFF5kTsvWB#RIQ~{31KNmyg*IfwALbv+6DKg9~!$LS~I&Km~0a`w~2W z(v1$F*KQ0_<0Y#G$3H9o7-~YlH&C^$xq?T)v>dxPiopy8be=_P1Xmb|elQYe*6#0* zVqjf>XdFue^Ci^Ax%Il+Q3D94E(NR+s{ZBF7e}-@@&P7^vrfxGk)O>6n+k9Sm>5Ai z{)iDGXa-UMoDVbz8di5er~W|v{}mwsOWFSh@qdKSA@*je^?heBnrAZ_;E+N3r?~vR zCz$&ndq=qsvh*kStH^KuOS%JwK~B%*K2+QQEcef;8{vX<{!^eS{!euui@W?kD-1ZN z?jtJxySnkg65%Hb&7OY|m%r%#i$ow>Xool1amC}Jx{YJy2>oRJlNF4-K#1SVPwJDO zC{(xqW^(9(XJh@>V4$kziGA3a3pF;Q#5xnTke~Mrd7w~@-sN)d++af{x zf7d5i1dmAsU<;IPunV9PT8f&rUi#BC99URNDeAC365c23*A0YBFQ5b(`s1k|Um3WLR%UR%;l z&4;9t`SNKkeva;M%<__iq|yoQ+JHK2jZn9Yf}qWH1Mal6&t1xvy1Kc^I=>)%I#gVK zoQ5g!sZ@@foNuECS3y0=?l3_CK_gRbdZ2k)F*o3Pso-}P@HhKT7ClszEv7A>htMue z_^O$8KKks07O@&rgcm1t((8eDKc!0mowpLg^`{a5$IG%F_?FLzXnz)l{P+cNh_PDe z=f{dbg;sGE{F7_|u{%vc2S2IyN7(I#k)dpqk;00U_HUbEZqPbePFV8Y%d0DcSo;!A zq62t;QtLks20ixA>JKCWzU2!D^klgTW4_E{-svn6e}j)gop(B79{!kl*nGf0p#R@Z zctp;hW{V0kUvtVljCcSaWFG3!@sgY$|7{$is`|fS9`|1{f90Q;cLJG*5f6Z0G(ws9 z$HAb-o@M?HR3aCdN4dcKU*P|d`9JdkuvPQ1ZvJ-@9*uv7`J%Fm%!9;({s1S;bKpN3 zo^aYy%aOTy_LODXnuY1>t@yFJveOj0gI;uaD-w0uN$YrN4i=_9?R)6j!WC3AIMDoE^$br^#$LsL>XTaZS!BxAr=t~^UJeKRBd4`o;n=x~;D zs+hwgu!3}1Btz>c19589r70ME%Nw!6--{M{KSq4*{rFjxsFxTkK2^i`O(bvf7>b)X 
zBCC>4v|b9gV;!c_xf}vckDgi|2>i}-Q7FdpMP?&n774{QgGr&$yi#Z z2LWDHQATFIPbjLAB2a^L%srE;xHaiPy9GLP)o7xT8KdHv4+|9NLHqba<2hw z3#I<(vw)B6W4t+&>EF1|I(uaE%7d;hFskY`DO*^O(NZ;Ohu;p804Q$zS_XjEmMeTu5!0xHl3j$mPXpGQT( z(A-o&sc&W?opcoZmdKpR$@_AWk#$VURAHh|qobhqpWw3VH8pvj(G4fm9*?*zkM-#Z zuVHg!6s8!nK2@c5#4}J&CQ$p-S>U3#Q2QtX165J!+yrO5b*&1Jh6>9DCP)y|$azc_ z5^bZPzc9tI>s4L=CG2Tke~QWth6*@=1#UQnb^SsNp!SI_&Vov+D&WqC(&Y)0qp}6Z zg%CjPlMonP5QY%|Za4`+@5@tRK*xmI|Iu5h_eT-eF;)+pGYEO`^lYzNM z{}WRHn4IiW9v4D{K{-krbmFhb1&@5sV*YFBA7^8K78Nu&=d}zD44g}%{|_URgGxC` z1L!zsip?aU*)fs7o)omM7XEgVBc=Ilhkr(W7QmAq!jV`1Z z)INzqula@Wf;Mm(-!rJ78FoR<4Hwi5+NWX;y%0apKGibA8D&6Y0JTqI3taRTY9H}f z=Vy9A^S>)QQr$sV~S% zng&BA;zT*z7b{)G+2~&!8uL#Gt47bGf;N(VuZaU*=l70B0Sp? zrd*Gs+qO9RyepdM4;uj3m;WkPyRdyFJoo_{(7eH;Et5x&R`~*%GbRevA#p-P4LwgZupCs=&P=D8|mJ1;O z?b8s%o(lnB(hP1mEmr%+caU6$!bX{tMK|~$lO^+nAGp7zxis~yYEaOk$?Ld(T4vfx z=8}vd`cPfj9~M=~Te`;-m9b&T=dht^o2v?G!kz0iFlFZkURy*@Y!`0Z zmhi?g`i7*cVeJuo2N$2(JKn@7K6k~$*d9!L;#6PkU~Me z1dLzQPZI>#I7`>IC#bu}>b72o0rty17FlS^{kzoMTPEf&OiM}aw|k8bm@%vuWEPuC z<{);PO#>lI)4$c$<~NGNz}J9in%Nhu84#AF-npZjHe<_ePa3)J$o{k%R^Rz;Ru)C7RpOOY+SWi-H>#I&kWqmn0$gM71Qvn{;Rg%)HD8-v6- zoqI+HwIZnpeylrhj%kV zRmRf#O>?6OWXwx9;@nFR9?EQAeo?YLA%IU@Z5Ow<PR(ME0nHe?Mjz8k2*7 z#1dOtr+G-J#rG$-1xl19TY%z&o!1s}-rEy9i^z&us;Vt!+XFeAEx>H$h`^YoQ)(Y; zk)8S0pxO3pRn_u~kL{hi+b@;8dwXBXAs#~bE0xx^i1SRd!f?AyuMgP+%9-5_LwN$b zOi?9K85{xxs{DEl6LIr?8vR_Fw5Q+Qa@CDcNpIHd=@iKd3lm==BO@^t`wmoIiue>4Vc z+X}c1&L!x23<1o(9dnBZ(*q7p&0NRG;tnJ9udKwS%UJNI?^VWCKr~MR-=|Cs4+n>S zIu+cTOM4zcPBBCzP|#_r=8Rv#58r_=UA}d0rzWqUk{BA;Y_l=9E*E$QU5%x@iu4Y; G*Z%_ diff --git a/workbooks/alz_checklist.en_network_counters.json b/workbooks/alz_checklist.en_network_counters.json index e84733dc7..8c022ff86 100644 --- a/workbooks/alz_checklist.en_network_counters.json +++ b/workbooks/alz_checklist.en_network_counters.json 
@@ -749,7 +749,7 @@ "criteriaContext": { "operator": "Default", "resultValType": "expression", - "resultVal": "{Query12Stats:$.Success}+{Query13Stats:$.Success}+{Query14Stats:$.Success}+{Query15Stats:$.Success}+{Query16Stats:$.Success}+{Query17Stats:$.Success}" + "resultVal": "{Query18Stats:$.Success}" } } ] @@ -768,7 +768,7 @@ "criteriaContext": { "operator": "Default", "resultValType": "expression", - "resultVal": "{Query12Stats:$.Total}+{Query13Stats:$.Total}+{Query14Stats:$.Total}+{Query15Stats:$.Total}+{Query16Stats:$.Total}+{Query17Stats:$.Total}" + "resultVal": "{Query18Stats:$.Total}" } } ] @@ -806,7 +806,7 @@ "criteriaContext": { "operator": "Default", "resultValType": "expression", - "resultVal": "{Query10Stats:$.Success}+{Query11Stats:$.Success}" + "resultVal": "{Query0Stats:$.Success}+{Query1Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}" } } ] @@ -825,7 +825,7 @@ "criteriaContext": { "operator": "Default", "resultValType": "expression", - "resultVal": "{Query10Stats:$.Total}+{Query11Stats:$.Total}" + "resultVal": "{Query0Stats:$.Total}+{Query1Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}" } } ] @@ -863,7 +863,7 @@ "criteriaContext": { "operator": "Default", "resultValType": "expression", - "resultVal": "{Query18Stats:$.Success}" + "resultVal": "{Query23Stats:$.Success}" } } ] @@ -882,7 +882,7 @@ "criteriaContext": { "operator": "Default", "resultValType": "expression", - "resultVal": "{Query18Stats:$.Total}" + "resultVal": "{Query23Stats:$.Total}" } } ] @@ -977,7 +977,7 @@ "criteriaContext": { "operator": "Default", "resultValType": "expression", - "resultVal": "{Query23Stats:$.Success}" + "resultVal": "{Query10Stats:$.Success}+{Query11Stats:$.Success}" } } ] @@ -996,7 +996,7 @@ "criteriaContext": { "operator": "Default", "resultValType": "expression", - "resultVal": "{Query23Stats:$.Total}" + "resultVal": "{Query10Stats:$.Total}+{Query11Stats:$.Total}" } } ] 
@@ -1034,7 +1034,7 @@ "criteriaContext": { "operator": "Default", "resultValType": "expression", - "resultVal": "{Query4Stats:$.Success}+{Query5Stats:$.Success}+{Query6Stats:$.Success}+{Query7Stats:$.Success}+{Query8Stats:$.Success}+{Query9Stats:$.Success}" + "resultVal": "{Query12Stats:$.Success}+{Query13Stats:$.Success}+{Query14Stats:$.Success}+{Query15Stats:$.Success}+{Query16Stats:$.Success}+{Query17Stats:$.Success}" } } ] @@ -1053,7 +1053,7 @@ "criteriaContext": { "operator": "Default", "resultValType": "expression", - "resultVal": "{Query4Stats:$.Total}+{Query5Stats:$.Total}+{Query6Stats:$.Total}+{Query7Stats:$.Total}+{Query8Stats:$.Total}+{Query9Stats:$.Total}" + "resultVal": "{Query12Stats:$.Total}+{Query13Stats:$.Total}+{Query14Stats:$.Total}+{Query15Stats:$.Total}+{Query16Stats:$.Total}+{Query17Stats:$.Total}" } } ] @@ -1091,7 +1091,7 @@ "criteriaContext": { "operator": "Default", "resultValType": "expression", - "resultVal": "{Query0Stats:$.Success}+{Query1Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}" + "resultVal": "{Query4Stats:$.Success}+{Query5Stats:$.Success}+{Query6Stats:$.Success}+{Query7Stats:$.Success}+{Query8Stats:$.Success}+{Query9Stats:$.Success}" } } ] @@ -1110,7 +1110,7 @@ "criteriaContext": { "operator": "Default", "resultValType": "expression", - "resultVal": "{Query0Stats:$.Total}+{Query1Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}" + "resultVal": "{Query4Stats:$.Total}+{Query5Stats:$.Total}+{Query6Stats:$.Total}+{Query7Stats:$.Total}+{Query8Stats:$.Total}+{Query9Stats:$.Total}" } } ] 
@@ -1148,7 +1148,7 @@ "criteriaContext": { "operator": "Default", "resultValType": "expression", - "resultVal": "{Query12Stats:$.Total}+{Query13Stats:$.Total}+{Query14Stats:$.Total}+{Query15Stats:$.Total}+{Query16Stats:$.Total}+{Query17Stats:$.Total}+{Query10Stats:$.Total}+{Query11Stats:$.Total}+{Query18Stats:$.Total}+{Query19Stats:$.Total}+{Query20Stats:$.Total}+{Query21Stats:$.Total}+{Query22Stats:$.Total}+{Query23Stats:$.Total}+{Query4Stats:$.Total}+{Query5Stats:$.Total}+{Query6Stats:$.Total}+{Query7Stats:$.Total}+{Query8Stats:$.Total}+{Query9Stats:$.Total}+{Query0Stats:$.Total}+{Query1Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}" + "resultVal": "{Query18Stats:$.Total}+{Query0Stats:$.Total}+{Query1Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}+{Query23Stats:$.Total}+{Query19Stats:$.Total}+{Query20Stats:$.Total}+{Query21Stats:$.Total}+{Query22Stats:$.Total}+{Query10Stats:$.Total}+{Query11Stats:$.Total}+{Query12Stats:$.Total}+{Query13Stats:$.Total}+{Query14Stats:$.Total}+{Query15Stats:$.Total}+{Query16Stats:$.Total}+{Query17Stats:$.Total}+{Query4Stats:$.Total}+{Query5Stats:$.Total}+{Query6Stats:$.Total}+{Query7Stats:$.Total}+{Query8Stats:$.Total}+{Query9Stats:$.Total}" } } ] 
@@ -1167,7 +1167,7 @@ "criteriaContext": { "operator": "Default", "resultValType": "expression", - "resultVal": "{Query12Stats:$.Success}+{Query13Stats:$.Success}+{Query14Stats:$.Success}+{Query15Stats:$.Success}+{Query16Stats:$.Success}+{Query17Stats:$.Success}+{Query10Stats:$.Success}+{Query11Stats:$.Success}+{Query18Stats:$.Success}+{Query19Stats:$.Success}+{Query20Stats:$.Success}+{Query21Stats:$.Success}+{Query22Stats:$.Success}+{Query23Stats:$.Success}+{Query4Stats:$.Success}+{Query5Stats:$.Success}+{Query6Stats:$.Success}+{Query7Stats:$.Success}+{Query8Stats:$.Success}+{Query9Stats:$.Success}+{Query0Stats:$.Success}+{Query1Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}" + "resultVal": "{Query18Stats:$.Success}+{Query0Stats:$.Success}+{Query1Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}+{Query23Stats:$.Success}+{Query19Stats:$.Success}+{Query20Stats:$.Success}+{Query21Stats:$.Success}+{Query22Stats:$.Success}+{Query10Stats:$.Success}+{Query11Stats:$.Success}+{Query12Stats:$.Success}+{Query13Stats:$.Success}+{Query14Stats:$.Success}+{Query15Stats:$.Success}+{Query16Stats:$.Success}+{Query17Stats:$.Success}+{Query4Stats:$.Success}+{Query5Stats:$.Success}+{Query6Stats:$.Success}+{Query7Stats:$.Success}+{Query8Stats:$.Success}+{Query9Stats:$.Success}" } } ] 
@@ -1241,34 +1241,34 @@ "style": "tabs", "links": [ { - "id": "bff2cb3f-8087-4319-a8cf-810034b5b293", + "id": "35f07a09-028c-4254-b496-52deb79b50df", "cellValue": "VisibleTab", "linkTarget": "parameter", - "linkLabel": "Internet ({Tab0Success:value}/{Tab0Total:value})", + "linkLabel": "PaaS ({Tab0Success:value}/{Tab0Total:value})", "subTarget": "tab0", - "preText": "Internet", + "preText": "PaaS", "style": "primary" }, { - "id": "31df8a1c-944b-4f7f-ae74-860e423c17bd", + "id": "8a3ea40d-843e-458a-a272-ceb877b7aa0d", "cellValue": "VisibleTab", "linkTarget": "parameter", - "linkLabel": "IP plan ({Tab1Success:value}/{Tab1Total:value})", + "linkLabel": "Hub and spoke ({Tab1Success:value}/{Tab1Total:value})", "subTarget": "tab1", - "preText": "IP plan", + "preText": "Hub and spoke", "style": "primary" }, { - "id": "ccaa8035-700c-4618-8eed-51dd284ac094", + "id": "afe943e2-6bbc-4ef7-85cb-64954d1d06aa", "cellValue": "VisibleTab", "linkTarget": "parameter", - "linkLabel": "PaaS ({Tab2Success:value}/{Tab2Total:value})", + "linkLabel": "Virtual WAN ({Tab2Success:value}/{Tab2Total:value})", "subTarget": "tab2", - "preText": "PaaS", + "preText": "Virtual WAN", "style": "primary" }, { - "id": "8c4c21c1-51c2-484f-921c-538c48517027", + "id": "a302f87e-2c70-4c74-b83a-ebd3f5de6400", "cellValue": "VisibleTab", "linkTarget": "parameter", "linkLabel": "Segmentation ({Tab3Success:value}/{Tab3Total:value})", 
@@ -1277,30 +1277,30 @@ "style": "primary" }, { - "id": "913805f4-47d7-4cac-9fcc-c5ef17d4a132", + "id": "2a341f64-dfc2-4ab1-b220-fe169764b328", "cellValue": "VisibleTab", "linkTarget": "parameter", - "linkLabel": "Virtual WAN ({Tab4Success:value}/{Tab4Total:value})", + "linkLabel": "IP plan ({Tab4Success:value}/{Tab4Total:value})", "subTarget": "tab4", - "preText": "Virtual WAN", + "preText": "IP plan", "style": "primary" }, { - "id": "f962687c-e0f3-4801-816b-cdc957dbaeb9", + "id": "2aae6146-3c29-4e0f-b437-3a60bbb9651b", "cellValue": "VisibleTab", "linkTarget": "parameter", - "linkLabel": "Hybrid ({Tab5Success:value}/{Tab5Total:value})", + "linkLabel": "Internet ({Tab5Success:value}/{Tab5Total:value})", "subTarget": "tab5", - "preText": "Hybrid", + "preText": "Internet", "style": "primary" }, { - "id": "771d3851-8fc2-44a2-979a-b5a54d145cb2", + "id": "1e46bce1-edbf-438a-9700-aff0b3586cba", "cellValue": "VisibleTab", "linkTarget": "parameter", - "linkLabel": "Hub and spoke ({Tab6Success:value}/{Tab6Total:value})", + "linkLabel": "Hybrid ({Tab6Success:value}/{Tab6Total:value})", "subTarget": "tab6", - "preText": "Hub and spoke", + "preText": "Hybrid", "style": "primary" } ] 
@@ -1316,22 +1316,22 @@ { "type": 1, "content": { - "json": "## Internet" + "json": "## PaaS" }, "name": "tab0title" }, { "type": 1, "content": { - "json": "Use Azure Bastion in a subnet /26 or larger. Check [this link](https://learn.microsoft.com/azure/bastion/bastion-faq#subnet) for further information." + "json": "Don't enable virtual network service endpoints by default on all subnets. Check [this link](https://learn.microsoft.com/azure/app-service/networking-features) for further information.. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn) can help to educate yourself on this." }, - "name": "querytext12" + "name": "querytext18" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -1380,20 +1380,42 @@ ] } }, - "name": "query12" + "name": "query18" + } + ] + }, + "conditionalVisibility": { + "parameterName": "VisibleTab", + "comparison": "isEqualTo", + "value": "tab0" + }, + "name": "tab0" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Hub and spoke" + }, + "name": "tab1title" }, { "type": 1, "content": { - "json": "Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over protocols not supported by application rules. Check [this link](https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules) for further information." + "json": "If using Route Server, use a /27 prefix for the Route Server subnet. Check [this link](https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1) for further information." }, - "name": "querytext13" + "name": "querytext0" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
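Review bot: The RouteServerSubnet query compares `subnetPrefixLength`, which is the dynamic string element returned by `split(subnetPrefix, '/')[1]`, against the integer 27 with no explicit cast, so the result depends on implicit conversion; I would write `| extend subnetPrefixLength = toint(split(subnetPrefix, '/')[1])`. If the prefix is missing or cannot be parsed, `compliant` presumably evaluates to null, and the trailing `where compliant == 0 or not (onlyFailed == 1)` then drops that subnet from the failed-only view instead of flagging it; `extend compliant = coalesce(subnetPrefixLength <= 27, false)` would make the check fail closed. The same comparison recurs in the AzureFirewallSubnet, GatewaySubnet and AzureBastionSubnet queries and in the `addressMask > 16` query in later hunks. The workbook looks generated by this automated commit, so the change probably belongs in the checklist source the query text is copied from.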
@@ -1442,20 +1464,20 @@ ] } }, - "name": "query13" + "name": "query0" }, { "type": 1, "content": { - "json": "Use Azure Firewall Premium for additional security and protection. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information." + "json": "When connecting spoke virtual networks to the central hub virtual network, consider VNet peering limits (500), the maximum number of prefixes that can be advertised via ExpressRoute (1000). Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information." }, - "name": "querytext14" + "name": "querytext1" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -1504,20 +1526,20 @@ ] } }, - "name": "query14" + "name": "query1" }, { "type": 1, "content": { - "json": "Configure Azure Firewall Threat Intelligence mode to Alert and Deny for additional protection. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information." + "json": "Consider the limit of routes per route table (400). Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information." }, - "name": "querytext15" + "name": "querytext2" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -1566,20 +1588,20 @@ ] } }, - "name": "query15" + "name": "query2" }, { "type": 1, "content": { - "json": "Configure Azure Firewall IDPS mode to Deny for additional protection. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features#idps) for further information." + "json": "Use the setting 'Allow traffic to remote virtual network' when configuring VNet peerings. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering) for further information." }, - "name": "querytext16" + "name": "querytext3" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -1628,20 +1650,42 @@ ] } }, - "name": "query16" + "name": "query3" + } + ] + }, + "conditionalVisibility": { + "parameterName": "VisibleTab", + "comparison": "isEqualTo", + "value": "tab1" + }, + "name": "tab1" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Virtual WAN" + }, + "name": "tab2title" }, { "type": 1, "content": { - "json": "For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview) for further information." + "json": "For outbound Internet traffic protection and filtering, deploy Azure Firewall in secured hubs. Check [this link](https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/) can help to educate yourself on this." 
}, - "name": "querytext17" + "name": "querytext23" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", @@ -1690,16 +1734,16 @@ ] } }, - "name": "query17" + "name": "query23" } ] }, "conditionalVisibility": { "parameterName": "VisibleTab", "comparison": "isEqualTo", - "value": "tab0" + "value": "tab2" }, - "name": "tab0" + "name": "tab2" }, { "type": 12, 
@@ -1710,22 +1754,22 @@ { "type": 1, "content": { - "json": "## IP plan" + "json": "## Segmentation" }, - "name": "tab1title" + "name": "tab3title" }, { "type": 1, "content": { - "json": "Use IP addresses from the address allocation ranges for private internets (RFC 1918). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this." + "json": "Use a /26 prefix for your Azure Firewall subnets. Check [this link](https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size) for further information." }, - "name": "querytext10" + "name": "querytext19" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.)') | project id, compliant, cidr | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, 
"resourceType": "microsoft.resourcegraph/resources", 
@@ -1774,20 +1818,20 @@ ] } }, - "name": "query10" + "name": "query19" }, { "type": 1, "content": { - "json": "Ensure that IP address space isn't wasted, don't create unnecessarily large virtual networks (for example /16). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this." + "json": "Use at least a /27 prefix for your Gateway subnets. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway) for further information." }, - "name": "querytext11" + "name": "querytext20" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -1836,42 +1880,20 @@ ] } }, - "name": "query11" - } - ] - }, - "conditionalVisibility": { - "parameterName": "VisibleTab", - "comparison": "isEqualTo", - "value": "tab1" - }, - "name": "tab1" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 1, - "content": { - "json": "## PaaS" - }, - "name": "tab2title" + "name": "query20" }, { "type": 1, "content": { - "json": "Don't enable virtual network service endpoints by default on all subnets. Check [this link](https://learn.microsoft.com/azure/app-service/networking-features) for further information.. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn) can help to educate yourself on this." + "json": "Don't rely on the NSG inbound default rules using the VirtualNetwork service tag to limit connectivity. Check [this link](https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags) for further information." 
}, - "name": "querytext18" + "name": "querytext21" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -1920,42 +1942,20 @@ ] } }, - "name": "query18" - } - ] - }, - "conditionalVisibility": { - "parameterName": "VisibleTab", - "comparison": "isEqualTo", - "value": "tab2" - }, - "name": "tab2" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 1, - "content": { - "json": "## Segmentation" - }, - "name": "tab3title" + "name": "query21" }, { "type": 1, "content": { - "json": "Use a /26 prefix for your Azure Firewall subnets. Check [this link](https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size) for further information." + "json": "The application team should use application security groups at the subnet-level NSGs to help protect multi-tier VMs within the landing zone. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/) can help to educate yourself on this." }, - "name": "querytext19" + "name": "querytext22" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetName=subnets.name,subnetNsg=subnets.properties.networkSecurityGroup | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend compliant = isnotnull(subnetNsg) | extend onlyFailed = {OnlyFailed:label} | where 
compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -2004,20 +2004,42 @@ ] } }, - "name": "query19" + "name": "query22" + } + ] + }, + "conditionalVisibility": { + "parameterName": "VisibleTab", + "comparison": "isEqualTo", + "value": "tab3" + }, + "name": "tab3" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## IP plan" + }, + "name": "tab4title" }, { "type": 1, "content": { - "json": "Use at least a /27 prefix for your Gateway subnets. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway) for further information." + "json": "Use IP addresses from the address allocation ranges for private internets (RFC 1918). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this." 
}, - "name": "querytext20" + "name": "querytext10" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.)') | project id, compliant, cidr | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -2066,20 +2088,20 @@ ] } }, - "name": "query20" + "name": "query10" }, { "type": 1, "content": { - "json": "Don't rely on the NSG inbound default rules using the VirtualNetwork service tag to limit connectivity. Check [this link](https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags) for further information." + "json": "Ensure that IP address space isn't wasted, don't create unnecessarily large virtual networks (for example /16). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this." }, - "name": "querytext21" + "name": "querytext11" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type == 
'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -2128,20 +2150,42 @@ ] } }, - "name": "query21" + "name": "query11" + } + ] + }, + "conditionalVisibility": { + "parameterName": "VisibleTab", + "comparison": "isEqualTo", + "value": "tab4" + }, + "name": "tab4" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Internet" + }, + "name": "tab5title" }, { "type": 1, "content": { - "json": "The application team should use application security groups at the subnet-level NSGs to help protect multi-tier VMs within the landing zone. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/) can help to educate yourself on this." + "json": "Use Azure Bastion in a subnet /26 or larger. Check [this link](https://learn.microsoft.com/azure/bastion/bastion-faq#subnet) for further information." }, - "name": "querytext22" + "name": "querytext12" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetName=subnets.name,subnetNsg=subnets.properties.networkSecurityGroup | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend compliant = isnotnull(subnetNsg) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away 
onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", @@ -2190,42 +2234,20 @@ ] } }, - "name": "query22" - } - ] - }, - "conditionalVisibility": { - "parameterName": "VisibleTab", - "comparison": "isEqualTo", - "value": "tab3" - }, - "name": "tab3" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 1, - "content": { - "json": "## Virtual WAN" - }, - "name": "tab4title" + "name": "query12" }, { "type": 1, "content": { - "json": "For outbound Internet traffic protection and filtering, deploy Azure Firewall in secured hubs. Check [this link](https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/) can help to educate yourself on this." + "json": "Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over protocols not supported by application rules. Check [this link](https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules) for further information." }, - "name": "querytext23" + "name": "querytext13" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -2274,42 +2296,20 @@ ] } }, - "name": "query23" - } - ] - }, - "conditionalVisibility": { - "parameterName": "VisibleTab", - "comparison": "isEqualTo", - "value": "tab4" - }, - "name": "tab4" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 1, - "content": { - "json": "## Hybrid" - }, - "name": "tab5title" + "name": "query13" }, { "type": 1, "content": { - "json": "Ensure that you're using the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-routing) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this." + "json": "Use Azure Firewall Premium for additional security and protection. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information." }, - "name": "querytext4" + "name": "querytext14" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -2358,20 +2358,20 @@ ] } }, - "name": "query4" + "name": "query14" }, { "type": 1, "content": { - "json": "Ensure that you're using unlimited-data ExpressRoute circuits only if you reach the bandwidth that justifies their cost. Check [this link](https://learn.microsoft.com/azure/expressroute/plan-manage-cost) for further information." + "json": "Configure Azure Firewall Threat Intelligence mode to Alert and Deny for additional protection. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information." }, - "name": "querytext5" + "name": "querytext15" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -2420,20 +2420,20 @@
  ]
  }
  },
- "name": "query5"
+ "name": "query15"
  },
  {
  "type": 1,
  "content": {
- "json": "Leverage the Local SKU of ExpressRoute to reduce the cost of your circuits, if your circuits' peering location supports your Azure regions for the Local SKU. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local) for further information."
+ "json": "Configure Azure Firewall IDPS mode to Deny for additional protection. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features#idps) for further information."
  },
- "name": "querytext6"
+ "name": "querytext16"
  },
  {
  "type": 3,
  "content": {
  "version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
  "size": 4,
  "queryType": 1,
  "resourceType": "microsoft.resourcegraph/resources",
@@ -2482,20 +2482,20 @@ ] } }, - "name": "query6" + "name": "query16" }, { "type": 1, "content": { - "json": "Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this." + "json": "For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview) for further information." }, - "name": "querytext7" + "name": "querytext17" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend 
isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
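Review bot: `hasRT = isnotnull(subnetRT)` in `query17` marks a subnet compliant as soon as any route table is attached, while `querytext17` asks for Internet traffic to be redirected to Azure Firewall or a Network Virtual Appliance. An empty route table, or one without a default route, therefore passes the check and the workbook reports egress as controlled when it may not be. The check would match the recommendation if it joined `microsoft.network/routetables` on `subnetRT` and required a route with `properties.addressPrefix == '0.0.0.0/0'` and `properties.nextHopType == 'VirtualAppliance'`. This workbook appears to be generated, so the change probably belongs in the checklist entry the query is taken from.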
@@ -2544,20 +2544,42 @@ ] } }, - "name": "query7" + "name": "query17" + } + ] + }, + "conditionalVisibility": { + "parameterName": "VisibleTab", + "comparison": "isEqualTo", + "value": "tab5" + }, + "name": "tab5" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Hybrid" + }, + "name": "tab6title" }, { "type": 1, "content": { - "json": "Use zone-redundant VPN gateways to connect branches or remote locations to Azure (where available). Check [this link](https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway) for further information.. [This training](https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/) can help to educate yourself on this." + "json": "Ensure that you're using the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-routing) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this." 
}, - "name": "querytext8" + "name": "querytext4" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -2606,20 +2628,20 @@ ] } }, - "name": "query8" + "name": "query4" }, { "type": 1, "content": { - "json": "If you are using a route table in the GatewaySubnet, make sure that gateway routes are propagated. Check [this link](https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub) for further information." + "json": "Ensure that you're using unlimited-data ExpressRoute circuits only if you reach the bandwidth that justifies their cost. Check [this link](https://learn.microsoft.com/azure/expressroute/plan-manage-cost) for further information." }, - "name": "querytext9" + "name": "querytext5" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation)) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -2668,42 +2690,20 @@ ] } }, - "name": "query9" - } - ] - }, - "conditionalVisibility": { - "parameterName": "VisibleTab", - "comparison": "isEqualTo", - "value": "tab5" - }, - "name": "tab5" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 1, - "content": { - "json": "## Hub and spoke" - }, - "name": "tab6title" + "name": "query5" }, { "type": 1, "content": { - "json": "If using Route Server, use a /27 prefix for the Route Server subnet. Check [this link](https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1) for further information." + "json": "Leverage the Local SKU of ExpressRoute to reduce the cost of your circuits, if your circuits' peering location supports your Azure regions for the Local SKU. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local) for further information." }, - "name": "querytext0" + "name": "querytext6" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = 
(circuitsku == 'Local') | summarize compliant=max(compliant) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -2752,20 +2752,20 @@ ] } }, - "name": "query0" + "name": "query6" }, { "type": 1, "content": { - "json": "When connecting spoke virtual networks to the central hub virtual network, consider VNet peering limits (500), the maximum number of prefixes that can be advertised via ExpressRoute (1000). Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information." + "json": "Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this." }, - "name": "querytext1" + "name": "querytext7" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -2814,20 +2814,20 @@ ] } }, - "name": "query1" + "name": "query7" }, { "type": 1, "content": { - "json": "Consider the limit of routes per route table (400). Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information." + "json": "Use zone-redundant VPN gateways to connect branches or remote locations to Azure (where available). Check [this link](https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway) for further information.. [This training](https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/) can help to educate yourself on this." }, - "name": "querytext2" + "name": "querytext8" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -2876,20 +2876,20 @@ ] } }, - "name": "query2" + "name": "query8" }, { "type": 1, "content": { - "json": "Use the setting 'Allow traffic to remote virtual network' when configuring VNet peerings. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering) for further information." + "json": "If you are using a route table in the GatewaySubnet, make sure that gateway routes are propagated. Check [this link](https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub) for further information." }, - "name": "querytext3" + "name": "querytext9" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation)) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", @@ -2938,7 +2938,7 @@ ] } }, - "name": "query3" + "name": "query9" } ] }, 
diff --git a/workbooks/alz_checklist.en_network_counters_template.json b/workbooks/alz_checklist.en_network_counters_template.json index 22b2375df..ded98c87d 100644 --- a/workbooks/alz_checklist.en_network_counters_template.json +++ b/workbooks/alz_checklist.en_network_counters_template.json 
@@ -41,7 +41,7 @@ "dependsOn": [], "properties": { "displayName": "[parameters('workbookDisplayName')]", - "serializedData": "{\n \"version\": \"Notebook/1.0\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"parameters\": [\n {\n \"id\": \"497a107e-dde8-433e-b263-35ac8e8f7834\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Subscription\",\n \"type\": 6,\n \"multiSelect\": true,\n \"quote\": \"'\",\n \"delimiter\": \",\",\n \"typeSettings\": {\n \"additionalResourceOptions\": [\n \"value::all\"\n ],\n \"includeAll\": true,\n \"showDefault\": false\n },\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"value\": [\n \"value::all\"\n ]\n },\n {\n \"id\": \"844e4f4e-df51-4e3c-8eaf-0dc78b92c721\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"OnlyFailed\",\n \"label\": \"Only show failed\",\n \"type\": 2,\n \"typeSettings\": {\n \"additionalResourceOptions\": [],\n \"showDefault\": false\n },\n \"jsonData\": \"[\\r\\n { \\\"value\\\":true, \\\"label\\\":\\\"True\\\" },\\r\\n { \\\"value\\\":false, \\\"label\\\":\\\"False\\\", \\\"selected\\\":true }\\r\\n]\"\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 0,\n \"resourceType\": \"microsoft.operationalinsights/workspaces\"\n },\n \"name\": \"WorkbookSelectors\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you set \\\"Only show failed\\\" to \\\"Yes\\\", the different queries will only show items that have failed their compliance checks.\",\n \"style\": \"info\"\n },\n \"name\": \"InfoBox\"\n },\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"value::all\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query0Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, 
subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query0FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query0Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query1Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n 
\"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query1FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query1Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query2Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query2FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query2Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query3Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 
'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query3FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query3Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query4Stats\",\n \"type\": 1,\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n 
\"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query4FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query4Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query5Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query5FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query5Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n 
\"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query6Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query6FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query6Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query7Stats\",\n \"type\": 1,\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, 
compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query7FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query7Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query8Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query8FullyCompliant\",\n \"type\": 1,\n \"query\": 
\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query8Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query9Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation))| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query9FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query9Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": 
\"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query10Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query10FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query10Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query11Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = 
split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query11FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query11Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query12Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n 
\"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query12FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query12Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query13Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query13FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query13Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query14Stats\",\n \"type\": 1,\n \"query\": \"resources | where 
type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query14FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query14Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query15Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": 
\"Query15FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query15Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query16Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query16FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query16Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query17Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | 
where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query17FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query17Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query18Stats\",\n \"type\": 1,\n \"query\": 
\"resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query18FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query18Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query19Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = 
iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query19FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query19Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query20Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": 
\"Query20FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query20Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query21Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n 
\"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query21FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query21Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query22Stats\",\n \"type\": 1,\n \"query\": \"Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetName=subnets.name,subnetNsg=subnets.properties.networkSecurityGroup | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend compliant = isnotnull(subnetNsg)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query22FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query22Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query23Stats\",\n \"type\": 
1,\n \"query\": \"resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query23FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query23Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query12Stats:$.Success}+{Query13Stats:$.Success}+{Query14Stats:$.Success}+{Query15Stats:$.Success}+{Query16Stats:$.Success}+{Query17Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": 
\"{Query12Stats:$.Total}+{Query13Stats:$.Total}+{Query14Stats:$.Total}+{Query15Stats:$.Total}+{Query16Stats:$.Total}+{Query17Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab0Success}/{Tab0Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query10Stats:$.Success}+{Query11Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query10Stats:$.Total}+{Query11Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab1Success}/{Tab1Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab2Success\",\n \"type\": 1,\n 
\"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query18Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab2Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query18Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab2Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab2Success}/{Tab2Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab3Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query19Stats:$.Success}+{Query20Stats:$.Success}+{Query21Stats:$.Success}+{Query22Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab3Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": 
\"{Query19Stats:$.Total}+{Query20Stats:$.Total}+{Query21Stats:$.Total}+{Query22Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab3Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab3Success}/{Tab3Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab4Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query23Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab4Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query23Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab4Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab4Success}/{Tab4Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab5Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n 
\"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query4Stats:$.Success}+{Query5Stats:$.Success}+{Query6Stats:$.Success}+{Query7Stats:$.Success}+{Query8Stats:$.Success}+{Query9Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab5Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query4Stats:$.Total}+{Query5Stats:$.Total}+{Query6Stats:$.Total}+{Query7Stats:$.Total}+{Query8Stats:$.Total}+{Query9Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab5Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab5Success}/{Tab5Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab6Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query0Stats:$.Success}+{Query1Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab6Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": 
\"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query0Stats:$.Total}+{Query1Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab6Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab6Success}/{Tab6Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"WorkbookTotal\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query12Stats:$.Total}+{Query13Stats:$.Total}+{Query14Stats:$.Total}+{Query15Stats:$.Total}+{Query16Stats:$.Total}+{Query17Stats:$.Total}+{Query10Stats:$.Total}+{Query11Stats:$.Total}+{Query18Stats:$.Total}+{Query19Stats:$.Total}+{Query20Stats:$.Total}+{Query21Stats:$.Total}+{Query22Stats:$.Total}+{Query23Stats:$.Total}+{Query4Stats:$.Total}+{Query5Stats:$.Total}+{Query6Stats:$.Total}+{Query7Stats:$.Total}+{Query8Stats:$.Total}+{Query9Stats:$.Total}+{Query0Stats:$.Total}+{Query1Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"WorkbookSuccess\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": 
\"{Query12Stats:$.Success}+{Query13Stats:$.Success}+{Query14Stats:$.Success}+{Query15Stats:$.Success}+{Query16Stats:$.Success}+{Query17Stats:$.Success}+{Query10Stats:$.Success}+{Query11Stats:$.Success}+{Query18Stats:$.Success}+{Query19Stats:$.Success}+{Query20Stats:$.Success}+{Query21Stats:$.Success}+{Query22Stats:$.Success}+{Query23Stats:$.Success}+{Query4Stats:$.Success}+{Query5Stats:$.Success}+{Query6Stats:$.Success}+{Query7Stats:$.Success}+{Query8Stats:$.Success}+{Query9Stats:$.Success}+{Query0Stats:$.Success}+{Query1Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"WorkbookPercent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{WorkbookSuccess}/{WorkbookTotal})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"InvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Azure Landing Zone Review - Network\\n\\n---\\n\\nThis workbook has been automatically generated out of the checklists in the [Azure Review Checklists repo](https://github.com/Azure/review-checklists). This repo contains best practices and recommendations around generic Landing Zones as well as specific services such as Azure Virtual Desktop, Azure Kubernetes Service or Azure VMware Solution, to name a few. 
This repository of best practices is curated by Azure engineers, but open to anybody to contribute.\\n\\nIf you see a problem in the queries that are part of this workbook, please open a Github issue [here](https://github.com/Azure/review-checklists/issues/new).\"\n },\n \"customWidth\": \"50\",\n \"name\": \"MarkdownHeader\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"WorkbookPercent\\\\\\\": \\\\\\\"{WorkbookPercent}\\\\\\\", \\\\\\\"SubTitle\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 4,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"WorkbookPercent\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"SubTitle\",\n \"formatter\": 1\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"ProgressTile\"\n },\n {\n \"type\": 11,\n \"content\": {\n \"version\": \"LinkItem/1.0\",\n \"style\": \"tabs\",\n \"links\": [\n {\n \"id\": \"bff2cb3f-8087-4319-a8cf-810034b5b293\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Internet ({Tab0Success:value}/{Tab0Total:value})\",\n \"subTarget\": \"tab0\",\n \"preText\": \"Internet\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"31df8a1c-944b-4f7f-ae74-860e423c17bd\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"IP plan ({Tab1Success:value}/{Tab1Total:value})\",\n \"subTarget\": \"tab1\",\n \"preText\": \"IP plan\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"ccaa8035-700c-4618-8eed-51dd284ac094\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"PaaS ({Tab2Success:value}/{Tab2Total:value})\",\n \"subTarget\": \"tab2\",\n \"preText\": \"PaaS\",\n \"style\": 
\"primary\"\n },\n {\n \"id\": \"8c4c21c1-51c2-484f-921c-538c48517027\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Segmentation ({Tab3Success:value}/{Tab3Total:value})\",\n \"subTarget\": \"tab3\",\n \"preText\": \"Segmentation\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"913805f4-47d7-4cac-9fcc-c5ef17d4a132\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Virtual WAN ({Tab4Success:value}/{Tab4Total:value})\",\n \"subTarget\": \"tab4\",\n \"preText\": \"Virtual WAN\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"f962687c-e0f3-4801-816b-cdc957dbaeb9\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Hybrid ({Tab5Success:value}/{Tab5Total:value})\",\n \"subTarget\": \"tab5\",\n \"preText\": \"Hybrid\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"771d3851-8fc2-44a2-979a-b5a54d145cb2\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Hub and spoke ({Tab6Success:value}/{Tab6Total:value})\",\n \"subTarget\": \"tab6\",\n \"preText\": \"Hub and spoke\",\n \"style\": \"primary\"\n }\n ]\n },\n \"name\": \"Tabs\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Internet\"\n },\n \"name\": \"tab0title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure Bastion in a subnet /26 or larger. 
Check [this link](https://learn.microsoft.com/azure/bastion/bastion-faq#subnet) for further information.\"\n },\n \"name\": \"querytext12\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query12\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over protocols not supported by application rules. 
Check [this link](https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules) for further information.\"\n },\n \"name\": \"querytext13\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query13\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure Firewall Premium for additional security and protection. 
Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information.\"\n },\n \"name\": \"querytext14\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query14\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Configure Azure Firewall Threat Intelligence mode to Alert and Deny for additional protection. 
Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information.\"\n },\n \"name\": \"querytext15\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query15\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Configure Azure Firewall IDPS mode to Deny for additional protection. 
Check [this link](https://learn.microsoft.com/azure/firewall/premium-features#idps) for further information.\"\n },\n \"name\": \"querytext16\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query16\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance. 
Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview) for further information.\"\n },\n \"name\": \"querytext17\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n 
\"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query17\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab0\"\n },\n \"name\": \"tab0\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## IP plan\"\n },\n \"name\": \"tab1title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use IP addresses from the address allocation ranges for private internets (RFC 1918). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. 
[This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext10\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query10\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure that IP address space isn't wasted, don't create unnecessarily large virtual networks (for example /16). 
Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext11\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query11\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab1\"\n },\n \"name\": \"tab1\"\n },\n 
{\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## PaaS\"\n },\n \"name\": \"tab2title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Don't enable virtual network service endpoints by default on all subnets. Check [this link](https://learn.microsoft.com/azure/app-service/networking-features) for further information.. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn) can help to educate yourself on this.\"\n },\n \"name\": \"querytext18\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": 
null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query18\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab2\"\n },\n \"name\": \"tab2\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Segmentation\"\n },\n \"name\": \"tab3title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use a /26 prefix for your Azure Firewall subnets. Check [this link](https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size) for further information.\"\n },\n \"name\": \"querytext19\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n 
\"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query19\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use at least a /27 prefix for your Gateway subnets. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway) for further information.\"\n },\n \"name\": \"querytext20\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": 
\"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query20\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Don't rely on the NSG inbound default rules using the VirtualNetwork service tag to limit connectivity. Check [this link](https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags) for further information.\"\n },\n \"name\": \"querytext21\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": 
\"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query21\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"The application team should use application security groups at the subnet-level NSGs to help protect multi-tier VMs within the landing zone. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext22\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetName=subnets.name,subnetNsg=subnets.properties.networkSecurityGroup | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend compliant = isnotnull(subnetNsg) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n 
\"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query22\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab3\"\n },\n \"name\": \"tab3\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Virtual WAN\"\n },\n \"name\": \"tab4title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"For outbound Internet traffic protection and filtering, deploy Azure Firewall in secured hubs. Check [this link](https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext23\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": 
\"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query23\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab4\"\n },\n \"name\": \"tab4\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Hybrid\"\n },\n \"name\": \"tab5title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure that you're using the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-routing) for further information.. 
[This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext4\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query4\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure that you're using unlimited-data ExpressRoute circuits only if you reach the bandwidth that justifies their cost. 
Check [this link](https://learn.microsoft.com/azure/expressroute/plan-manage-cost) for further information.\"\n },\n \"name\": \"querytext5\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query5\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Leverage the Local SKU of ExpressRoute to reduce the cost of your circuits, if your circuits' peering location supports your Azure regions for the Local SKU. 
Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local) for further information.\"\n },\n \"name\": \"querytext6\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query6\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways) for further information.. 
[This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext7\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query7\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use zone-redundant VPN gateways to connect branches or remote locations to Azure (where available). Check [this link](https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway) for further information.. 
[This training](https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext8\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query8\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you are using a route table in the GatewaySubnet, make sure that gateway routes are propagated. 
Check [this link](https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub) for further information.\"\n },\n \"name\": \"querytext9\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation)) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query9\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n 
\"value\": \"tab5\"\n },\n \"name\": \"tab5\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Hub and spoke\"\n },\n \"name\": \"tab6title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If using Route Server, use a /27 prefix for the Route Server subnet. Check [this link](https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1) for further information.\"\n },\n \"name\": \"querytext0\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n 
\"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query0\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"When connecting spoke virtual networks to the central hub virtual network, consider VNet peering limits (500), the maximum number of prefixes that can be advertised via ExpressRoute (1000). Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information.\"\n },\n \"name\": \"querytext1\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query1\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Consider the limit of routes per route table 
(400). Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information.\"\n },\n \"name\": \"querytext2\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query2\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use the setting 'Allow traffic to remote virtual network' when configuring VNet peerings. 
Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering) for further information.\"\n },\n \"name\": \"querytext3\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query3\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab6\"\n },\n \"name\": \"tab6\"\n }\n ],\n \"$schema\": \"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"\n}", + "serializedData": "{\n \"version\": \"Notebook/1.0\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"parameters\": [\n {\n \"id\": 
\"497a107e-dde8-433e-b263-35ac8e8f7834\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Subscription\",\n \"type\": 6,\n \"multiSelect\": true,\n \"quote\": \"'\",\n \"delimiter\": \",\",\n \"typeSettings\": {\n \"additionalResourceOptions\": [\n \"value::all\"\n ],\n \"includeAll\": true,\n \"showDefault\": false\n },\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"value\": [\n \"value::all\"\n ]\n },\n {\n \"id\": \"844e4f4e-df51-4e3c-8eaf-0dc78b92c721\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"OnlyFailed\",\n \"label\": \"Only show failed\",\n \"type\": 2,\n \"typeSettings\": {\n \"additionalResourceOptions\": [],\n \"showDefault\": false\n },\n \"jsonData\": \"[\\r\\n { \\\"value\\\":true, \\\"label\\\":\\\"True\\\" },\\r\\n { \\\"value\\\":false, \\\"label\\\":\\\"False\\\", \\\"selected\\\":true }\\r\\n]\"\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 0,\n \"resourceType\": \"microsoft.operationalinsights/workspaces\"\n },\n \"name\": \"WorkbookSelectors\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you set \\\"Only show failed\\\" to \\\"Yes\\\", the different queries will only show items that have failed their compliance checks.\",\n \"style\": \"info\"\n },\n \"name\": \"InfoBox\"\n },\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"value::all\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query0Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant| summarize Total = count(), Success = 
countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query0FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query0Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query1Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query1FullyCompliant\",\n \"type\": 1,\n \"query\": 
\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query1Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query2Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query2FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query2Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query3Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)| summarize Total = 
count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query3FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query3Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query4Stats\",\n \"type\": 1,\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": 
\"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query4FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query4Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query5Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query5FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query5Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query6Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, 
gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query6FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query6Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query7Stats\",\n \"type\": 1,\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = 
iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query7FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query7Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query8Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query8FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query8Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 
86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query9Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation))| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query9FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query9Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query10Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = 
todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query10FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query10Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query11Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend 
SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query11FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query11Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query12Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": 
\"Query12FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query12Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query13Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query13FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query13Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query14Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = 
iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query14FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query14Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query15Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query15FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query15Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n 
\"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query16Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query16FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query16Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query17Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 
'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query17FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query17Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query18Stats\",\n \"type\": 1,\n \"query\": \"resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = 
subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query18FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query18Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query19Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n 
],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query19FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query19Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query20Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query20FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query20Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": 
true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query21Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query21FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": 
\\\\\\\"{Query21Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query22Stats\",\n \"type\": 1,\n \"query\": \"Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetName=subnets.name,subnetNsg=subnets.properties.networkSecurityGroup | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend compliant = isnotnull(subnetNsg)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query22FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query22Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query23Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant| summarize Total = 
count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query23FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query23Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query18Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query18Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n 
\"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab0Success}/{Tab0Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query0Stats:$.Success}+{Query1Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query0Stats:$.Total}+{Query1Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab1Success}/{Tab1Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab2Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query23Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n 
\"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab2Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query23Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab2Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab2Success}/{Tab2Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab3Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query19Stats:$.Success}+{Query20Stats:$.Success}+{Query21Stats:$.Success}+{Query22Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab3Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query19Stats:$.Total}+{Query20Stats:$.Total}+{Query21Stats:$.Total}+{Query22Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab3Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n 
\"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab3Success}/{Tab3Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab4Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query10Stats:$.Success}+{Query11Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab4Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query10Stats:$.Total}+{Query11Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab4Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab4Success}/{Tab4Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab5Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query12Stats:$.Success}+{Query13Stats:$.Success}+{Query14Stats:$.Success}+{Query15Stats:$.Success}+{Query16Stats:$.Success}+{Query17Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": 
\"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab5Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query12Stats:$.Total}+{Query13Stats:$.Total}+{Query14Stats:$.Total}+{Query15Stats:$.Total}+{Query16Stats:$.Total}+{Query17Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab5Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab5Success}/{Tab5Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab6Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query4Stats:$.Success}+{Query5Stats:$.Success}+{Query6Stats:$.Success}+{Query7Stats:$.Success}+{Query8Stats:$.Success}+{Query9Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab6Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query4Stats:$.Total}+{Query5Stats:$.Total}+{Query6Stats:$.Total}+{Query7Stats:$.Total}+{Query8Stats:$.Total}+{Query9Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": 
\"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab6Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab6Success}/{Tab6Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"WorkbookTotal\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query18Stats:$.Total}+{Query0Stats:$.Total}+{Query1Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}+{Query23Stats:$.Total}+{Query19Stats:$.Total}+{Query20Stats:$.Total}+{Query21Stats:$.Total}+{Query22Stats:$.Total}+{Query10Stats:$.Total}+{Query11Stats:$.Total}+{Query12Stats:$.Total}+{Query13Stats:$.Total}+{Query14Stats:$.Total}+{Query15Stats:$.Total}+{Query16Stats:$.Total}+{Query17Stats:$.Total}+{Query4Stats:$.Total}+{Query5Stats:$.Total}+{Query6Stats:$.Total}+{Query7Stats:$.Total}+{Query8Stats:$.Total}+{Query9Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"WorkbookSuccess\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": 
\"{Query18Stats:$.Success}+{Query0Stats:$.Success}+{Query1Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}+{Query23Stats:$.Success}+{Query19Stats:$.Success}+{Query20Stats:$.Success}+{Query21Stats:$.Success}+{Query22Stats:$.Success}+{Query10Stats:$.Success}+{Query11Stats:$.Success}+{Query12Stats:$.Success}+{Query13Stats:$.Success}+{Query14Stats:$.Success}+{Query15Stats:$.Success}+{Query16Stats:$.Success}+{Query17Stats:$.Success}+{Query4Stats:$.Success}+{Query5Stats:$.Success}+{Query6Stats:$.Success}+{Query7Stats:$.Success}+{Query8Stats:$.Success}+{Query9Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"WorkbookPercent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{WorkbookSuccess}/{WorkbookTotal})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"InvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Azure Landing Zone Review - Network\\n\\n---\\n\\nThis workbook has been automatically generated out of the checklists in the [Azure Review Checklists repo](https://github.com/Azure/review-checklists). This repo contains best practices and recommendations around generic Landing Zones as well as specific services such as Azure Virtual Desktop, Azure Kubernetes Service or Azure VMware Solution, to name a few. 
This repository of best practices is curated by Azure engineers, but open to anybody to contribute.\\n\\nIf you see a problem in the queries that are part of this workbook, please open a Github issue [here](https://github.com/Azure/review-checklists/issues/new).\"\n },\n \"customWidth\": \"50\",\n \"name\": \"MarkdownHeader\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"WorkbookPercent\\\\\\\": \\\\\\\"{WorkbookPercent}\\\\\\\", \\\\\\\"SubTitle\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 4,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"WorkbookPercent\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"SubTitle\",\n \"formatter\": 1\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"ProgressTile\"\n },\n {\n \"type\": 11,\n \"content\": {\n \"version\": \"LinkItem/1.0\",\n \"style\": \"tabs\",\n \"links\": [\n {\n \"id\": \"35f07a09-028c-4254-b496-52deb79b50df\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"PaaS ({Tab0Success:value}/{Tab0Total:value})\",\n \"subTarget\": \"tab0\",\n \"preText\": \"PaaS\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"8a3ea40d-843e-458a-a272-ceb877b7aa0d\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Hub and spoke ({Tab1Success:value}/{Tab1Total:value})\",\n \"subTarget\": \"tab1\",\n \"preText\": \"Hub and spoke\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"afe943e2-6bbc-4ef7-85cb-64954d1d06aa\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Virtual WAN ({Tab2Success:value}/{Tab2Total:value})\",\n \"subTarget\": \"tab2\",\n \"preText\": \"Virtual 
WAN\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"a302f87e-2c70-4c74-b83a-ebd3f5de6400\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Segmentation ({Tab3Success:value}/{Tab3Total:value})\",\n \"subTarget\": \"tab3\",\n \"preText\": \"Segmentation\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"2a341f64-dfc2-4ab1-b220-fe169764b328\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"IP plan ({Tab4Success:value}/{Tab4Total:value})\",\n \"subTarget\": \"tab4\",\n \"preText\": \"IP plan\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"2aae6146-3c29-4e0f-b437-3a60bbb9651b\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Internet ({Tab5Success:value}/{Tab5Total:value})\",\n \"subTarget\": \"tab5\",\n \"preText\": \"Internet\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"1e46bce1-edbf-438a-9700-aff0b3586cba\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Hybrid ({Tab6Success:value}/{Tab6Total:value})\",\n \"subTarget\": \"tab6\",\n \"preText\": \"Hybrid\",\n \"style\": \"primary\"\n }\n ]\n },\n \"name\": \"Tabs\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## PaaS\"\n },\n \"name\": \"tab0title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Don't enable virtual network service endpoints by default on all subnets. Check [this link](https://learn.microsoft.com/azure/app-service/networking-features) for further information.. 
[This training](https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn) can help to educate yourself on this.\"\n },\n \"name\": \"querytext18\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query18\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab0\"\n },\n \"name\": \"tab0\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n 
\"json\": \"## Hub and spoke\"\n },\n \"name\": \"tab1title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If using Route Server, use a /27 prefix for the Route Server subnet. Check [this link](https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1) for further information.\"\n },\n \"name\": \"querytext0\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query0\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"When connecting spoke virtual networks to the central hub virtual network, consider VNet 
peering limits (500), the maximum number of prefixes that can be advertised via ExpressRoute (1000). Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information.\"\n },\n \"name\": \"querytext1\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query1\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Consider the limit of routes per route table (400). 
Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information.\"\n },\n \"name\": \"querytext2\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query2\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use the setting 'Allow traffic to remote virtual network' when configuring VNet peerings. 
Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering) for further information.\"\n },\n \"name\": \"querytext3\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query3\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab1\"\n },\n \"name\": \"tab1\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Virtual WAN\"\n },\n \"name\": \"tab2title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"For outbound Internet traffic 
protection and filtering, deploy Azure Firewall in secured hubs. Check [this link](https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext23\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query23\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab2\"\n },\n \"name\": \"tab2\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Segmentation\"\n },\n \"name\": \"tab3title\"\n },\n {\n \"type\": 1,\n 
\"content\": {\n \"json\": \"Use a /26 prefix for your Azure Firewall subnets. Check [this link](https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size) for further information.\"\n },\n \"name\": \"querytext19\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query19\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use at least a /27 prefix for your Gateway subnets. 
Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway) for further information.\"\n },\n \"name\": \"querytext20\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query20\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Don't rely on the NSG inbound default rules using the VirtualNetwork service tag to limit connectivity. 
Check [this link](https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags) for further information.\"\n },\n \"name\": \"querytext21\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n 
\"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query21\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"The application team should use application security groups at the subnet-level NSGs to help protect multi-tier VMs within the landing zone. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext22\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetName=subnets.name,subnetNsg=subnets.properties.networkSecurityGroup | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend compliant = isnotnull(subnetNsg) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n 
\"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query22\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab3\"\n },\n \"name\": \"tab3\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## IP plan\"\n },\n \"name\": \"tab4title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use IP addresses from the address allocation ranges for private internets (RFC 1918). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext10\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n 
\"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query10\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure that IP address space isn't wasted, don't create unnecessarily large virtual networks (for example /16). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext11\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n 
\"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query11\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab4\"\n },\n \"name\": \"tab4\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Internet\"\n },\n \"name\": \"tab5title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure Bastion in a subnet /26 or larger. Check [this link](https://learn.microsoft.com/azure/bastion/bastion-faq#subnet) for further information.\"\n },\n \"name\": \"querytext12\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n 
\"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query12\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over protocols not supported by application rules. Check [this link](https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules) for further information.\"\n },\n \"name\": \"querytext13\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n 
\"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query13\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure Firewall Premium for additional security and protection. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information.\"\n },\n \"name\": \"querytext14\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query14\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Configure Azure Firewall Threat Intelligence mode to Alert and Deny for additional protection. 
Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information.\"\n },\n \"name\": \"querytext15\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query15\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Configure Azure Firewall IDPS mode to Deny for additional protection. 
Check [this link](https://learn.microsoft.com/azure/firewall/premium-features#idps) for further information.\"\n },\n \"name\": \"querytext16\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query16\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance. 
Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview) for further information.\"\n },\n \"name\": \"querytext17\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n 
\"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query17\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab5\"\n },\n \"name\": \"tab5\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Hybrid\"\n },\n \"name\": \"tab6title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure that you're using the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-routing) for further information.. 
[This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext4\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query4\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure that you're using unlimited-data ExpressRoute circuits only if you reach the bandwidth that justifies their cost. 
Check [this link](https://learn.microsoft.com/azure/expressroute/plan-manage-cost) for further information.\"\n },\n \"name\": \"querytext5\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query5\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Leverage the Local SKU of ExpressRoute to reduce the cost of your circuits, if your circuits' peering location supports your Azure regions for the Local SKU. 
Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local) for further information.\"\n },\n \"name\": \"querytext6\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query6\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways) for further information.. 
[This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext7\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query7\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use zone-redundant VPN gateways to connect branches or remote locations to Azure (where available). Check [this link](https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway) for further information.. 
[This training](https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext8\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query8\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you are using a route table in the GatewaySubnet, make sure that gateway routes are propagated. 
Check [this link](https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub) for further information.\"\n },\n \"name\": \"querytext9\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation)) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query9\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n 
\"value\": \"tab6\"\n },\n \"name\": \"tab6\"\n }\n ],\n \"$schema\": \"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"\n}", "version": "1.0", "sourceId": "[parameters('workbookSourceId')]", "category": "[parameters('workbookType')]" diff --git a/workbooks/alz_checklist.en_network_tabcounters.json b/workbooks/alz_checklist.en_network_tabcounters.json index 43ce1f777..a24f96f21 100644 --- a/workbooks/alz_checklist.en_network_tabcounters.json +++ b/workbooks/alz_checklist.en_network_tabcounters.json 
@@ -70,61 +70,61 @@ "style": "tabs", "links": [ { - "id": "cefaac0c-d207-4c42-9a7d-75d2f86d1f7d", + "id": "9481f56b-abfd-4262-8a7c-d9a1f738d1e3", "cellValue": "VisibleTab", "linkTarget": "parameter", - "linkLabel": "Hub and spoke", + "linkLabel": "Virtual WAN", "subTarget": "tab0", - "preText": "Hub and spoke", + "preText": "Virtual WAN", "style": "primary" }, { - "id": "87c13089-5aaf-44df-95a0-1037fa8ea326", + "id": "254839ab-5719-49ba-9056-ba52ddbfbf0e", "cellValue": "VisibleTab", "linkTarget": "parameter", - "linkLabel": "Hybrid", + "linkLabel": "PaaS", "subTarget": "tab1", - "preText": "Hybrid", + "preText": "PaaS", "style": "primary" }, { - "id": "f8da229c-21e4-41e4-93f9-a0db2edfc8fd", + "id": "080e94dc-2a70-4423-9de4-58f6ce9dee18", "cellValue": "VisibleTab", "linkTarget": "parameter", - "linkLabel": "Segmentation", + "linkLabel": "Hybrid", "subTarget": "tab2", - "preText": "Segmentation", + "preText": "Hybrid", "style": "primary" }, { - "id": "bda372ef-4c44-4dfa-b744-8112289085a1", + "id": "21719327-f800-4e78-a6cf-30a6e3ea37f9", "cellValue": "VisibleTab", "linkTarget": "parameter", - "linkLabel": "PaaS", + "linkLabel": "Internet", "subTarget": "tab3", - "preText": "PaaS", + "preText": "Internet", "style": "primary" }, { - "id": "f5c27a70-6301-4cba-89c3-9f69fc37893f", + "id": "456aa0e5-3657-4627-9b74-36ebdd0233a4", "cellValue": "VisibleTab", "linkTarget": "parameter", - "linkLabel": "Virtual WAN", + "linkLabel": "Hub and spoke", "subTarget": "tab4", - "preText": "Virtual WAN", + "preText": "Hub and spoke", "style": "primary" }, { - "id": "44cda46e-7086-4d59-870d-691604dbe547", + "id": "16f325de-6441-4e8b-8719-a16b31b56ffd", "cellValue": "VisibleTab", "linkTarget": "parameter", - "linkLabel": "Internet", + "linkLabel": "Segmentation", "subTarget": "tab5", - "preText": "Internet", + "preText": "Segmentation", "style": "primary" }, { - "id": "ed560364-b2db-4766-80be-67632a817e9d", + "id": "74fbb015-3f4b-4617-b0d4-d0e557c3a0a4", "cellValue": "VisibleTab", 
"linkTarget": "parameter", "linkLabel": "IP plan", @@ -153,9 +153,9 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Query0Stats", + "name": "Query23Stats", "type": 1, - "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", + "query": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", "crossComponentResources": [ "{Subscription}" ], @@ -169,9 +169,9 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Query0FullyCompliant", + "name": "Query23FullyCompliant", "type": 1, - "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query0Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", + "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query23Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", "isHiddenWhenLocked": true, "timeContext": { "durationMs": 86400000 
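Review bot: An empty result set is scored as a pass in the new `Query23Stats` query, because `SuccessPercent = iff(Total==0, 100, ...)` makes `FullyCompliant` evaluate to 'Yes' when no `microsoft.network/virtualhubs` resource is returned. Azure Resource Graph only returns resources the viewer can read, so a missing read permission or a wrong `{Subscription}` selection looks the same as a fully compliant estate. I would report that case separately, e.g. `| extend FullyCompliant = case(Total == 0, 'N/A', SuccessPercent == 100, 'Yes', 'No')`, provided the consumers of `FullyCompliant` (not visible in this hunk) accept a third value. The same expression is in the added `Query18Stats` query in the `@@ -181,65 +181,199 @@` hunk. In both queries the result column is still aliased `Query1Stats`, which no longer matches the parameter name.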
@@ -181,65 +181,199 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Query1Stats", + "name": "Tab0Success", "type": 1, - "query": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", - "crossComponentResources": [ - "{Subscription}" - ], "isHiddenWhenLocked": true, "timeContext": { "durationMs": 86400000 }, - "queryType": 1, - "resourceType": "microsoft.resourcegraph/resources" + "criteriaData": [ + { + "criteriaContext": { + "operator": "Default", + "resultValType": "expression", + "resultVal": "{Query23Stats:$.Success}" + } + } + ] }, { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Query1FullyCompliant", + "name": "Tab0Total", "type": 1, - "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query1Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", "isHiddenWhenLocked": true, "timeContext": { "durationMs": 86400000 }, - "queryType": 8 + "criteriaData": [ + { + "criteriaContext": { + "operator": "Default", + "resultValType": "expression", + "resultVal": "{Query23Stats:$.Total}" + } + } + ] }, { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Query2Stats", + "name": "Tab0Percent", "type": 1, - "query": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = 
countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", - "crossComponentResources": [ - "{Subscription}" - ], "isHiddenWhenLocked": true, "timeContext": { "durationMs": 86400000 }, - "queryType": 1, - "resourceType": "microsoft.resourcegraph/resources" - }, - { - "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", - "version": "KqlParameterItem/1.0", - "name": "Query2FullyCompliant", - "type": 1, - "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query2Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 86400000 + "criteriaData": [ + { + "criteriaContext": { + "operator": "Default", + "resultValType": "expression", + "resultVal": "round(100*{Tab0Success}/{Tab0Total})" + } + } + ] + } + ], + "style": "pills", + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources" + }, + "name": "TabInvisibleParameters" + }, + { + "type": 1, + "content": { + "json": "## Virtual WAN" + }, + "customWidth": "50", + "name": "tab0title" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"Column1\\\": \\\"{Tab0Percent}\\\", \\\"Column2\\\": \\\"Percent of successful checks\\\"}\",\"transformers\":null}", + "size": 3, + "queryType": 8, + "visualization": "tiles", + "tileSettings": { + "titleContent": { + "columnMatch": "Column1", + "formatter": 4, + "formatOptions": { + "min": 0, + "max": 100, + "palette": "redGreen" }, - "queryType": 8 + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } }, + "subtitleContent": { + "columnMatch": "Column2" + }, + "showBorder": true + } + }, + "customWidth": "50", + "name": "TabPercentTile" + }, + { + "type": 1, + "content": { + "json": "For outbound Internet traffic protection and filtering, deploy Azure Firewall in 
secured hubs. Check [this link](https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/) can help to educate yourself on this." + }, + "name": "querytext23" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "size": 4, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "crossComponentResources": [ + "{Subscription}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "id", + "formatter": 0, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } + }, + { + "columnMatch": "compliant", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "1", + "representation": "success", + "text": "Success" + }, + { + "operator": "==", + "thresholdValue": "0", + "representation": "failed", + "text": "Failed" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "unknown", + "text": "Unknown" + } + ] + } + } + ] + } + }, + "name": "query23" + } + ] + }, + "conditionalVisibility": { + "parameterName": "VisibleTab", + "comparison": "isEqualTo", + "value": "tab0" + }, + "name": "tab0" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "crossComponentResources": [ + "{Subscription}" + ], + "parameters": [ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Query3Stats", + "name": "Query18Stats", "type": 1, - "query": "resources | where type == 
'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", + "query": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", "crossComponentResources": [ "{Subscription}" ], @@ -253,9 +387,9 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Query3FullyCompliant", + "name": "Query18FullyCompliant", "type": 1, - "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query3Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", + "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query18Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", "isHiddenWhenLocked": true, "timeContext": { "durationMs": 86400000 @@ -265,7 +399,7 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Tab0Success", + "name": "Tab1Success", "type": 1, "isHiddenWhenLocked": true, "timeContext": { 
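Review bot: `Tab0Percent` is computed as `round(100*{Tab0Success}/{Tab0Total})`, and since `Tab0Total` is now fed by `{Query23Stats:$.Total}` alone, it is 0 whenever no virtual hub is in scope, so the expression divides by zero. How the workbook renders that result is not visible here, but the `redGreen` tile should not show an undefined score for a security check. One option is to hide the tile in that case by adding `"conditionalVisibility": { "parameterName": "Tab0Total", "comparison": "isNotEqualTo", "value": "0" }` to the `TabPercentTile` item. `Tab1Percent` in the `@@ -314,7 +448,7 @@` hunk has the same shape, and the parameter list these items belong to starts outside this hunk.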
@@ -276,7 +410,7 @@ "criteriaContext": { "operator": "Default", "resultValType": "expression", - "resultVal": "{Query0Stats:$.Success}+{Query1Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}" + "resultVal": "{Query18Stats:$.Success}" } } ] @@ -284,7 +418,7 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Tab0Total", + "name": "Tab1Total", "type": 1, "isHiddenWhenLocked": true, "timeContext": { @@ -295,7 +429,7 @@ "criteriaContext": { "operator": "Default", "resultValType": "expression", - "resultVal": "{Query0Stats:$.Total}+{Query1Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}" + "resultVal": "{Query18Stats:$.Total}" } } ] @@ -303,7 +437,7 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Tab0Percent", + "name": "Tab1Percent", "type": 1, "isHiddenWhenLocked": true, "timeContext": { @@ -314,7 +448,7 @@ "criteriaContext": { "operator": "Default", "resultValType": "expression", - "resultVal": "round(100*{Tab0Success}/{Tab0Total})" + "resultVal": "round(100*{Tab1Success}/{Tab1Total})" } } ] @@ -329,16 +463,16 @@ { "type": 1, "content": { - "json": "## Hub and spoke" + "json": "## PaaS" }, "customWidth": "50", - "name": "tab0title" + "name": "tab1title" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"Column1\\\": \\\"{Tab0Percent}\\\", \\\"Column2\\\": \\\"Percent of successful checks\\\"}\",\"transformers\":null}", + "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"Column1\\\": \\\"{Tab1Percent}\\\", \\\"Column2\\\": \\\"Percent of successful checks\\\"}\",\"transformers\":null}", "size": 3, "queryType": 8, "visualization": "tiles", 
@@ -370,15 +504,15 @@ { "type": 1, "content": { - "json": "If using Route Server, use a /27 prefix for the Route Server subnet. Check [this link](https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1) for further information." + "json": "Don't enable virtual network service endpoints by default on all subnets. Check [this link](https://learn.microsoft.com/azure/app-service/networking-features) for further information.. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn) can help to educate yourself on this." }, - "name": "querytext0" + "name": "querytext18" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
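Review bot: The added query fails every subnet whose `subnets.properties.serviceEndpoints` array is non-empty, while the text in `querytext18` only advises against enabling service endpoints "by default on all subnets". A single, deliberately scoped endpoint is therefore shown as 'Failed' exactly like a blanket default. If the strict reading is intended, the text should say so, for example by appending `Subnets with any service endpoint are listed as failed; confirm that each one is intentional.` On style, `id = subnets.id` is left dynamic here, whereas the route-table query elsewhere on this page uses `tostring(subnets.id)`. The new text also carries a doubled period in `information.. [This training]`.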
@@ -427,202 +561,16 @@ ] } }, - "name": "query0" - }, - { - "type": 1, - "content": { - "json": "When connecting spoke virtual networks to the central hub virtual network, consider VNet peering limits (500), the maximum number of prefixes that can be advertised via ExpressRoute (1000). Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information." - }, - "name": "querytext1" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", - "size": 4, - "queryType": 1, - "resourceType": "microsoft.resourcegraph/resources", - "crossComponentResources": [ - "{Subscription}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "id", - "formatter": 0, - "numberFormat": { - "unit": 0, - "options": { - "style": "decimal" - } - } - }, - { - "columnMatch": "compliant", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "==", - "thresholdValue": "1", - "representation": "success", - "text": "Success" - }, - { - "operator": "==", - "thresholdValue": "0", - "representation": "failed", - "text": "Failed" - }, - { - "operator": "Default", - "thresholdValue": null, - "representation": "unknown", - "text": "Unknown" - } - ] - } - } - ] - } - }, - "name": "query1" - }, - { - "type": 1, - "content": { - "json": "Consider the limit of routes per route table (400). 
Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information." - }, - "name": "querytext2" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", - "size": 4, - "queryType": 1, - "resourceType": "microsoft.resourcegraph/resources", - "crossComponentResources": [ - "{Subscription}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "id", - "formatter": 0, - "numberFormat": { - "unit": 0, - "options": { - "style": "decimal" - } - } - }, - { - "columnMatch": "compliant", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "==", - "thresholdValue": "1", - "representation": "success", - "text": "Success" - }, - { - "operator": "==", - "thresholdValue": "0", - "representation": "failed", - "text": "Failed" - }, - { - "operator": "Default", - "thresholdValue": null, - "representation": "unknown", - "text": "Unknown" - } - ] - } - } - ] - } - }, - "name": "query2" - }, - { - "type": 1, - "content": { - "json": "Use the setting 'Allow traffic to remote virtual network' when configuring VNet peerings. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering) for further information." 
- }, - "name": "querytext3" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", - "size": 4, - "queryType": 1, - "resourceType": "microsoft.resourcegraph/resources", - "crossComponentResources": [ - "{Subscription}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "id", - "formatter": 0, - "numberFormat": { - "unit": 0, - "options": { - "style": "decimal" - } - } - }, - { - "columnMatch": "compliant", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "==", - "thresholdValue": "1", - "representation": "success", - "text": "Success" - }, - { - "operator": "==", - "thresholdValue": "0", - "representation": "failed", - "text": "Failed" - }, - { - "operator": "Default", - "thresholdValue": null, - "representation": "unknown", - "text": "Unknown" - } - ] - } - } - ] - } - }, - "name": "query3" + "name": "query18" } ] }, "conditionalVisibility": { "parameterName": "VisibleTab", "comparison": "isEqualTo", - "value": "tab0" + "value": "tab1" }, - "name": "tab0" + "name": "tab1" }, { "type": 12, @@ -809,7 +757,7 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Tab1Success", + "name": "Tab2Success", "type": 1, "isHiddenWhenLocked": true, "timeContext": { @@ -828,7 +776,7 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Tab1Total", + "name": "Tab2Total", "type": 1, "isHiddenWhenLocked": true, "timeContext": { 
@@ -847,7 +795,7 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Tab1Percent", + "name": "Tab2Percent", "type": 1, "isHiddenWhenLocked": true, "timeContext": { @@ -858,7 +806,7 @@ "criteriaContext": { "operator": "Default", "resultValType": "expression", - "resultVal": "round(100*{Tab1Success}/{Tab1Total})" + "resultVal": "round(100*{Tab2Success}/{Tab2Total})" } } ] @@ -876,13 +824,13 @@ "json": "## Hybrid" }, "customWidth": "50", - "name": "tab1title" + "name": "tab2title" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"Column1\\\": \\\"{Tab1Percent}\\\", \\\"Column2\\\": \\\"Percent of successful checks\\\"}\",\"transformers\":null}", + "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"Column1\\\": \\\"{Tab2Percent}\\\", \\\"Column2\\\": \\\"Percent of successful checks\\\"}\",\"transformers\":null}", "size": 3, "queryType": 8, "visualization": "tiles", @@ -1288,9 +1236,9 @@ "conditionalVisibility": { "parameterName": "VisibleTab", "comparison": "isEqualTo", - "value": "tab1" + "value": "tab2" }, - "name": "tab1" + "name": "tab2" }, { "type": 12, 
@@ -1309,9 +1257,9 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Query19Stats", + "name": "Query12Stats", "type": 1, - "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", + "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", "crossComponentResources": [ "{Subscription}" ], 
@@ -1325,9 +1273,9 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Query19FullyCompliant", + "name": "Query12FullyCompliant", "type": 1, - "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query19Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", + "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query12Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", "isHiddenWhenLocked": true, "timeContext": { "durationMs": 86400000 @@ -1337,9 +1285,9 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Query20Stats", + "name": "Query13Stats", "type": 1, - "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", + "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", "crossComponentResources": [ "{Subscription}" ], 
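Review bot: `Query13Stats` reports `FullyCompliant = 'Yes'` when the selected scope contains no `microsoft.network/firewallpolicies` resource at all, because `SuccessPercent = iff(Total==0, 100, ...)` turns an empty result into 100. On this tab the same pattern applies to the Premium tier, threat intelligence and IDPS checks (`Query14Stats`, `Query15Stats` and `Query16Stats` in the following hunks). For these egress controls an empty result can mean that no firewall policy is deployed rather than that the control is satisfied. I would surface that as its own state, e.g. `| extend FullyCompliant = iff(Total == 0, 'N/A', iff(SuccessPercent == 100, 'Yes', 'No'))`, after confirming how consumers of `FullyCompliant` handle a third value. The parameter list this item belongs to starts and ends outside the hunk.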
@@ -1353,9 +1301,9 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Query20FullyCompliant", + "name": "Query13FullyCompliant", "type": 1, - "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query20Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", + "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query13Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", "isHiddenWhenLocked": true, "timeContext": { "durationMs": 86400000 
@@ -1365,9 +1313,9 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Query21Stats", + "name": "Query14Stats", "type": 1, - "query": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", + "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", "crossComponentResources": [ "{Subscription}" ], 
@@ -1381,9 +1329,9 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Query21FullyCompliant", + "name": "Query14FullyCompliant", "type": 1, - "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query21Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", + "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query14Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", "isHiddenWhenLocked": true, "timeContext": { "durationMs": 86400000 @@ -1393,9 +1341,9 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Query22Stats", + "name": "Query15Stats", "type": 1, - "query": "Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetName=subnets.name,subnetNsg=subnets.properties.networkSecurityGroup | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend compliant = isnotnull(subnetNsg)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", + "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", "crossComponentResources": [ "{Subscription}" ], 
@@ -1409,9 +1357,9 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Query22FullyCompliant", + "name": "Query15FullyCompliant", "type": 1, - "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query22Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", + "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query15Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", "isHiddenWhenLocked": true, "timeContext": { "durationMs": 86400000 
@@ -1421,26 +1369,63 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Tab2Success", + "name": "Query16Stats", "type": 1, + "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", + "crossComponentResources": [ + "{Subscription}" + ], "isHiddenWhenLocked": true, "timeContext": { "durationMs": 86400000 }, - "criteriaData": [ - { - "criteriaContext": { - "operator": "Default", - "resultValType": "expression", - "resultVal": "{Query19Stats:$.Success}+{Query20Stats:$.Success}+{Query21Stats:$.Success}+{Query22Stats:$.Success}" - } - } - ] + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources" }, { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Tab2Total", + "name": "Query16FullyCompliant", + "type": 1, + "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query16Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", + "isHiddenWhenLocked": true, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 8 + }, + { + "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", + "version": "KqlParameterItem/1.0", + "name": "Query17Stats", + "type": 1, + "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | 
distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", + "crossComponentResources": [ + "{Subscription}" + ], + "isHiddenWhenLocked": true, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources" + }, + { + "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", + "version": "KqlParameterItem/1.0", + "name": "Query17FullyCompliant", + "type": 1, + "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query17Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", + "isHiddenWhenLocked": true, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 8 + }, + { + "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", + "version": "KqlParameterItem/1.0", + "name": "Tab3Success", "type": 1, "isHiddenWhenLocked": true, "timeContext": { 
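Review bot: The `Query17Stats` query added here marks a subnet compliant as soon as `subnetRT` is non-null (`hasRT = isnotnull(subnetRT)`), so an attached route table with no default route, or one whose `0.0.0.0/0` next hop is `Internet`, still counts as success. The check text asks for Internet traffic to be redirected to Azure Firewall or a Network Virtual Appliance, which is a stronger condition. The same query backs the `query17` grid in the later `@@ -1769,16 +1773,140 @@` hunk. I would join on `microsoft.network/routetables` by `subnetRT` and require a matching route, for example `| mvexpand properties.routes | where properties_routes.properties.addressPrefix == '0.0.0.0/0' and properties_routes.properties.nextHopType == 'VirtualAppliance'`; the exact shape should be confirmed against Resource Graph. The Virtual WAN exemption is decided only by the peering name starting with `remotevnettohubpeering`, which is worth stating in the check text so readers know the result depends on a naming convention.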
@@ -1451,7 +1436,7 @@ "criteriaContext": { "operator": "Default", "resultValType": "expression", - "resultVal": "{Query19Stats:$.Total}+{Query20Stats:$.Total}+{Query21Stats:$.Total}+{Query22Stats:$.Total}" + "resultVal": "{Query12Stats:$.Success}+{Query13Stats:$.Success}+{Query14Stats:$.Success}+{Query15Stats:$.Success}+{Query16Stats:$.Success}+{Query17Stats:$.Success}" } } ] @@ -1459,7 +1444,7 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Tab2Percent", + "name": "Tab3Total", "type": 1, "isHiddenWhenLocked": true, "timeContext": { @@ -1470,7 +1455,26 @@ "criteriaContext": { "operator": "Default", "resultValType": "expression", - "resultVal": "round(100*{Tab2Success}/{Tab2Total})" + "resultVal": "{Query12Stats:$.Total}+{Query13Stats:$.Total}+{Query14Stats:$.Total}+{Query15Stats:$.Total}+{Query16Stats:$.Total}+{Query17Stats:$.Total}" + } + } + ] + }, + { + "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", + "version": "KqlParameterItem/1.0", + "name": "Tab3Percent", + "type": 1, + "isHiddenWhenLocked": true, + "timeContext": { + "durationMs": 86400000 + }, + "criteriaData": [ + { + "criteriaContext": { + "operator": "Default", + "resultValType": "expression", + "resultVal": "round(100*{Tab3Success}/{Tab3Total})" } } ] @@ -1485,16 +1489,16 @@ { "type": 1, "content": { - "json": "## Segmentation" + "json": "## Internet" }, "customWidth": "50", - "name": "tab2title" + "name": "tab3title" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"Column1\\\": \\\"{Tab2Percent}\\\", \\\"Column2\\\": \\\"Percent of successful checks\\\"}\",\"transformers\":null}", + "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"Column1\\\": \\\"{Tab3Percent}\\\", \\\"Column2\\\": \\\"Percent of successful checks\\\"}\",\"transformers\":null}", "size": 3, "queryType": 8, "visualization": "tiles", 
@@ -1526,15 +1530,15 @@ { "type": 1, "content": { - "json": "Use a /26 prefix for your Azure Firewall subnets. Check [this link](https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size) for further information." + "json": "Use Azure Bastion in a subnet /26 or larger. Check [this link](https://learn.microsoft.com/azure/bastion/bastion-faq#subnet) for further information." }, - "name": "querytext19" + "name": "querytext12" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -1583,20 +1587,20 @@ ] } }, - "name": "query19" + "name": "query12" }, { "type": 1, "content": { - "json": "Use at least a /27 prefix for your Gateway subnets. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway) for further information." + "json": "Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over protocols not supported by application rules. Check [this link](https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules) for further information." }, - "name": "querytext20" + "name": "querytext13" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -1645,20 +1649,20 @@ ] } }, - "name": "query20" + "name": "query13" }, { "type": 1, "content": { - "json": "Don't rely on the NSG inbound default rules using the VirtualNetwork service tag to limit connectivity. Check [this link](https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags) for further information." + "json": "Use Azure Firewall Premium for additional security and protection. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information." }, - "name": "querytext21" + "name": "querytext14" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, 
"queryType": 1, "resourceType": "microsoft.resourcegraph/resources", @@ -1707,20 +1711,20 @@ ] } }, - "name": "query21" + "name": "query14" }, { "type": 1, "content": { - "json": "The application team should use application security groups at the subnet-level NSGs to help protect multi-tier VMs within the landing zone. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/) can help to educate yourself on this." + "json": "Configure Azure Firewall Threat Intelligence mode to Alert and Deny for additional protection. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information." }, - "name": "querytext22" + "name": "querytext15" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetName=subnets.name,subnetNsg=subnets.properties.networkSecurityGroup | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend compliant = isnotnull(subnetNsg) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -1769,16 +1773,140 @@ ] } }, - "name": "query22" + "name": "query15" + }, + { + "type": 1, + "content": { + "json": "Configure Azure Firewall IDPS mode to Deny for additional protection. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features#idps) for further information." + }, + "name": "querytext16" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "size": 4, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "crossComponentResources": [ + "{Subscription}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "id", + "formatter": 0, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } + }, + { + "columnMatch": "compliant", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "1", + "representation": "success", + "text": "Success" + }, + { + "operator": "==", + "thresholdValue": "0", + "representation": "failed", + "text": "Failed" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "unknown", + "text": "Unknown" + } + ] + } + } + ] + } + }, + "name": "query16" + }, + { + "type": 1, + "content": { + "json": "For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview) for further information." 
+ }, + "name": "querytext17" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "size": 4, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "crossComponentResources": [ + "{Subscription}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "id", + "formatter": 0, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } + }, + { + "columnMatch": "compliant", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "1", + "representation": "success", + "text": "Success" + }, + { + "operator": "==", + "thresholdValue": "0", + "representation": 
"failed", + "text": "Failed" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "unknown", + "text": "Unknown" + } + ] + } + } + ] + } + }, + "name": "query17" } ] }, "conditionalVisibility": { "parameterName": "VisibleTab", "comparison": "isEqualTo", - "value": "tab2" + "value": "tab3" }, - "name": "tab2" + "name": "tab3" }, { "type": 12, @@ -1797,9 +1925,9 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Query18Stats", + "name": "Query0Stats", "type": 1, - "query": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", + "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", "crossComponentResources": [ "{Subscription}" ], 
@@ -1813,9 +1941,9 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Query18FullyCompliant", + "name": "Query0FullyCompliant", "type": 1, - "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query18Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", + "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query0Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", "isHiddenWhenLocked": true, "timeContext": { "durationMs": 86400000 
@@ -1825,26 +1953,91 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Tab3Success", + "name": "Query1Stats", "type": 1, + "query": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", + "crossComponentResources": [ + "{Subscription}" + ], "isHiddenWhenLocked": true, "timeContext": { "durationMs": 86400000 }, - "criteriaData": [ - { - "criteriaContext": { - "operator": "Default", - "resultValType": "expression", - "resultVal": "{Query18Stats:$.Success}" - } - } - ] - }, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources" + }, { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Tab3Total", + "name": "Query1FullyCompliant", + "type": 1, + "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query1Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", + "isHiddenWhenLocked": true, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 8 + }, + { + "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", + "version": "KqlParameterItem/1.0", + "name": "Query2Stats", + "type": 1, + "query": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | 
project Query1Stats=tostring(pack_all())", + "crossComponentResources": [ + "{Subscription}" + ], + "isHiddenWhenLocked": true, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources" + }, + { + "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", + "version": "KqlParameterItem/1.0", + "name": "Query2FullyCompliant", + "type": 1, + "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query2Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", + "isHiddenWhenLocked": true, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 8 + }, + { + "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", + "version": "KqlParameterItem/1.0", + "name": "Query3Stats", + "type": 1, + "query": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", + "crossComponentResources": [ + "{Subscription}" + ], + "isHiddenWhenLocked": true, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources" + }, + { + "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", + "version": "KqlParameterItem/1.0", + "name": "Query3FullyCompliant", + "type": 1, + "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query3Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", + "isHiddenWhenLocked": true, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 8 + }, + { + "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", + "version": "KqlParameterItem/1.0", + "name": 
"Tab4Success", "type": 1, "isHiddenWhenLocked": true, "timeContext": { @@ -1855,7 +2048,7 @@ "criteriaContext": { "operator": "Default", "resultValType": "expression", - "resultVal": "{Query18Stats:$.Total}" + "resultVal": "{Query0Stats:$.Success}+{Query1Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}" } } ] @@ -1863,7 +2056,7 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Tab3Percent", + "name": "Tab4Total", "type": 1, "isHiddenWhenLocked": true, "timeContext": { @@ -1874,7 +2067,26 @@ "criteriaContext": { "operator": "Default", "resultValType": "expression", - "resultVal": "round(100*{Tab3Success}/{Tab3Total})" + "resultVal": "{Query0Stats:$.Total}+{Query1Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}" + } + } + ] + }, + { + "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", + "version": "KqlParameterItem/1.0", + "name": "Tab4Percent", + "type": 1, + "isHiddenWhenLocked": true, + "timeContext": { + "durationMs": 86400000 + }, + "criteriaData": [ + { + "criteriaContext": { + "operator": "Default", + "resultValType": "expression", + "resultVal": "round(100*{Tab4Success}/{Tab4Total})" } } ] @@ -1889,16 +2101,16 @@ { "type": 1, "content": { - "json": "## PaaS" + "json": "## Hub and spoke" }, "customWidth": "50", - "name": "tab3title" + "name": "tab4title" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"Column1\\\": \\\"{Tab3Percent}\\\", \\\"Column2\\\": \\\"Percent of successful checks\\\"}\",\"transformers\":null}", + "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"Column1\\\": \\\"{Tab4Percent}\\\", \\\"Column2\\\": \\\"Percent of successful checks\\\"}\",\"transformers\":null}", "size": 3, "queryType": 8, "visualization": "tiles", 
@@ -1930,15 +2142,15 @@ { "type": 1, "content": { - "json": "Don't enable virtual network service endpoints by default on all subnets. Check [this link](https://learn.microsoft.com/azure/app-service/networking-features) for further information.. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn) can help to educate yourself on this." + "json": "If using Route Server, use a /27 prefix for the Route Server subnet. Check [this link](https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1) for further information." }, - "name": "querytext18" + "name": "querytext0" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -1987,176 +2199,144 @@ ] } }, - "name": "query18" - } - ] - }, - "conditionalVisibility": { - "parameterName": "VisibleTab", - "comparison": "isEqualTo", - "value": "tab3" - }, - "name": "tab3" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ + "name": "query0" + }, { - "type": 9, + "type": 1, "content": { - "version": "KqlParameterItem/1.0", + "json": "When connecting spoke virtual networks to the central hub virtual network, consider VNet peering limits (500), the maximum number of prefixes that can be advertised via ExpressRoute (1000). Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information." + }, + "name": "querytext1" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "size": 4, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", "crossComponentResources": [ "{Subscription}" ], - "parameters": [ - { - "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", - "version": "KqlParameterItem/1.0", - "name": "Query23Stats", - "type": 1, - "query": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", - 
"crossComponentResources": [ - "{Subscription}" - ], - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 86400000 - }, - "queryType": 1, - "resourceType": "microsoft.resourcegraph/resources" - }, - { - "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", - "version": "KqlParameterItem/1.0", - "name": "Query23FullyCompliant", - "type": 1, - "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query23Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 86400000 - }, - "queryType": 8 - }, - { - "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", - "version": "KqlParameterItem/1.0", - "name": "Tab4Success", - "type": 1, - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 86400000 - }, - "criteriaData": [ - { - "criteriaContext": { - "operator": "Default", - "resultValType": "expression", - "resultVal": "{Query23Stats:$.Success}" - } - } - ] - }, - { - "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", - "version": "KqlParameterItem/1.0", - "name": "Tab4Total", - "type": 1, - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 86400000 - }, - "criteriaData": [ - { - "criteriaContext": { - "operator": "Default", - "resultValType": "expression", - "resultVal": "{Query23Stats:$.Total}" + "gridSettings": { + "formatters": [ + { + "columnMatch": "id", + "formatter": 0, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" } } - ] - }, - { - "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", - "version": "KqlParameterItem/1.0", - "name": "Tab4Percent", - "type": 1, - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 86400000 }, - "criteriaData": [ - { - "criteriaContext": { - "operator": "Default", - "resultValType": "expression", - "resultVal": "round(100*{Tab4Success}/{Tab4Total})" - } + { + "columnMatch": "compliant", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + 
"thresholdValue": "1", + "representation": "success", + "text": "Success" + }, + { + "operator": "==", + "thresholdValue": "0", + "representation": "failed", + "text": "Failed" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "unknown", + "text": "Unknown" + } + ] } - ] - } - ], - "style": "pills", - "queryType": 1, - "resourceType": "microsoft.resourcegraph/resources" + } + ] + } }, - "name": "TabInvisibleParameters" + "name": "query1" }, { "type": 1, "content": { - "json": "## Virtual WAN" + "json": "Consider the limit of routes per route table (400). Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information." }, - "customWidth": "50", - "name": "tab4title" + "name": "querytext2" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"Column1\\\": \\\"{Tab4Percent}\\\", \\\"Column2\\\": \\\"Percent of successful checks\\\"}\",\"transformers\":null}", - "size": 3, - "queryType": 8, - "visualization": "tiles", - "tileSettings": { - "titleContent": { - "columnMatch": "Column1", - "formatter": 4, - "formatOptions": { - "min": 0, - "max": 100, - "palette": "redGreen" + "query": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "size": 4, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "crossComponentResources": [ + "{Subscription}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "id", + "formatter": 0, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } }, - "numberFormat": { - "unit": 0, - 
"options": { - "style": "decimal" + { + "columnMatch": "compliant", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "1", + "representation": "success", + "text": "Success" + }, + { + "operator": "==", + "thresholdValue": "0", + "representation": "failed", + "text": "Failed" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "unknown", + "text": "Unknown" + } + ] } } - }, - "subtitleContent": { - "columnMatch": "Column2" - }, - "showBorder": true + ] } }, - "customWidth": "50", - "name": "TabPercentTile" + "name": "query2" }, { "type": 1, "content": { - "json": "For outbound Internet traffic protection and filtering, deploy Azure Firewall in secured hubs. Check [this link](https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/) can help to educate yourself on this." + "json": "Use the setting 'Allow traffic to remote virtual network' when configuring VNet peerings. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering) for further information." 
}, - "name": "querytext23" + "name": "querytext3" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", @@ -2205,7 +2385,7 @@ ] } }, - "name": "query23" + "name": "query3" } ] }, 
@@ -2233,65 +2413,9 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Query12Stats", - "type": 1, - "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", - "crossComponentResources": [ - "{Subscription}" - ], - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 86400000 - }, - "queryType": 1, - "resourceType": "microsoft.resourcegraph/resources" - }, - { - "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", - "version": "KqlParameterItem/1.0", - "name": "Query12FullyCompliant", - "type": 1, - "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query12Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 86400000 - }, - "queryType": 8 - }, - { - "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", - "version": "KqlParameterItem/1.0", - "name": "Query13Stats", - "type": 1, - "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", - 
"crossComponentResources": [ - "{Subscription}" - ], - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 86400000 - }, - "queryType": 1, - "resourceType": "microsoft.resourcegraph/resources" - }, - { - "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", - "version": "KqlParameterItem/1.0", - "name": "Query13FullyCompliant", - "type": 1, - "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query13Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 86400000 - }, - "queryType": 8 - }, - { - "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", - "version": "KqlParameterItem/1.0", - "name": "Query14Stats", + "name": "Query19Stats", "type": 1, - "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", + "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", "crossComponentResources": [ "{Subscription}" ], 
@@ -2305,9 +2429,9 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Query14FullyCompliant", + "name": "Query19FullyCompliant", "type": 1, - "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query14Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", + "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query19Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", "isHiddenWhenLocked": true, "timeContext": { "durationMs": 86400000 @@ -2317,9 +2441,9 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Query15Stats", + "name": "Query20Stats", "type": 1, - "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", + "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", "crossComponentResources": [ "{Subscription}" ], 
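Review bot: In the new `Query20Stats` query, `subnetPrefixLength` is the dynamic string returned by `split(subnetPrefix, '/')[1]` and is compared with the number 27 without a cast, so the result depends on implicit conversion; `extend subnetPrefixLength = toint(split(subnetPrefix, '/')[1])` makes the comparison numeric. The query also reads only `subnets.properties.addressPrefix`, so a subnet that carries its ranges in `addressPrefixes` would presumably get a null `compliant` and be counted as neither success nor failure. The same expression is used by the `Query0Stats` and `Query19Stats` queries and by the grid queries `query0`, `query19` and `query20` elsewhere in this diff. The workbook looks generated, so the fix probably belongs in the query source it is built from; the parameter object continues outside the hunk.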
@@ -2333,9 +2457,9 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Query15FullyCompliant", + "name": "Query20FullyCompliant", "type": 1, - "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query15Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", + "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query20Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", "isHiddenWhenLocked": true, "timeContext": { "durationMs": 86400000 
@@ -2345,9 +2469,9 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Query16Stats", + "name": "Query21Stats", "type": 1, - "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", + "query": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", "crossComponentResources": [ "{Subscription}" ], 
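Review bot: The `Query21Stats` query drops every NSG that has custom rules but none in the inbound direction: `summarize ... by id,tostring(ruleDirection)` followed by `where ruleDirection == 'Inbound'` leaves no row for it, and the `union` branch only adds NSGs whose `securityRules` array is empty. Such an NSG relies entirely on the default inbound rules, which is what this check is meant to flag, yet it is counted neither as failed nor in the total. Summarizing per NSG instead, `summarize StarDenies=countif(ruleDirection=='Inbound' and ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id`, followed by `project id,compliant=(StarDenies>0)`, keeps those NSGs in the result as non-compliant. The grid query `query21` further down repeats the same logic, and the parameter object continues outside the hunk.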
@@ -2361,9 +2485,9 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Query16FullyCompliant", + "name": "Query21FullyCompliant", "type": 1, - "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query16Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", + "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query21Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", "isHiddenWhenLocked": true, "timeContext": { "durationMs": 86400000 
@@ -2373,9 +2497,9 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Query17Stats", + "name": "Query22Stats", "type": 1, - "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", + "query": "Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetName=subnets.name,subnetNsg=subnets.properties.networkSecurityGroup | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend compliant = 
isnotnull(subnetNsg)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())", "crossComponentResources": [ "{Subscription}" ], @@ -2389,9 +2513,9 @@ { "id": "daf05c62-1d5b-4325-b241-d7ee468f23eb", "version": "KqlParameterItem/1.0", - "name": "Query17FullyCompliant", + "name": "Query22FullyCompliant", "type": 1, - "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query17Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", + "query": "{\"version\":\"1.0.0\",\"content\":\"{\\\"value\\\": \\\"{Query22Stats:$.FullyCompliant}\\\"}\",\"transformers\":null}", "isHiddenWhenLocked": true, "timeContext": { "durationMs": 86400000 @@ -2412,7 +2536,7 @@ "criteriaContext": { "operator": "Default", "resultValType": "expression", - "resultVal": "{Query12Stats:$.Success}+{Query13Stats:$.Success}+{Query14Stats:$.Success}+{Query15Stats:$.Success}+{Query16Stats:$.Success}+{Query17Stats:$.Success}" + "resultVal": "{Query19Stats:$.Success}+{Query20Stats:$.Success}+{Query21Stats:$.Success}+{Query22Stats:$.Success}" } } ] @@ -2431,7 +2555,7 @@ "criteriaContext": { "operator": "Default", "resultValType": "expression", - "resultVal": "{Query12Stats:$.Total}+{Query13Stats:$.Total}+{Query14Stats:$.Total}+{Query15Stats:$.Total}+{Query16Stats:$.Total}+{Query17Stats:$.Total}" + "resultVal": "{Query19Stats:$.Total}+{Query20Stats:$.Total}+{Query21Stats:$.Total}+{Query22Stats:$.Total}" } } ] @@ -2465,7 +2589,7 @@ { "type": 1, "content": { - "json": "## Internet" + "json": "## Segmentation" }, "customWidth": "50", "name": "tab5title" 
@@ -2506,139 +2630,15 @@ { "type": 1, "content": { - "json": "Use Azure Bastion in a subnet /26 or larger. Check [this link](https://learn.microsoft.com/azure/bastion/bastion-faq#subnet) for further information." - }, - "name": "querytext12" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", - "size": 4, - "queryType": 1, - "resourceType": "microsoft.resourcegraph/resources", - "crossComponentResources": [ - "{Subscription}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "id", - "formatter": 0, - "numberFormat": { - "unit": 0, - "options": { - "style": "decimal" - } - } - }, - { - "columnMatch": "compliant", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "==", - "thresholdValue": "1", - "representation": "success", - "text": "Success" - }, - { - "operator": "==", - "thresholdValue": "0", - "representation": "failed", - "text": "Failed" - }, - { - "operator": "Default", - "thresholdValue": null, - "representation": "unknown", - "text": "Unknown" - } - ] - } - } - ] - } - }, - "name": "query12" - }, - { - "type": 1, - "content": { - "json": "Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over protocols not supported by application rules. Check [this link](https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules) for further information." 
- }, - "name": "querytext13" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", - "size": 4, - "queryType": 1, - "resourceType": "microsoft.resourcegraph/resources", - "crossComponentResources": [ - "{Subscription}" - ], - "gridSettings": { - "formatters": [ - { - "columnMatch": "id", - "formatter": 0, - "numberFormat": { - "unit": 0, - "options": { - "style": "decimal" - } - } - }, - { - "columnMatch": "compliant", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "icons", - "thresholdsGrid": [ - { - "operator": "==", - "thresholdValue": "1", - "representation": "success", - "text": "Success" - }, - { - "operator": "==", - "thresholdValue": "0", - "representation": "failed", - "text": "Failed" - }, - { - "operator": "Default", - "thresholdValue": null, - "representation": "unknown", - "text": "Unknown" - } - ] - } - } - ] - } - }, - "name": "query13" - }, - { - "type": 1, - "content": { - "json": "Use Azure Firewall Premium for additional security and protection. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information." + "json": "Use a /26 prefix for your Azure Firewall subnets. Check [this link](https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size) for further information." 
}, - "name": "querytext14" + "name": "querytext19" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -2687,20 +2687,20 @@ ] } }, - "name": "query14" + "name": "query19" }, { "type": 1, "content": { - "json": "Configure Azure Firewall Threat Intelligence mode to Alert and Deny for additional protection. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information." + "json": "Use at least a /27 prefix for your Gateway subnets. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway) for further information." }, - "name": "querytext15" + "name": "querytext20" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
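Review bot: The added GatewaySubnet query compares `split(subnetPrefix, '/')[1]` with 27 without converting it to a number, and it reads only `subnets.properties.addressPrefix`. A subnet that carries its ranges in `addressPrefixes` would presumably leave `subnetPrefix` empty, so `compliant` is neither 1 nor 0 and the `where compliant == 0 or not (onlyFailed == 1)` filter hides the row once "Only show failed" is on. I would write `extend subnetPrefixLength = toint(split(tostring(subnetPrefix), '/')[1])` and report a missing prefix as failed rather than unknown. The AzureFirewallSubnet query in the hunk above uses the same expression, and the workbook item continues outside this hunk.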
@@ -2749,20 +2749,20 @@ ] } }, - "name": "query15" + "name": "query20" }, { "type": 1, "content": { - "json": "Configure Azure Firewall IDPS mode to Deny for additional protection. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features#idps) for further information." + "json": "Don't rely on the NSG inbound default rules using the VirtualNetwork service tag to limit connectivity. Check [this link](https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags) for further information." }, - "name": "querytext16" + "name": "querytext21" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away 
onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
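Review bot: The added NSG query drops every NSG whose custom rules are all outbound, because `where ruleDirection == 'Inbound'` runs after `summarize … by id,tostring(ruleDirection)` and the `union` branch only re-adds NSGs with an empty `securityRules` array. Those NSGs rely entirely on the default inbound rules, which is the case this check is meant to surface, yet they show up as neither success nor failed. Moving the direction test into the aggregate keeps them: `summarize StarDenies=countif(ruleDirection=='Inbound' and ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id | project id,compliant=(StarDenies>0)`. The workbook looks generated from the checklists, so the change would belong in the source query; the item itself continues outside the hunk.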
@@ -2811,20 +2811,20 @@ ] } }, - "name": "query16" + "name": "query21" }, { "type": 1, "content": { - "json": "For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview) for further information." + "json": "The application team should use application security groups at the subnet-level NSGs to help protect multi-tier VMs within the landing zone. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/) can help to educate yourself on this." }, - "name": "querytext17" + "name": "querytext22" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant | extend onlyFailed = {OnlyFailed:label} | 
where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetName=subnets.name,subnetNsg=subnets.properties.networkSecurityGroup | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend compliant = isnotnull(subnetNsg) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", @@ -2873,7 +2873,7 @@ ] } }, - "name": "query17" + "name": "query22" } ] }, diff --git a/workbooks/alz_checklist.en_network_tabcounters_template.json b/workbooks/alz_checklist.en_network_tabcounters_template.json index 0e437e214..fc3e6e62f 100644 --- a/workbooks/alz_checklist.en_network_tabcounters_template.json +++ b/workbooks/alz_checklist.en_network_tabcounters_template.json 
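Review bot: The added query in the `@@ -2811` hunk marks a subnet compliant as soon as `isnotnull(subnetNsg)` holds, while the text above it tells the reader that application security groups should be used in subnet-level NSGs. A green result therefore says only that some NSG is attached, not that it has rules or references any ASG. I would state that in the description, for example by appending `This check only verifies that an NSG is attached to each subnet.` to the `json` text, or extend the query to look at the NSG's rules. The workbook item continues outside the hunk.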
@@ -41,7 +41,7 @@ "dependsOn": [], "properties": { "displayName": "[parameters('workbookDisplayName')]", - "serializedData": "{\n \"version\": \"Notebook/1.0\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"parameters\": [\n {\n \"id\": \"497a107e-dde8-433e-b263-35ac8e8f7834\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Subscription\",\n \"type\": 6,\n \"multiSelect\": true,\n \"quote\": \"'\",\n \"delimiter\": \",\",\n \"typeSettings\": {\n \"additionalResourceOptions\": [\n \"value::all\"\n ],\n \"includeAll\": true,\n \"showDefault\": false\n },\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"value\": [\n \"value::all\"\n ]\n },\n {\n \"id\": \"844e4f4e-df51-4e3c-8eaf-0dc78b92c721\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"OnlyFailed\",\n \"label\": \"Only show failed\",\n \"type\": 2,\n \"typeSettings\": {\n \"additionalResourceOptions\": [],\n \"showDefault\": false\n },\n \"jsonData\": \"[\\r\\n { \\\"value\\\":true, \\\"label\\\":\\\"True\\\" },\\r\\n { \\\"value\\\":false, \\\"label\\\":\\\"False\\\", \\\"selected\\\":true }\\r\\n]\"\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 0,\n \"resourceType\": \"microsoft.operationalinsights/workspaces\"\n },\n \"name\": \"WorkbookSelectors\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you set \\\"Only show failed\\\" to \\\"Yes\\\", the different queries will only show items that have failed their compliance checks.\",\n \"style\": \"info\"\n },\n \"name\": \"InfoBox\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Azure Landing Zone Review - Network\\n\\n---\\n\\nThis workbook has been automatically generated out of the checklists in the [Azure Review Checklists repo](https://github.com/Azure/review-checklists). 
This repo contains best practices and recommendations around generic Landing Zones as well as specific services such as Azure Virtual Desktop, Azure Kubernetes Service or Azure VMware Solution, to name a few. This repository of best practices is curated by Azure engineers, but open to anybody to contribute.\\n\\nIf you see a problem in the queries that are part of this workbook, please open a Github issue [here](https://github.com/Azure/review-checklists/issues/new).\"\n },\n \"customWidth\": \"100\",\n \"name\": \"MarkdownHeader\"\n },\n {\n \"type\": 11,\n \"content\": {\n \"version\": \"LinkItem/1.0\",\n \"style\": \"tabs\",\n \"links\": [\n {\n \"id\": \"cefaac0c-d207-4c42-9a7d-75d2f86d1f7d\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Hub and spoke\",\n \"subTarget\": \"tab0\",\n \"preText\": \"Hub and spoke\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"87c13089-5aaf-44df-95a0-1037fa8ea326\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Hybrid\",\n \"subTarget\": \"tab1\",\n \"preText\": \"Hybrid\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"f8da229c-21e4-41e4-93f9-a0db2edfc8fd\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Segmentation\",\n \"subTarget\": \"tab2\",\n \"preText\": \"Segmentation\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"bda372ef-4c44-4dfa-b744-8112289085a1\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"PaaS\",\n \"subTarget\": \"tab3\",\n \"preText\": \"PaaS\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"f5c27a70-6301-4cba-89c3-9f69fc37893f\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Virtual WAN\",\n \"subTarget\": \"tab4\",\n \"preText\": \"Virtual WAN\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"44cda46e-7086-4d59-870d-691604dbe547\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": 
\"Internet\",\n \"subTarget\": \"tab5\",\n \"preText\": \"Internet\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"ed560364-b2db-4766-80be-67632a817e9d\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"IP plan\",\n \"subTarget\": \"tab6\",\n \"preText\": \"IP plan\",\n \"style\": \"primary\"\n }\n ]\n },\n \"name\": \"Tabs\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query0Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query0FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": 
\\\\\\\"{Query0Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query1Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query1FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query1Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query2Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 
100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query2FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query2Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query3Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query3FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": 
\\\\\\\"{Query3Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query0Stats:$.Success}+{Query1Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query0Stats:$.Total}+{Query1Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab0Success}/{Tab0Total})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"TabInvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Hub and spoke\"\n },\n \"customWidth\": \"50\",\n \"name\": \"tab0title\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"Column1\\\\\\\": 
\\\\\\\"{Tab0Percent}\\\\\\\", \\\\\\\"Column2\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 3,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"Column1\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n },\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"Column2\"\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"TabPercentTile\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If using Route Server, use a /27 prefix for the Route Server subnet. Check [this link](https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1) for further information.\"\n },\n \"name\": \"querytext0\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n 
\"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query0\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"When connecting spoke virtual networks to the central hub virtual network, consider VNet peering limits (500), the maximum number of prefixes that can be advertised via ExpressRoute (1000). Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information.\"\n },\n \"name\": \"querytext1\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n 
\"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query1\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Consider the limit of routes per route table (400). Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information.\"\n },\n \"name\": \"querytext2\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query2\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use the setting 'Allow 
traffic to remote virtual network' when configuring VNet peerings. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering) for further information.\"\n },\n \"name\": \"querytext3\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query3\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab0\"\n },\n \"name\": \"tab0\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n 
\"{Subscription}\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query4Stats\",\n \"type\": 1,\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query4FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query4Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query5Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 
100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query5FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query5Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query6Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": 
\"KqlParameterItem/1.0\",\n \"name\": \"Query6FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query6Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query7Stats\",\n \"type\": 1,\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query7FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query7Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query8Stats\",\n \"type\": 1,\n \"query\": \"resources | where 
type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query8FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query8Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query9Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation))| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend 
SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query9FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query9Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query4Stats:$.Success}+{Query5Stats:$.Success}+{Query6Stats:$.Success}+{Query7Stats:$.Success}+{Query8Stats:$.Success}+{Query9Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query4Stats:$.Total}+{Query5Stats:$.Total}+{Query6Stats:$.Total}+{Query7Stats:$.Total}+{Query8Stats:$.Total}+{Query9Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": 
\"Tab1Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab1Success}/{Tab1Total})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"TabInvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Hybrid\"\n },\n \"customWidth\": \"50\",\n \"name\": \"tab1title\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"Column1\\\\\\\": \\\\\\\"{Tab1Percent}\\\\\\\", \\\\\\\"Column2\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 3,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"Column1\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n },\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"Column2\"\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"TabPercentTile\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure that you're using the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-routing) for further information.. 
[This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext4\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query4\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure that you're using unlimited-data ExpressRoute circuits only if you reach the bandwidth that justifies their cost. 
Check [this link](https://learn.microsoft.com/azure/expressroute/plan-manage-cost) for further information.\"\n },\n \"name\": \"querytext5\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query5\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Leverage the Local SKU of ExpressRoute to reduce the cost of your circuits, if your circuits' peering location supports your Azure regions for the Local SKU. 
Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local) for further information.\"\n },\n \"name\": \"querytext6\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query6\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways) for further information.. 
[This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext7\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query7\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use zone-redundant VPN gateways to connect branches or remote locations to Azure (where available). Check [this link](https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway) for further information.. 
[This training](https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext8\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query8\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you are using a route table in the GatewaySubnet, make sure that gateway routes are propagated. 
Check [this link](https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub) for further information.\"\n },\n \"name\": \"querytext9\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation)) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query9\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n 
\"value\": \"tab1\"\n },\n \"name\": \"tab1\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query19Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query19FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query19Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query20Stats\",\n \"type\": 1,\n \"query\": \"resources | where 
type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query20FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query20Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query21Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project 
id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query21FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query21Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query22Stats\",\n \"type\": 1,\n \"query\": \"Resources | where type=='microsoft.network/virtualnetworks' | project 
id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetName=subnets.name,subnetNsg=subnets.properties.networkSecurityGroup | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend compliant = isnotnull(subnetNsg)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query22FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query22Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab2Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query19Stats:$.Success}+{Query20Stats:$.Success}+{Query21Stats:$.Success}+{Query22Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab2Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n 
\"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query19Stats:$.Total}+{Query20Stats:$.Total}+{Query21Stats:$.Total}+{Query22Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab2Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab2Success}/{Tab2Total})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"TabInvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Segmentation\"\n },\n \"customWidth\": \"50\",\n \"name\": \"tab2title\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"Column1\\\\\\\": \\\\\\\"{Tab2Percent}\\\\\\\", \\\\\\\"Column2\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 3,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"Column1\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n },\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"Column2\"\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"TabPercentTile\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use a /26 prefix for your Azure Firewall subnets. 
Check [this link](https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size) for further information.\"\n },\n \"name\": \"querytext19\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query19\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use at least a /27 prefix for your Gateway subnets. 
Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway) for further information.\"\n },\n \"name\": \"querytext20\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query20\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Don't rely on the NSG inbound default rules using the VirtualNetwork service tag to limit connectivity. 
Check [this link](https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags) for further information.\"\n },\n \"name\": \"querytext21\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n 
\"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query21\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"The application team should use application security groups at the subnet-level NSGs to help protect multi-tier VMs within the landing zone. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext22\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetName=subnets.name,subnetNsg=subnets.properties.networkSecurityGroup | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend compliant = isnotnull(subnetNsg) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n 
\"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query22\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab2\"\n },\n \"name\": \"tab2\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query18Stats\",\n \"type\": 1,\n \"query\": \"resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query18FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query18Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n 
\"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab3Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query18Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab3Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query18Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab3Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab3Success}/{Tab3Total})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"TabInvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## PaaS\"\n },\n \"customWidth\": \"50\",\n \"name\": \"tab3title\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"Column1\\\\\\\": \\\\\\\"{Tab3Percent}\\\\\\\", \\\\\\\"Column2\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 3,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"Column1\",\n \"formatter\": 4,\n 
\"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n },\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"Column2\"\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"TabPercentTile\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Don't enable virtual network service endpoints by default on all subnets. Check [this link](https://learn.microsoft.com/azure/app-service/networking-features) for further information.. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn) can help to educate yourself on this.\"\n },\n \"name\": \"querytext18\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n 
\"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query18\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab3\"\n },\n \"name\": \"tab3\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query23Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query23FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query23Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": 
\"KqlParameterItem/1.0\",\n \"name\": \"Tab4Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query23Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab4Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query23Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab4Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab4Success}/{Tab4Total})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"TabInvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Virtual WAN\"\n },\n \"customWidth\": \"50\",\n \"name\": \"tab4title\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"Column1\\\\\\\": \\\\\\\"{Tab4Percent}\\\\\\\", \\\\\\\"Column2\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 3,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"Column1\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n },\n 
\"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"Column2\"\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"TabPercentTile\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"For outbound Internet traffic protection and filtering, deploy Azure Firewall in secured hubs. Check [this link](https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext23\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query23\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n 
\"comparison\": \"isEqualTo\",\n \"value\": \"tab4\"\n },\n \"name\": \"tab4\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query12Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query12FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query12Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query13Stats\",\n \"type\": 1,\n \"query\": 
\"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query13FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query13Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query14Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": 
\"KqlParameterItem/1.0\",\n \"name\": \"Query14FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query14Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query15Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query15FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query15Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query16Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = 
countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query16FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query16Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query17Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project 
id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query17FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query17Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab5Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query12Stats:$.Success}+{Query13Stats:$.Success}+{Query14Stats:$.Success}+{Query15Stats:$.Success}+{Query16Stats:$.Success}+{Query17Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab5Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": 
\"expression\",\n \"resultVal\": \"{Query12Stats:$.Total}+{Query13Stats:$.Total}+{Query14Stats:$.Total}+{Query15Stats:$.Total}+{Query16Stats:$.Total}+{Query17Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab5Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab5Success}/{Tab5Total})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"TabInvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Internet\"\n },\n \"customWidth\": \"50\",\n \"name\": \"tab5title\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"Column1\\\\\\\": \\\\\\\"{Tab5Percent}\\\\\\\", \\\\\\\"Column2\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 3,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"Column1\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n },\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"Column2\"\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"TabPercentTile\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure Bastion in a subnet /26 or larger. 
Check [this link](https://learn.microsoft.com/azure/bastion/bastion-faq#subnet) for further information.\"\n },\n \"name\": \"querytext12\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query12\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over protocols not supported by application rules. 
Check [this link](https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules) for further information.\"\n },\n \"name\": \"querytext13\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query13\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure Firewall Premium for additional security and protection. 
Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information.\"\n },\n \"name\": \"querytext14\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query14\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Configure Azure Firewall Threat Intelligence mode to Alert and Deny for additional protection. 
Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information.\"\n },\n \"name\": \"querytext15\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query15\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Configure Azure Firewall IDPS mode to Deny for additional protection. 
Check [this link](https://learn.microsoft.com/azure/firewall/premium-features#idps) for further information.\"\n },\n \"name\": \"querytext16\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query16\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance. 
Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview) for further information.\"\n },\n \"name\": \"querytext17\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n 
\"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query17\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab5\"\n },\n \"name\": \"tab5\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query10Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": 
\"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query10FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query10Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query11Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query11FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query11Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": 
\"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab6Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query10Stats:$.Success}+{Query11Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab6Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query10Stats:$.Total}+{Query11Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab6Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab6Success}/{Tab6Total})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"TabInvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## IP plan\"\n },\n \"customWidth\": \"50\",\n \"name\": \"tab6title\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"Column1\\\\\\\": \\\\\\\"{Tab6Percent}\\\\\\\", \\\\\\\"Column2\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 3,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"Column1\",\n \"formatter\": 
4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n },\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"Column2\"\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"TabPercentTile\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use IP addresses from the address allocation ranges for private internets (RFC 1918). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext10\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": 
\"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query10\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure that IP address space isn't wasted, don't create unnecessarily large virtual networks (for example /16). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext11\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": 
\"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query11\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab6\"\n },\n \"name\": \"tab6\"\n }\n ],\n \"$schema\": \"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"\n}", + "serializedData": "{\n \"version\": \"Notebook/1.0\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"parameters\": [\n {\n \"id\": \"497a107e-dde8-433e-b263-35ac8e8f7834\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Subscription\",\n \"type\": 6,\n \"multiSelect\": true,\n \"quote\": \"'\",\n \"delimiter\": \",\",\n \"typeSettings\": {\n \"additionalResourceOptions\": [\n \"value::all\"\n ],\n \"includeAll\": true,\n \"showDefault\": false\n },\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"value\": [\n \"value::all\"\n ]\n },\n {\n \"id\": \"844e4f4e-df51-4e3c-8eaf-0dc78b92c721\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"OnlyFailed\",\n \"label\": \"Only show failed\",\n \"type\": 2,\n \"typeSettings\": {\n \"additionalResourceOptions\": [],\n \"showDefault\": false\n },\n \"jsonData\": \"[\\r\\n { \\\"value\\\":true, \\\"label\\\":\\\"True\\\" },\\r\\n { \\\"value\\\":false, \\\"label\\\":\\\"False\\\", \\\"selected\\\":true }\\r\\n]\"\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 0,\n \"resourceType\": \"microsoft.operationalinsights/workspaces\"\n },\n \"name\": \"WorkbookSelectors\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you set \\\"Only show failed\\\" to \\\"Yes\\\", the different queries will only show items 
that have failed their compliance checks.\",\n \"style\": \"info\"\n },\n \"name\": \"InfoBox\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Azure Landing Zone Review - Network\\n\\n---\\n\\nThis workbook has been automatically generated out of the checklists in the [Azure Review Checklists repo](https://github.com/Azure/review-checklists). This repo contains best practices and recommendations around generic Landing Zones as well as specific services such as Azure Virtual Desktop, Azure Kubernetes Service or Azure VMware Solution, to name a few. This repository of best practices is curated by Azure engineers, but open to anybody to contribute.\\n\\nIf you see a problem in the queries that are part of this workbook, please open a Github issue [here](https://github.com/Azure/review-checklists/issues/new).\"\n },\n \"customWidth\": \"100\",\n \"name\": \"MarkdownHeader\"\n },\n {\n \"type\": 11,\n \"content\": {\n \"version\": \"LinkItem/1.0\",\n \"style\": \"tabs\",\n \"links\": [\n {\n \"id\": \"9481f56b-abfd-4262-8a7c-d9a1f738d1e3\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Virtual WAN\",\n \"subTarget\": \"tab0\",\n \"preText\": \"Virtual WAN\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"254839ab-5719-49ba-9056-ba52ddbfbf0e\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"PaaS\",\n \"subTarget\": \"tab1\",\n \"preText\": \"PaaS\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"080e94dc-2a70-4423-9de4-58f6ce9dee18\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Hybrid\",\n \"subTarget\": \"tab2\",\n \"preText\": \"Hybrid\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"21719327-f800-4e78-a6cf-30a6e3ea37f9\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Internet\",\n \"subTarget\": \"tab3\",\n \"preText\": \"Internet\",\n \"style\": \"primary\"\n },\n {\n \"id\": 
\"456aa0e5-3657-4627-9b74-36ebdd0233a4\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Hub and spoke\",\n \"subTarget\": \"tab4\",\n \"preText\": \"Hub and spoke\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"16f325de-6441-4e8b-8719-a16b31b56ffd\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Segmentation\",\n \"subTarget\": \"tab5\",\n \"preText\": \"Segmentation\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"74fbb015-3f4b-4617-b0d4-d0e557c3a0a4\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"IP plan\",\n \"subTarget\": \"tab6\",\n \"preText\": \"IP plan\",\n \"style\": \"primary\"\n }\n ]\n },\n \"name\": \"Tabs\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query23Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query23FullyCompliant\",\n \"type\": 1,\n \"query\": 
\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query23Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query23Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query23Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab0Success}/{Tab0Total})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"TabInvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Virtual WAN\"\n },\n \"customWidth\": \"50\",\n \"name\": \"tab0title\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"Column1\\\\\\\": \\\\\\\"{Tab0Percent}\\\\\\\", \\\\\\\"Column2\\\\\\\": 
\\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 3,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"Column1\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n },\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"Column2\"\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"TabPercentTile\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"For outbound Internet traffic protection and filtering, deploy Azure Firewall in secured hubs. Check [this link](https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext23\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": 
\"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query23\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab0\"\n },\n \"name\": \"tab0\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query18Stats\",\n \"type\": 1,\n \"query\": \"resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query18FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": 
\\\\\\\"{Query18Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query18Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query18Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab1Success}/{Tab1Total})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"TabInvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## PaaS\"\n },\n \"customWidth\": \"50\",\n \"name\": \"tab1title\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"Column1\\\\\\\": \\\\\\\"{Tab1Percent}\\\\\\\", \\\\\\\"Column2\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n 
\"size\": 3,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"Column1\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n },\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"Column2\"\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"TabPercentTile\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Don't enable virtual network service endpoints by default on all subnets. Check [this link](https://learn.microsoft.com/azure/app-service/networking-features) for further information.. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn) can help to educate yourself on this.\"\n },\n \"name\": \"querytext18\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n 
\"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query18\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab1\"\n },\n \"name\": \"tab1\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query4Stats\",\n \"type\": 1,\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": 
\"Query4FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query4Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query5Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query5FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query5Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query6Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where 
type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query6FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query6Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query7Stats\",\n \"type\": 1,\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n 
\"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query7FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query7Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query8Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query8FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query8Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": 
\"KqlParameterItem/1.0\",\n \"name\": \"Query9Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation))| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query9FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query9Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab2Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": 
\"{Query4Stats:$.Success}+{Query5Stats:$.Success}+{Query6Stats:$.Success}+{Query7Stats:$.Success}+{Query8Stats:$.Success}+{Query9Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab2Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query4Stats:$.Total}+{Query5Stats:$.Total}+{Query6Stats:$.Total}+{Query7Stats:$.Total}+{Query8Stats:$.Total}+{Query9Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab2Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab2Success}/{Tab2Total})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"TabInvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Hybrid\"\n },\n \"customWidth\": \"50\",\n \"name\": \"tab2title\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"Column1\\\\\\\": \\\\\\\"{Tab2Percent}\\\\\\\", \\\\\\\"Column2\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 3,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"Column1\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n },\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n 
}\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"Column2\"\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"TabPercentTile\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure that you're using the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-routing) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext4\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": 
\"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query4\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure that you're using unlimited-data ExpressRoute circuits only if you reach the bandwidth that justifies their cost. Check [this link](https://learn.microsoft.com/azure/expressroute/plan-manage-cost) for further information.\"\n },\n \"name\": \"querytext5\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query5\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Leverage the Local SKU of ExpressRoute to reduce the cost of your circuits, if your circuits' peering location supports your Azure regions for the Local SKU. 
Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local) for further information.\"\n },\n \"name\": \"querytext6\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query6\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways) for further information.. 
[This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext7\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query7\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use zone-redundant VPN gateways to connect branches or remote locations to Azure (where available). Check [this link](https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway) for further information.. 
[This training](https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext8\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query8\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you are using a route table in the GatewaySubnet, make sure that gateway routes are propagated. 
Check [this link](https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub) for further information.\"\n },\n \"name\": \"querytext9\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation)) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query9\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n 
\"value\": \"tab2\"\n },\n \"name\": \"tab2\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query12Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query12FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query12Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query13Stats\",\n \"type\": 1,\n \"query\": \"resources | where 
type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query13FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query13Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query14Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": 
\"Query14FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query14Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query15Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query15FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query15Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query16Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = 
iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query16FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query16Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query17Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), 
subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query17FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query17Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab3Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query12Stats:$.Success}+{Query13Stats:$.Success}+{Query14Stats:$.Success}+{Query15Stats:$.Success}+{Query16Stats:$.Success}+{Query17Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab3Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": 
\"{Query12Stats:$.Total}+{Query13Stats:$.Total}+{Query14Stats:$.Total}+{Query15Stats:$.Total}+{Query16Stats:$.Total}+{Query17Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab3Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab3Success}/{Tab3Total})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"TabInvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Internet\"\n },\n \"customWidth\": \"50\",\n \"name\": \"tab3title\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"Column1\\\\\\\": \\\\\\\"{Tab3Percent}\\\\\\\", \\\\\\\"Column2\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 3,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"Column1\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n },\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"Column2\"\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"TabPercentTile\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure Bastion in a subnet /26 or larger. 
Check [this link](https://learn.microsoft.com/azure/bastion/bastion-faq#subnet) for further information.\"\n },\n \"name\": \"querytext12\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query12\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over protocols not supported by application rules. 
Check [this link](https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules) for further information.\"\n },\n \"name\": \"querytext13\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query13\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure Firewall Premium for additional security and protection. 
Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information.\"\n },\n \"name\": \"querytext14\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query14\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Configure Azure Firewall Threat Intelligence mode to Alert and Deny for additional protection. 
Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information.\"\n },\n \"name\": \"querytext15\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query15\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Configure Azure Firewall IDPS mode to Deny for additional protection. 
Check [this link](https://learn.microsoft.com/azure/firewall/premium-features#idps) for further information.\"\n },\n \"name\": \"querytext16\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query16\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance. 
Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview) for further information.\"\n },\n \"name\": \"querytext17\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n 
\"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query17\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab3\"\n },\n \"name\": \"tab3\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query0Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": 
\"KqlParameterItem/1.0\",\n \"name\": \"Query0FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query0Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query1Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query1FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query1Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query2Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | 
distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query2FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query2Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query3Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n 
\"name\": \"Query3FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query3Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab4Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query0Stats:$.Success}+{Query1Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab4Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query0Stats:$.Total}+{Query1Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab4Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab4Success}/{Tab4Total})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"TabInvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Hub and spoke\"\n },\n \"customWidth\": \"50\",\n \"name\": \"tab4title\"\n },\n {\n \"type\": 
3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"Column1\\\\\\\": \\\\\\\"{Tab4Percent}\\\\\\\", \\\\\\\"Column2\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 3,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"Column1\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n },\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"Column2\"\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"TabPercentTile\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If using Route Server, use a /27 prefix for the Route Server subnet. Check [this link](https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1) for further information.\"\n },\n \"name\": \"querytext0\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": 
\"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query0\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"When connecting spoke virtual networks to the central hub virtual network, consider VNet peering limits (500), the maximum number of prefixes that can be advertised via ExpressRoute (1000). Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information.\"\n },\n \"name\": \"querytext1\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n 
\"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query1\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Consider the limit of routes per route table (400). Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information.\"\n },\n \"name\": \"querytext2\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": 
\"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query2\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use the setting 'Allow traffic to remote virtual network' when configuring VNet peerings. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering) for further information.\"\n },\n \"name\": \"querytext3\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query3\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab4\"\n },\n \"name\": \"tab4\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": 
\"editable\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query19Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query19FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query19Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query20Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix 
= subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query20FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query20Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query21Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) 
| where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query21FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query21Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query22Stats\",\n \"type\": 1,\n \"query\": \"Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetName=subnets.name,subnetNsg=subnets.properties.networkSecurityGroup | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend compliant = isnotnull(subnetNsg)| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project 
Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query22FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query22Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab5Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query19Stats:$.Success}+{Query20Stats:$.Success}+{Query21Stats:$.Success}+{Query22Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab5Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query19Stats:$.Total}+{Query20Stats:$.Total}+{Query21Stats:$.Total}+{Query22Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab5Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n 
\"resultVal\": \"round(100*{Tab5Success}/{Tab5Total})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"TabInvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Segmentation\"\n },\n \"customWidth\": \"50\",\n \"name\": \"tab5title\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"Column1\\\\\\\": \\\\\\\"{Tab5Percent}\\\\\\\", \\\\\\\"Column2\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 3,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"Column1\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n },\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"Column2\"\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"TabPercentTile\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use a /26 prefix for your Azure Firewall subnets. 
Check [this link](https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size) for further information.\"\n },\n \"name\": \"querytext19\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query19\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use at least a /27 prefix for your Gateway subnets. 
Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway) for further information.\"\n },\n \"name\": \"querytext20\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query20\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Don't rely on the NSG inbound default rules using the VirtualNetwork service tag to limit connectivity. 
Check [this link](https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags) for further information.\"\n },\n \"name\": \"querytext21\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n 
\"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query21\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"The application team should use application security groups at the subnet-level NSGs to help protect multi-tier VMs within the landing zone. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext22\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetName=subnets.name,subnetNsg=subnets.properties.networkSecurityGroup | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend compliant = isnotnull(subnetNsg) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n 
\"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query22\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab5\"\n },\n \"name\": \"tab5\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query10Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query10FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query10Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n 
\"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query11Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query11FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query11Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab6Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": 
\"{Query10Stats:$.Success}+{Query11Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab6Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query10Stats:$.Total}+{Query11Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab6Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab6Success}/{Tab6Total})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"TabInvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## IP plan\"\n },\n \"customWidth\": \"50\",\n \"name\": \"tab6title\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"Column1\\\\\\\": \\\\\\\"{Tab6Percent}\\\\\\\", \\\\\\\"Column2\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 3,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"Column1\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n },\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"Column2\"\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"TabPercentTile\"\n },\n {\n 
\"type\": 1,\n \"content\": {\n \"json\": \"Use IP addresses from the address allocation ranges for private internets (RFC 1918). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext10\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n 
\"name\": \"query10\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure that IP address space isn't wasted, don't create unnecessarily large virtual networks (for example /16). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext11\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n 
\"name\": \"query11\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab6\"\n },\n \"name\": \"tab6\"\n }\n ],\n \"$schema\": \"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"\n}", "version": "1.0", "sourceId": "[parameters('workbookSourceId')]", "category": "[parameters('workbookType')]" diff --git a/workbooks/alz_checklist.en_network_workbook.json b/workbooks/alz_checklist.en_network_workbook.json index f5319f09d..31606ed67 100644 --- a/workbooks/alz_checklist.en_network_workbook.json +++ b/workbooks/alz_checklist.en_network_workbook.json 
@@ -70,43 +70,43 @@
 "style": "tabs",
 "links": [
 {
- "id": "88960169-4e71-4469-bb9f-7fe506dcc995",
+ "id": "081f3d57-3bc2-4f33-8742-1e932f031913",
 "cellValue": "VisibleTab",
 "linkTarget": "parameter",
- "linkLabel": "Internet",
+ "linkLabel": "Hub and spoke",
 "subTarget": "tab0",
- "preText": "Internet",
+ "preText": "Hub and spoke",
 "style": "primary"
 },
 {
- "id": "bd47742a-bc2a-4fff-9a20-fe9bd6fcc48a",
+ "id": "24c0b94a-bf12-45a5-bb10-73b50835225a",
 "cellValue": "VisibleTab",
 "linkTarget": "parameter",
- "linkLabel": "IP plan",
+ "linkLabel": "PaaS",
 "subTarget": "tab1",
- "preText": "IP plan",
+ "preText": "PaaS",
 "style": "primary"
 },
 {
- "id": "4459248d-85c5-4a68-be0b-6eafb7a1465f",
+ "id": "36297861-96c4-4393-a4c1-54ce3121f843",
 "cellValue": "VisibleTab",
 "linkTarget": "parameter",
- "linkLabel": "Virtual WAN",
+ "linkLabel": "Internet",
 "subTarget": "tab2",
- "preText": "Virtual WAN",
+ "preText": "Internet",
 "style": "primary"
 },
 {
- "id": "252e8c43-5445-4d49-87cb-5f13c83341ce",
+ "id": "a1e106ad-57c7-41e3-a977-741dea3c5670",
 "cellValue": "VisibleTab",
 "linkTarget": "parameter",
- "linkLabel": "Hybrid",
+ "linkLabel": "IP plan",
 "subTarget": "tab3",
- "preText": "Hybrid",
+ "preText": "IP plan",
 "style": "primary"
 },
 {
- "id": "9a063e90-4430-49a2-80c4-122bf5676aa1",
+ "id": "3825edc7-7e68-48e4-9397-131ba188013a",
 "cellValue": "VisibleTab",
 "linkTarget": "parameter",
 "linkLabel": "Segmentation",
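Review bot: Every tab link in this hunk gets a new `id` GUID and the labels are permuted across `tab0`..`tab3` (for example `tab0` goes from Internet to Hub and spoke), while the hunk shows no other change to the entries. That pattern suggests the generator emits random ids and an unordered section list on each run, though the generator itself is not visible here. Because this workbook carries the compliance queries, such churn makes a real change to a check hard to spot in review; deriving each `id` from the section name and sorting the sections before emitting would keep regenerated output stable. The `links` array closes in the following hunk.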
@@ -115,21 +115,21 @@
 "style": "primary"
 },
 {
- "id": "75c1ad0d-db2b-4790-b07b-5d23227bf0d1",
+ "id": "d5c3f2f6-303f-4a8e-bacf-131e19c1f7b0",
 "cellValue": "VisibleTab",
 "linkTarget": "parameter",
- "linkLabel": "Hub and spoke",
+ "linkLabel": "Virtual WAN",
 "subTarget": "tab5",
- "preText": "Hub and spoke",
+ "preText": "Virtual WAN",
 "style": "primary"
 },
 {
- "id": "e0a39b3d-70a4-4ac9-8ed5-18897f323044",
+ "id": "6e188e69-7e5c-4bbb-8f47-32767258825d",
 "cellValue": "VisibleTab",
 "linkTarget": "parameter",
- "linkLabel": "PaaS",
+ "linkLabel": "Hybrid",
 "subTarget": "tab6",
- "preText": "PaaS",
+ "preText": "Hybrid",
 "style": "primary"
 }
 ]
@@ -145,22 +145,22 @@
 {
 "type": 1,
 "content": {
- "json": "## Internet"
+ "json": "## Hub and spoke"
 },
 "name": "tab0title"
 },
 {
 "type": 1,
 "content": {
- "json": "Use Azure Bastion in a subnet /26 or larger. Check [this link](https://learn.microsoft.com/azure/bastion/bastion-faq#subnet) for further information."
+ "json": "If using Route Server, use a /27 prefix for the Route Server subnet. Check [this link](https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1) for further information."
 },
- "name": "querytext12"
+ "name": "querytext0"
 },
 {
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
 "size": 0,
 "queryType": 1,
 "resourceType": "microsoft.resourcegraph/resources",
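Review bot: The RouteServerSubnet query compares `subnetPrefixLength` with 27 without converting it, and `split(subnetPrefix, '/')[1]` yields a dynamic string, so the result depends on implicit conversion that is worth confirming in Resource Graph. A subnet whose `properties.addressPrefix` is empty would likewise produce a null `compliant`, and with OnlyFailed set the filter `where compliant == 0 or not (onlyFailed == 1)` then drops that row instead of reporting it. I would make the conversion explicit with `| extend subnetPrefixLength = toint(split(subnetPrefix, '/')[1])` and treat a null result as failed. The AzureBastionSubnet query re-added in the @@ -457 hunk has the same shape; the query item's grid settings continue outside this hunk.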
@@ -209,20 +209,20 @@
 ]
 }
 },
- "name": "query12"
+ "name": "query0"
 },
 {
 "type": 1,
 "content": {
- "json": "Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over protocols not supported by application rules. Check [this link](https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules) for further information."
+ "json": "When connecting spoke virtual networks to the central hub virtual network, consider VNet peering limits (500), the maximum number of prefixes that can be advertised via ExpressRoute (1000). Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information."
 },
- "name": "querytext13"
+ "name": "querytext1"
 },
 {
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
 "size": 0,
 "queryType": 1,
 "resourceType": "microsoft.resourcegraph/resources",
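Review bot: The peering text quotes the platform limit (500) but the query fails a VNet once `peeringcount < 450` is false, and nothing in the visible text explains the margin. The route-table check in the next hunk does the same with `routeCount < 360` against a stated limit of 400. Someone reading a Failed row next to "limits (500)" cannot tell whether the workbook or the text is wrong, so I would state the threshold in the `json` text, for example `consider VNet peering limits (500; this check fails at 90% of the limit)`. The text also mentions the ExpressRoute prefix limit (1000), which this query does not evaluate; saying so would avoid a false sense of coverage.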
@@ -271,20 +271,20 @@
 ]
 }
 },
- "name": "query13"
+ "name": "query1"
 },
 {
 "type": 1,
 "content": {
- "json": "Use Azure Firewall Premium for additional security and protection. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information."
+ "json": "Consider the limit of routes per route table (400). Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information."
 },
- "name": "querytext14"
+ "name": "querytext2"
 },
 {
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
 "size": 0,
 "queryType": 1,
 "resourceType": "microsoft.resourcegraph/resources",
@@ -333,20 +333,20 @@
 ]
 }
 },
- "name": "query14"
+ "name": "query2"
 },
 {
 "type": 1,
 "content": {
- "json": "Configure Azure Firewall Threat Intelligence mode to Alert and Deny for additional protection. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information."
+ "json": "Use the setting 'Allow traffic to remote virtual network' when configuring VNet peerings. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering) for further information."
 },
- "name": "querytext15"
+ "name": "querytext3"
 },
 {
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
 "size": 0,
 "queryType": 1,
 "resourceType": "microsoft.resourcegraph/resources",
@@ -395,20 +395,42 @@
 ]
 }
 },
- "name": "query15"
+ "name": "query3"
+ }
+ ]
+ },
+ "conditionalVisibility": {
+ "parameterName": "VisibleTab",
+ "comparison": "isEqualTo",
+ "value": "tab0"
+ },
+ "name": "tab0"
+ },
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "items": [
+ {
+ "type": 1,
+ "content": {
+ "json": "## PaaS"
+ },
+ "name": "tab1title"
 },
 {
 "type": 1,
 "content": {
- "json": "Configure Azure Firewall IDPS mode to Deny for additional protection. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features#idps) for further information."
+ "json": "Don't enable virtual network service endpoints by default on all subnets. Check [this link](https://learn.microsoft.com/azure/app-service/networking-features) for further information.. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn) can help to educate yourself on this."
 },
- "name": "querytext16"
+ "name": "querytext18"
 },
 {
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
 "size": 0,
 "queryType": 1,
 "resourceType": "microsoft.resourcegraph/resources",
@@ -457,20 +479,42 @@ ] } }, - "name": "query16" + "name": "query18" + } + ] + }, + "conditionalVisibility": { + "parameterName": "VisibleTab", + "comparison": "isEqualTo", + "value": "tab1" + }, + "name": "tab1" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Internet" + }, + "name": "tab2title" }, { "type": 1, "content": { - "json": "For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview) for further information." + "json": "Use Azure Bastion in a subnet /26 or larger. Check [this link](https://learn.microsoft.com/azure/bastion/bastion-faq#subnet) for further information." }, - "name": "querytext17" + "name": "querytext12" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project 
id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 0, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -519,42 +563,20 @@
 ]
 }
 },
- "name": "query17"
- }
- ]
- },
- "conditionalVisibility": {
- "parameterName": "VisibleTab",
- "comparison": "isEqualTo",
- "value": "tab0"
- },
- "name": "tab0"
- },
- {
- "type": 12,
- "content": {
- "version": "NotebookGroup/1.0",
- "groupType": "editable",
- "items": [
- {
- "type": 1,
- "content": {
- "json": "## IP plan"
- },
- "name": "tab1title"
+ "name": "query12"
 },
 {
 "type": 1,
 "content": {
- "json": "Use IP addresses from the address allocation ranges for private internets (RFC 1918). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this."
+ "json": "Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over protocols not supported by application rules. Check [this link](https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules) for further information."
 },
- "name": "querytext10"
+ "name": "querytext13"
 },
 {
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.)') | project id, compliant, cidr | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
 "size": 0,
 "queryType": 1,
 "resourceType": "microsoft.resourcegraph/resources",
@@ -603,20 +625,20 @@
 ]
 }
 },
- "name": "query10"
+ "name": "query13"
 },
 {
 "type": 1,
 "content": {
- "json": "Ensure that IP address space isn't wasted, don't create unnecessarily large virtual networks (for example /16). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this."
+ "json": "Use Azure Firewall Premium for additional security and protection. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information."
 },
- "name": "querytext11"
+ "name": "querytext14"
 },
 {
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
 "size": 0,
 "queryType": 1,
 "resourceType": "microsoft.resourcegraph/resources",
@@ -665,42 +687,20 @@
 ]
 }
 },
- "name": "query11"
- }
- ]
- },
- "conditionalVisibility": {
- "parameterName": "VisibleTab",
- "comparison": "isEqualTo",
- "value": "tab1"
- },
- "name": "tab1"
- },
- {
- "type": 12,
- "content": {
- "version": "NotebookGroup/1.0",
- "groupType": "editable",
- "items": [
- {
- "type": 1,
- "content": {
- "json": "## Virtual WAN"
- },
- "name": "tab2title"
+ "name": "query14"
 },
 {
 "type": 1,
 "content": {
- "json": "For outbound Internet traffic protection and filtering, deploy Azure Firewall in secured hubs. Check [this link](https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/) can help to educate yourself on this."
+ "json": "Configure Azure Firewall Threat Intelligence mode to Alert and Deny for additional protection. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information."
 },
- "name": "querytext23"
+ "name": "querytext15"
 },
 {
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
+ "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed",
 "size": 0,
 "queryType": 1,
 "resourceType": "microsoft.resourcegraph/resources",
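Review bot: The threat-intelligence check here evaluates `microsoft.network/firewallpolicies` only, as do the DNS proxy, Premium tier and IDPS checks in the @@ -519, @@ -603 and @@ -749 hunks, so a firewall that has no policy attached never appears in any of these result sets. An empty Failed list therefore does not show that every deployed firewall denies on threat-intelligence hits; whether policy-less firewalls exist in the audited subscriptions cannot be told from this diff. If they are in scope, a companion check over `microsoft.network/azurefirewalls` would close the gap. At minimum I would append `This check evaluates firewall policies, not firewalls.` to the `json` text so the result is not read as full coverage.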
@@ -749,42 +749,20 @@ ] } }, - "name": "query23" - } - ] - }, - "conditionalVisibility": { - "parameterName": "VisibleTab", - "comparison": "isEqualTo", - "value": "tab2" - }, - "name": "tab2" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 1, - "content": { - "json": "## Hybrid" - }, - "name": "tab3title" + "name": "query15" }, { "type": 1, "content": { - "json": "Ensure that you're using the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-routing) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this." + "json": "Configure Azure Firewall IDPS mode to Deny for additional protection. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features#idps) for further information." }, - "name": "querytext4" + "name": "querytext16" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 0, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -833,20 +811,20 @@ ] } }, - "name": "query4" + "name": "query16" }, { "type": 1, "content": { - "json": "Ensure that you're using unlimited-data ExpressRoute circuits only if you reach the bandwidth that justifies their cost. Check [this link](https://learn.microsoft.com/azure/expressroute/plan-manage-cost) for further information." + "json": "For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview) for further information." }, - "name": "querytext5" + "name": "querytext17" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == 
true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 0, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
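Review bot: The added query for the route-table item marks a subnet compliant as soon as any route table is attached (`hasRT = isnotnull(subnetRT)`), while the item text asks that Internet traffic be redirected to Azure Firewall or a Network Virtual Appliance. A subnet whose route table has no default route, or one pointing elsewhere, therefore passes this check. Either join `microsoft.network/routetables` and test for a `0.0.0.0/0` route with a `VirtualAppliance` next hop, or state the limit in the item text, for example `This query only verifies that a route table is attached, not where its default route points.` The workbook's own header text says it is generated from the checklists, so the change presumably belongs in the checklist's query rather than in this file.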
@@ -895,20 +873,42 @@ ] } }, - "name": "query5" + "name": "query17" + } + ] + }, + "conditionalVisibility": { + "parameterName": "VisibleTab", + "comparison": "isEqualTo", + "value": "tab2" + }, + "name": "tab2" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## IP plan" + }, + "name": "tab3title" }, { "type": 1, "content": { - "json": "Leverage the Local SKU of ExpressRoute to reduce the cost of your circuits, if your circuits' peering location supports your Azure regions for the Local SKU. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local) for further information." + "json": "Use IP addresses from the address allocation ranges for private internets (RFC 1918). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this." 
}, - "name": "querytext6" + "name": "querytext10" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.)') | project id, compliant, cidr | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 0, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -957,20 +957,20 @@ ] } }, - "name": "query6" + "name": "query10" }, { "type": 1, "content": { - "json": "Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this." + "json": "Ensure that IP address space isn't wasted, don't create unnecessarily large virtual networks (for example /16). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this." }, - "name": "querytext7" + "name": "querytext11" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", 
"size": 0, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
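Review bot: `addressMask = split(addressPrefix,'/')[1]` leaves the prefix length as a dynamic string, so `compliant = addressMask > 16` depends on an implicit conversion that may not compare numerically. An explicit cast makes the intent clear: `| extend addressMask = toint(split(addressPrefix,'/')[1])`. The same pattern appears in the later hunks that add the AzureFirewallSubnet query (`subnetPrefixLength == 26`) and the GatewaySubnet query (`subnetPrefixLength <= 27`). It is worth confirming in Resource Graph how these rows evaluate today, because a wrong result here shows up as a silent pass or fail in the compliance view.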
@@ -1019,20 +1019,42 @@ ] } }, - "name": "query7" + "name": "query11" + } + ] + }, + "conditionalVisibility": { + "parameterName": "VisibleTab", + "comparison": "isEqualTo", + "value": "tab3" + }, + "name": "tab3" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Segmentation" + }, + "name": "tab4title" }, { "type": 1, "content": { - "json": "Use zone-redundant VPN gateways to connect branches or remote locations to Azure (where available). Check [this link](https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway) for further information.. [This training](https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/) can help to educate yourself on this." + "json": "Use a /26 prefix for your Azure Firewall subnets. Check [this link](https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size) for further information." 
}, - "name": "querytext8" + "name": "querytext19" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 0, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -1081,20 +1103,20 @@ ] } }, - "name": "query8" + "name": "query19" }, { "type": 1, "content": { - "json": "If you are using a route table in the GatewaySubnet, make sure that gateway routes are propagated. Check [this link](https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub) for further information." + "json": "Use at least a /27 prefix for your Gateway subnets. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway) for further information." }, - "name": "querytext9" + "name": "querytext20" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation)) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 0, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -1143,42 +1165,20 @@ ] } }, - "name": "query9" - } - ] - }, - "conditionalVisibility": { - "parameterName": "VisibleTab", - "comparison": "isEqualTo", - "value": "tab3" - }, - "name": "tab3" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 1, - "content": { - "json": "## Segmentation" - }, - "name": "tab4title" + "name": "query20" }, { "type": 1, "content": { - "json": "Use a /26 prefix for your Azure Firewall subnets. Check [this link](https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size) for further information." + "json": "Don't rely on the NSG inbound default rules using the VirtualNetwork service tag to limit connectivity. Check [this link](https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags) for further information." }, - "name": "querytext19" + "name": "querytext21" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project 
id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 0, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -1227,20 +1227,20 @@ ] } }, - "name": "query19" + "name": "query21" }, { "type": 1, "content": { - "json": "Use at least a /27 prefix for your Gateway subnets. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway) for further information." + "json": "The application team should use application security groups at the subnet-level NSGs to help protect multi-tier VMs within the landing zone. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/) can help to educate yourself on this." }, - "name": "querytext20" + "name": "querytext22" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetName=subnets.name,subnetNsg=subnets.properties.networkSecurityGroup | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend compliant = isnotnull(subnetNsg) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 0, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -1289,20 +1289,42 @@ ] } }, - "name": "query20" + "name": "query22" + } + ] + }, + "conditionalVisibility": { + "parameterName": "VisibleTab", + "comparison": "isEqualTo", + "value": "tab4" + }, + "name": "tab4" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Virtual WAN" + }, + "name": "tab5title" }, { "type": 1, "content": { - "json": "Don't rely on the NSG inbound default rules using the VirtualNetwork service tag to limit connectivity. Check [this link](https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags) for further information." + "json": "For outbound Internet traffic protection and filtering, deploy Azure Firewall in secured hubs. Check [this link](https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/) can help to educate yourself on this." 
}, - "name": "querytext21" + "name": "querytext23" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 0, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -1351,20 +1373,42 @@ ] } }, - "name": "query21" + "name": "query23" + } + ] + }, + "conditionalVisibility": { + "parameterName": "VisibleTab", + "comparison": "isEqualTo", + "value": "tab5" + }, + "name": "tab5" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Hybrid" + }, + "name": "tab6title" }, { "type": 1, "content": { - "json": "The application team should use application security groups at the subnet-level NSGs to help protect multi-tier VMs within the landing zone. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/) can help to educate yourself on this." + "json": "Ensure that you're using the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-routing) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this." 
}, - "name": "querytext22" + "name": "querytext4" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetName=subnets.name,subnetNsg=subnets.properties.networkSecurityGroup | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend compliant = isnotnull(subnetNsg) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 0, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -1413,42 +1457,20 @@ ] } }, - "name": "query22" - } - ] - }, - "conditionalVisibility": { - "parameterName": "VisibleTab", - "comparison": "isEqualTo", - "value": "tab4" - }, - "name": "tab4" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 1, - "content": { - "json": "## Hub and spoke" - }, - "name": "tab5title" + "name": "query4" }, { "type": 1, "content": { - "json": "If using Route Server, use a /27 prefix for the Route Server subnet. Check [this link](https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1) for further information." + "json": "Ensure that you're using unlimited-data ExpressRoute circuits only if you reach the bandwidth that justifies their cost. Check [this link](https://learn.microsoft.com/azure/expressroute/plan-manage-cost) for further information." }, - "name": "querytext0" + "name": "querytext5" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 0, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -1497,20 +1519,20 @@ ] } }, - "name": "query0" + "name": "query5" }, { "type": 1, "content": { - "json": "When connecting spoke virtual networks to the central hub virtual network, consider VNet peering limits (500), the maximum number of prefixes that can be advertised via ExpressRoute (1000). Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information." + "json": "Leverage the Local SKU of ExpressRoute to reduce the cost of your circuits, if your circuits' peering location supports your Azure regions for the Local SKU. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local) for further information." }, - "name": "querytext1" + "name": "querytext6" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 0, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -1559,20 +1581,20 @@ ] } }, - "name": "query1" + "name": "query6" }, { "type": 1, "content": { - "json": "Consider the limit of routes per route table (400). Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information." + "json": "Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this." }, - "name": "querytext2" + "name": "querytext7" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 0, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -1621,20 +1643,20 @@ ] } }, - "name": "query2" + "name": "query7" }, { "type": 1, "content": { - "json": "Use the setting 'Allow traffic to remote virtual network' when configuring VNet peerings. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering) for further information." + "json": "Use zone-redundant VPN gateways to connect branches or remote locations to Azure (where available). Check [this link](https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway) for further information.. [This training](https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/) can help to educate yourself on this." }, - "name": "querytext3" + "name": "querytext8" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 0, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -1683,42 +1705,20 @@ ] } }, - "name": "query3" - } - ] - }, - "conditionalVisibility": { - "parameterName": "VisibleTab", - "comparison": "isEqualTo", - "value": "tab5" - }, - "name": "tab5" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 1, - "content": { - "json": "## PaaS" - }, - "name": "tab6title" + "name": "query8" }, { "type": 1, "content": { - "json": "Don't enable virtual network service endpoints by default on all subnets. Check [this link](https://learn.microsoft.com/azure/app-service/networking-features) for further information.. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn) can help to educate yourself on this." + "json": "If you are using a route table in the GatewaySubnet, make sure that gateway routes are propagated. Check [this link](https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub) for further information." 
}, - "name": "querytext18" + "name": "querytext9" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation)) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 0, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", @@ -1767,7 +1767,7 @@ ] } }, - "name": "query18" + "name": "query9" } ] }, diff --git a/workbooks/alz_checklist.en_network_workbook_template.json b/workbooks/alz_checklist.en_network_workbook_template.json index b513bdeba..977c554d8 100644 --- a/workbooks/alz_checklist.en_network_workbook_template.json +++ b/workbooks/alz_checklist.en_network_workbook_template.json 
@@ -41,7 +41,7 @@ "dependsOn": [], "properties": { "displayName": "[parameters('workbookDisplayName')]", - "serializedData": "{\n \"version\": \"Notebook/1.0\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"parameters\": [\n {\n \"id\": \"497a107e-dde8-433e-b263-35ac8e8f7834\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Subscription\",\n \"type\": 6,\n \"multiSelect\": true,\n \"quote\": \"'\",\n \"delimiter\": \",\",\n \"typeSettings\": {\n \"additionalResourceOptions\": [\n \"value::all\"\n ],\n \"includeAll\": true,\n \"showDefault\": false\n },\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"value\": [\n \"value::all\"\n ]\n },\n {\n \"id\": \"844e4f4e-df51-4e3c-8eaf-0dc78b92c721\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"OnlyFailed\",\n \"label\": \"Only show failed\",\n \"type\": 2,\n \"typeSettings\": {\n \"additionalResourceOptions\": [],\n \"showDefault\": false\n },\n \"jsonData\": \"[\\r\\n { \\\"value\\\":true, \\\"label\\\":\\\"True\\\" },\\r\\n { \\\"value\\\":false, \\\"label\\\":\\\"False\\\", \\\"selected\\\":true }\\r\\n]\"\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 0,\n \"resourceType\": \"microsoft.operationalinsights/workspaces\"\n },\n \"name\": \"WorkbookSelectors\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you set \\\"Only show failed\\\" to \\\"Yes\\\", the different queries will only show items that have failed their compliance checks.\",\n \"style\": \"info\"\n },\n \"name\": \"InfoBox\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Azure Landing Zone Review - Network\\n\\n---\\n\\nThis workbook has been automatically generated out of the checklists in the [Azure Review Checklists repo](https://github.com/Azure/review-checklists). 
This repo contains best practices and recommendations around generic Landing Zones as well as specific services such as Azure Virtual Desktop, Azure Kubernetes Service or Azure VMware Solution, to name a few. This repository of best practices is curated by Azure engineers, but open to anybody to contribute.\\n\\nIf you see a problem in the queries that are part of this workbook, please open a Github issue [here](https://github.com/Azure/review-checklists/issues/new).\"\n },\n \"customWidth\": \"100\",\n \"name\": \"MarkdownHeader\"\n },\n {\n \"type\": 11,\n \"content\": {\n \"version\": \"LinkItem/1.0\",\n \"style\": \"tabs\",\n \"links\": [\n {\n \"id\": \"88960169-4e71-4469-bb9f-7fe506dcc995\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Internet\",\n \"subTarget\": \"tab0\",\n \"preText\": \"Internet\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"bd47742a-bc2a-4fff-9a20-fe9bd6fcc48a\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"IP plan\",\n \"subTarget\": \"tab1\",\n \"preText\": \"IP plan\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"4459248d-85c5-4a68-be0b-6eafb7a1465f\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Virtual WAN\",\n \"subTarget\": \"tab2\",\n \"preText\": \"Virtual WAN\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"252e8c43-5445-4d49-87cb-5f13c83341ce\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Hybrid\",\n \"subTarget\": \"tab3\",\n \"preText\": \"Hybrid\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"9a063e90-4430-49a2-80c4-122bf5676aa1\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Segmentation\",\n \"subTarget\": \"tab4\",\n \"preText\": \"Segmentation\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"75c1ad0d-db2b-4790-b07b-5d23227bf0d1\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Hub 
and spoke\",\n \"subTarget\": \"tab5\",\n \"preText\": \"Hub and spoke\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"e0a39b3d-70a4-4ac9-8ed5-18897f323044\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"PaaS\",\n \"subTarget\": \"tab6\",\n \"preText\": \"PaaS\",\n \"style\": \"primary\"\n }\n ]\n },\n \"name\": \"Tabs\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Internet\"\n },\n \"name\": \"tab0title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure Bastion in a subnet /26 or larger. Check [this link](https://learn.microsoft.com/azure/bastion/bastion-faq#subnet) for further information.\"\n },\n \"name\": \"querytext12\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": 
\"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query12\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over protocols not supported by application rules. Check [this link](https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules) for further information.\"\n },\n \"name\": \"querytext13\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query13\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure Firewall 
Premium for additional security and protection. Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information.\"\n },\n \"name\": \"querytext14\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query14\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Configure Azure Firewall Threat Intelligence mode to Alert and Deny for additional protection. 
Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information.\"\n },\n \"name\": \"querytext15\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query15\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Configure Azure Firewall IDPS mode to Deny for additional protection. 
Check [this link](https://learn.microsoft.com/azure/firewall/premium-features#idps) for further information.\"\n },\n \"name\": \"querytext16\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query16\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance. 
Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview) for further information.\"\n },\n \"name\": \"querytext17\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n 
\"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query17\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab0\"\n },\n \"name\": \"tab0\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## IP plan\"\n },\n \"name\": \"tab1title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use IP addresses from the address allocation ranges for private internets (RFC 1918). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. 
[This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext10\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query10\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure that IP address space isn't wasted, don't create unnecessarily large virtual networks (for example /16). 
Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext11\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query11\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab1\"\n },\n \"name\": \"tab1\"\n },\n 
{\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Virtual WAN\"\n },\n \"name\": \"tab2title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"For outbound Internet traffic protection and filtering, deploy Azure Firewall in secured hubs. Check [this link](https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext23\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query23\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n 
\"value\": \"tab2\"\n },\n \"name\": \"tab2\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Hybrid\"\n },\n \"name\": \"tab3title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure that you're using the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-routing) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext4\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": 
\"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query4\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure that you're using unlimited-data ExpressRoute circuits only if you reach the bandwidth that justifies their cost. Check [this link](https://learn.microsoft.com/azure/expressroute/plan-manage-cost) for further information.\"\n },\n \"name\": \"querytext5\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query5\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Leverage the Local SKU of ExpressRoute to reduce the cost of your circuits, if your circuits' peering location supports your Azure regions for the Local SKU. 
Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local) for further information.\"\n },\n \"name\": \"querytext6\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query6\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways) for further information.. 
[This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext7\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query7\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use zone-redundant VPN gateways to connect branches or remote locations to Azure (where available). Check [this link](https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway) for further information.. 
[This training](https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext8\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query8\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you are using a route table in the GatewaySubnet, make sure that gateway routes are propagated. 
Check [this link](https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub) for further information.\"\n },\n \"name\": \"querytext9\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation)) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query9\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n 
\"value\": \"tab3\"\n },\n \"name\": \"tab3\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Segmentation\"\n },\n \"name\": \"tab4title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use a /26 prefix for your Azure Firewall subnets. Check [this link](https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size) for further information.\"\n },\n \"name\": \"querytext19\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n 
}\n }\n ]\n }\n },\n \"name\": \"query19\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use at least a /27 prefix for your Gateway subnets. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway) for further information.\"\n },\n \"name\": \"querytext20\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query20\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Don't rely on the NSG inbound default rules using the VirtualNetwork service tag to limit connectivity. 
Check [this link](https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags) for further information.\"\n },\n \"name\": \"querytext21\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n 
\"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query21\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"The application team should use application security groups at the subnet-level NSGs to help protect multi-tier VMs within the landing zone. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext22\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetName=subnets.name,subnetNsg=subnets.properties.networkSecurityGroup | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend compliant = isnotnull(subnetNsg) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n 
\"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query22\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab4\"\n },\n \"name\": \"tab4\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Hub and spoke\"\n },\n \"name\": \"tab5title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If using Route Server, use a /27 prefix for the Route Server subnet. Check [this link](https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1) for further information.\"\n },\n \"name\": \"querytext0\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n 
\"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query0\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"When connecting spoke virtual networks to the central hub virtual network, consider VNet peering limits (500), the maximum number of prefixes that can be advertised via ExpressRoute (1000). Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information.\"\n },\n \"name\": \"querytext1\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": 
\"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query1\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Consider the limit of routes per route table (400). Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information.\"\n },\n \"name\": \"querytext2\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query2\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use the setting 'Allow traffic to remote virtual network' when configuring VNet peerings. 
Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering) for further information.\"\n },\n \"name\": \"querytext3\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query3\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab5\"\n },\n \"name\": \"tab5\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## PaaS\"\n },\n \"name\": \"tab6title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Don't enable virtual network service 
endpoints by default on all subnets. Check [this link](https://learn.microsoft.com/azure/app-service/networking-features) for further information.. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn) can help to educate yourself on this.\"\n },\n \"name\": \"querytext18\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query18\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab6\"\n },\n \"name\": \"tab6\"\n }\n ],\n \"$schema\": 
\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"\n}", + "serializedData": "{\n \"version\": \"Notebook/1.0\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"parameters\": [\n {\n \"id\": \"497a107e-dde8-433e-b263-35ac8e8f7834\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Subscription\",\n \"type\": 6,\n \"multiSelect\": true,\n \"quote\": \"'\",\n \"delimiter\": \",\",\n \"typeSettings\": {\n \"additionalResourceOptions\": [\n \"value::all\"\n ],\n \"includeAll\": true,\n \"showDefault\": false\n },\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"value\": [\n \"value::all\"\n ]\n },\n {\n \"id\": \"844e4f4e-df51-4e3c-8eaf-0dc78b92c721\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"OnlyFailed\",\n \"label\": \"Only show failed\",\n \"type\": 2,\n \"typeSettings\": {\n \"additionalResourceOptions\": [],\n \"showDefault\": false\n },\n \"jsonData\": \"[\\r\\n { \\\"value\\\":true, \\\"label\\\":\\\"True\\\" },\\r\\n { \\\"value\\\":false, \\\"label\\\":\\\"False\\\", \\\"selected\\\":true }\\r\\n]\"\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 0,\n \"resourceType\": \"microsoft.operationalinsights/workspaces\"\n },\n \"name\": \"WorkbookSelectors\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you set \\\"Only show failed\\\" to \\\"Yes\\\", the different queries will only show items that have failed their compliance checks.\",\n \"style\": \"info\"\n },\n \"name\": \"InfoBox\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Azure Landing Zone Review - Network\\n\\n---\\n\\nThis workbook has been automatically generated out of the checklists in the [Azure Review Checklists repo](https://github.com/Azure/review-checklists). 
This repo contains best practices and recommendations around generic Landing Zones as well as specific services such as Azure Virtual Desktop, Azure Kubernetes Service or Azure VMware Solution, to name a few. This repository of best practices is curated by Azure engineers, but open to anybody to contribute.\\n\\nIf you see a problem in the queries that are part of this workbook, please open a Github issue [here](https://github.com/Azure/review-checklists/issues/new).\"\n },\n \"customWidth\": \"100\",\n \"name\": \"MarkdownHeader\"\n },\n {\n \"type\": 11,\n \"content\": {\n \"version\": \"LinkItem/1.0\",\n \"style\": \"tabs\",\n \"links\": [\n {\n \"id\": \"081f3d57-3bc2-4f33-8742-1e932f031913\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Hub and spoke\",\n \"subTarget\": \"tab0\",\n \"preText\": \"Hub and spoke\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"24c0b94a-bf12-45a5-bb10-73b50835225a\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"PaaS\",\n \"subTarget\": \"tab1\",\n \"preText\": \"PaaS\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"36297861-96c4-4393-a4c1-54ce3121f843\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Internet\",\n \"subTarget\": \"tab2\",\n \"preText\": \"Internet\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"a1e106ad-57c7-41e3-a977-741dea3c5670\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"IP plan\",\n \"subTarget\": \"tab3\",\n \"preText\": \"IP plan\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"3825edc7-7e68-48e4-9397-131ba188013a\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Segmentation\",\n \"subTarget\": \"tab4\",\n \"preText\": \"Segmentation\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"d5c3f2f6-303f-4a8e-bacf-131e19c1f7b0\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": 
\"Virtual WAN\",\n \"subTarget\": \"tab5\",\n \"preText\": \"Virtual WAN\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"6e188e69-7e5c-4bbb-8f47-32767258825d\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Hybrid\",\n \"subTarget\": \"tab6\",\n \"preText\": \"Hybrid\",\n \"style\": \"primary\"\n }\n ]\n },\n \"name\": \"Tabs\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Hub and spoke\"\n },\n \"name\": \"tab0title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If using Route Server, use a /27 prefix for the Route Server subnet. Check [this link](https://learn.microsoft.com/azure/route-server/quickstart-configure-route-server-portal#create-a-route-server-1) for further information.\"\n },\n \"name\": \"querytext0\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'RouteServerSubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": 
\"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query0\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"When connecting spoke virtual networks to the central hub virtual network, consider VNet peering limits (500), the maximum number of prefixes that can be advertised via ExpressRoute (1000). Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information.\"\n },\n \"name\": \"querytext1\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | summarize peeringcount = count() by id | extend compliant = (peeringcount < 450) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n 
\"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query1\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Consider the limit of routes per route table (400). Check [this link](https://learn.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#azure-resource-manager-virtual-networking-limits) for further information.\"\n },\n \"name\": \"querytext2\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/routetables' | mvexpand properties.routes | summarize routeCount = count() by id | extend compliant = (routeCount < 360) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query2\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use the setting 'Allow traffic to remote virtual 
network' when configuring VNet peerings. Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-network-manage-peering) for further information.\"\n },\n \"name\": \"querytext3\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | project id, peeringName=properties_virtualNetworkPeerings.name, compliant = (properties_virtualNetworkPeerings.properties.allowVirtualNetworkAccess == True) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query3\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab0\"\n },\n \"name\": \"tab0\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## PaaS\"\n },\n \"name\": \"tab1title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": 
\"Don't enable virtual network service endpoints by default on all subnets. Check [this link](https://learn.microsoft.com/azure/app-service/networking-features) for further information.. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/?source=learn) can help to educate yourself on this.\"\n },\n \"name\": \"querytext18\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets = properties.subnets | mv-expand subnets | project id = subnets.id, resourceGroup, VNet = name, serviceEndpoints = subnets.properties.serviceEndpoints, compliant = (isnull(subnets.properties.serviceEndpoints) or array_length(subnets.properties.serviceEndpoints) == 0) | order by compliant asc | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query18\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab1\"\n },\n 
\"name\": \"tab1\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Internet\"\n },\n \"name\": \"tab2title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure Bastion in a subnet /26 or larger. Check [this link](https://learn.microsoft.com/azure/bastion/bastion-faq#subnet) for further information.\"\n },\n \"name\": \"querytext12\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureBastionSubnet' | extend compliant = (subnetPrefixLength <= 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query12\"\n },\n {\n \"type\": 1,\n 
\"content\": {\n \"json\": \"Use FQDN-based network rules and Azure Firewall with DNS proxy to filter egress traffic to the Internet over protocols not supported by application rules. Check [this link](https://learn.microsoft.com/azure/firewall/fqdn-filtering-network-rules) for further information.\"\n },\n \"name\": \"querytext13\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.dnsSettings.enableProxy == true) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query13\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure Firewall Premium for additional security and protection. 
Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information.\"\n },\n \"name\": \"querytext14\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.sku.tier == 'Premium') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query14\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Configure Azure Firewall Threat Intelligence mode to Alert and Deny for additional protection. 
Check [this link](https://learn.microsoft.com/azure/firewall/premium-features) for further information.\"\n },\n \"name\": \"querytext15\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.threatIntelMode == 'Deny') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query15\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Configure Azure Firewall IDPS mode to Deny for additional protection. 
Check [this link](https://learn.microsoft.com/azure/firewall/premium-features#idps) for further information.\"\n },\n \"name\": \"querytext16\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/firewallpolicies' | extend compliant = (properties.intrusionDetection.mode == 'Deny') | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query16\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"For subnets in VNets not connected to Virtual WAN, attach a route table so that Internet traffic is redirected to Azure Firewall or a Network Virtual Appliance. 
Check [this link](https://learn.microsoft.com/azure/virtual-network/virtual-networks-udr-overview) for further information.\"\n },\n \"name\": \"querytext17\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetId=tostring(subnets.id), subnetName=tostring(subnets.name),subnetRT=subnets.properties.routeTable.id | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend hasRT = isnotnull(subnetRT) | distinct id, hasRT, subnetId | join kind=fullouter (resources | where type == 'microsoft.network/virtualnetworks' | mvexpand properties.virtualNetworkPeerings | extend isVWAN=(tolower(split(properties_virtualNetworkPeerings.name, '_')[0]) == 'remotevnettohubpeering') | mv-expand properties.subnets | project id, isVWAN, name, subnetId=tostring(properties_subnets.id), subnetName=tostring(properties_subnets.name) | summarize PeeredToVWAN=max(isVWAN) by id, subnetId | project id, subnetId, isVWANpeer = (PeeredToVWAN == true)) on subnetId | project id=iff(isnotempty(id), id, id1), subnetId=iff(isnotempty(subnetId), subnetId, subnetId1), hasRT, isVWANpeer | extend compliant = (hasRT==true or isVWANpeer==true) | distinct id, subnetId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n 
\"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query17\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab2\"\n },\n \"name\": \"tab2\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## IP plan\"\n },\n \"name\": \"tab3title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use IP addresses from the address allocation ranges for private internets (RFC 1918). Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. 
[This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext10\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | project name, id, location, resourceGroup, subscriptionId, cidr = addressPrefix | extend compliant = (cidr matches regex @'^(10\\\\.|172\\\\.(1[6-9]|2[0-9]|3[01])\\\\.|192\\\\.168\\\\.)') | project id, compliant, cidr | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query10\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure that IP address space isn't wasted, don't create unnecessarily large virtual networks (for example /16). 
Check [this link](https://learn.microsoft.com/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-ip-addressing) for further information.. [This training](https://learn.microsoft.com/learn/paths/architect-network-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext11\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/virtualnetworks' | extend addressSpace = todynamic(properties.addressSpace) | extend addressPrefix = todynamic(properties.addressSpace.addressPrefixes) | mvexpand addressSpace | mvexpand addressPrefix | extend addressMask = split(addressPrefix,'/')[1] | extend compliant = addressMask > 16 | project name, id, subscriptionId, resourceGroup, addressPrefix, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query11\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab3\"\n },\n \"name\": \"tab3\"\n },\n 
{\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Segmentation\"\n },\n \"name\": \"tab4title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use a /26 prefix for your Azure Firewall subnets. Check [this link](https://learn.microsoft.com/azure/firewall/firewall-faq#why-does-azure-firewall-need-a--26-subnet-size) for further information.\"\n },\n \"name\": \"querytext19\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'AzureFirewallSubnet' | extend compliant = (subnetPrefixLength == 26) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query19\"\n },\n {\n 
\"type\": 1,\n \"content\": {\n \"json\": \"Use at least a /27 prefix for your Gateway subnets. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-howto-add-gateway-resource-manager#add-a-gateway) for further information.\"\n },\n \"name\": \"querytext20\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | project id, subnetName = subnets.name, subnetPrefix = subnets.properties.addressPrefix | extend subnetPrefixLength = split(subnetPrefix, '/')[1] | where subnetName == 'GatewaySubnet' | extend compliant = (subnetPrefixLength <= 27) | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query20\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Don't rely on the NSG inbound default rules using the VirtualNetwork service tag to limit connectivity. 
Check [this link](https://learn.microsoft.com/azure/virtual-network/service-tags-overview#available-service-tags) for further information.\"\n },\n \"name\": \"querytext21\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/networksecuritygroups' | mvexpand properties.securityRules | project id,name,ruleAction=properties_securityRules.properties.access,rulePriority=properties_securityRules.properties.priority,ruleDst=properties_securityRules.properties.destinationAddressPrefix,ruleSrc=properties_securityRules.properties.sourceAddressPrefix,ruleProt=properties_securityRules.properties.protocol,ruleDirection=properties_securityRules.properties.direction,rulePort=properties_securityRules.properties.destinationPortRange | summarize StarDenies=countif(ruleAction=='Deny' and ruleDst=='*' and ruleSrc=='*' and ruleProt=='*' and rulePort=='*') by id,tostring(ruleDirection) | where ruleDirection == 'Inbound' | project id,compliant=(StarDenies>0) | union (resources | where type=='microsoft.network/networksecuritygroups' | where array_length(properties.securityRules)==0 | extend compliant=false | project id,compliant) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n 
\"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query21\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"The application team should use application security groups at the subnet-level NSGs to help protect multi-tier VMs within the landing zone. [This training](https://learn.microsoft.com/learn/paths/implement-network-security/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext22\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"Resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,name,subnetName=subnets.name,subnetNsg=subnets.properties.networkSecurityGroup | where not (subnetName in ('GatewaySubnet', 'AzureFirewallSubnet', 'RouteServerSubnet', 'AzureBastionSubnet')) | extend compliant = isnotnull(subnetNsg) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n 
\"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query22\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab4\"\n },\n \"name\": \"tab4\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Virtual WAN\"\n },\n \"name\": \"tab5title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"For outbound Internet traffic protection and filtering, deploy Azure Firewall in secured hubs. Check [this link](https://learn.microsoft.com/azure/virtual-wan/virtual-wan-about) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-networking-infrastructure/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext23\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualhubs' | extend compliant = isnotnull(properties.azureFirewall.id) | project id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n 
\"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query23\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab5\"\n },\n \"name\": \"tab5\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Hybrid\"\n },\n \"name\": \"tab6title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure that you're using the right SKU for the ExpressRoute/VPN gateways based on bandwidth and performance requirements. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-routing) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext4\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier !in ('Basic', 'Standard')| project name, id, subscriptionId, resourceGroup, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": 
\"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query4\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure that you're using unlimited-data ExpressRoute circuits only if you reach the bandwidth that justifies their cost. Check [this link](https://learn.microsoft.com/azure/expressroute/plan-manage-cost) for further information.\"\n },\n \"name\": \"querytext5\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/expressroutecircuits' | extend compliant = (tolower(sku.family) == 'metereddata' or tolower(sku.tier) == 'local') | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n 
]\n }\n }\n ]\n }\n },\n \"name\": \"query5\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Leverage the Local SKU of ExpressRoute to reduce the cost of your circuits, if your circuits' peering location supports your Azure regions for the Local SKU. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-faqs#expressroute-local) for further information.\"\n },\n \"name\": \"querytext6\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/connections' | where properties.connectionType == 'ExpressRoute' | project id, gwid=tostring(properties.virtualNetworkGateway1.id), circuitid=tostring(properties.peer.id) | join (resources | where type=='microsoft.network/expressroutecircuits' | project circuitid=tostring(id), circuitsku=sku.tier) on circuitid | project id=gwid, compliant = (circuitsku == 'Local') | summarize compliant=max(compliant) by id | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query6\"\n },\n {\n \"type\": 1,\n 
\"content\": {\n \"json\": \"Deploy a zone-redundant ExpressRoute gateway in the supported Azure regions. Check [this link](https://learn.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways) for further information.. [This training](https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext7\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources| where type == 'microsoft.network/virtualnetworkgateways'| where properties.gatewayType =~ 'vpn' or properties.gatewayType == 'ExpressRoute'| extend SKUName = properties.sku.name, SKUTier = properties.sku.tier, Type = properties.gatewayType| extend compliant = SKUTier contains 'AZ'| project name, id, subscriptionId, resourceGroup, Type, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query7\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use zone-redundant VPN gateways to connect branches or remote locations to 
Azure (where available). Check [this link](https://learn.microsoft.com/azure/vpn-gateway/create-zone-redundant-vnet-gateway) for further information.. [This training](https://learn.microsoft.com/training/modules/intro-to-azure-vpn-gateway/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext8\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworkgateways' | where properties.gatewayType == 'Vpn' | extend compliant = (tolower(properties.sku.name) contains 'az') | distinct id, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query8\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you are using a route table in the GatewaySubnet, make sure that gateway routes are propagated. 
Check [this link](https://learn.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#gwsub) for further information.\"\n },\n \"name\": \"querytext9\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/virtualnetworks' | project id,resourceGroup,name,subnets=properties.subnets | mv-expand subnets | project id,resourceGroup,name,subnetName=tostring(subnets.name),routeTableId=tostring(subnets.properties.routeTable.id) | where subnetName == 'GatewaySubnet' | join kind=leftouter (Resources | where type == 'microsoft.network/routetables' | project routeTableName=name,routeTableId=id, disableBgpRoutePropagation=properties.disableBgpRoutePropagation) on routeTableId | project id,compliant = (disableBgpRoutePropagation == False or isnull(disableBgpRoutePropagation)) | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 0,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query9\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n 
\"value\": \"tab6\"\n },\n \"name\": \"tab6\"\n }\n ],\n \"$schema\": \"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"\n}", "version": "1.0", "sourceId": "[parameters('workbookSourceId')]", "category": "[parameters('workbookType')]" diff --git a/workbooks/appdelivery_checklist.en_network_counters_workbook_template.json b/workbooks/appdelivery_checklist.en_network_counters_workbook_template.json index 3a015b083..a20d2357e 100644 --- a/workbooks/appdelivery_checklist.en_network_counters_workbook_template.json +++ b/workbooks/appdelivery_checklist.en_network_counters_workbook_template.json @@ -357,7 +357,7 @@ "criteriaContext": { "operator": "Default", "resultValType": "expression", - "resultVal": "{Query5Stats:$.Success}+{Query6Stats:$.Success}+{Query7Stats:$.Success}+{Query9Stats:$.Success}" + "resultVal": "{Query1Stats:$.Success}+{Query8Stats:$.Success}" } } ] @@ -376,7 +376,7 @@ "criteriaContext": { "operator": "Default", "resultValType": "expression", - "resultVal": "{Query5Stats:$.Total}+{Query6Stats:$.Total}+{Query7Stats:$.Total}+{Query9Stats:$.Total}" + "resultVal": "{Query1Stats:$.Total}+{Query8Stats:$.Total}" } } ] @@ -414,7 +414,7 @@ "criteriaContext": { "operator": "Default", "resultValType": "expression", - "resultVal": "{Query1Stats:$.Success}+{Query8Stats:$.Success}" + "resultVal": "{Query0Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}+{Query4Stats:$.Success}" } } ] @@ -433,7 +433,7 @@ "criteriaContext": { "operator": "Default", "resultValType": "expression", - "resultVal": "{Query1Stats:$.Total}+{Query8Stats:$.Total}" + "resultVal": "{Query0Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}+{Query4Stats:$.Total}" } } ] 
@@ -471,7 +471,7 @@ "criteriaContext": { "operator": "Default", "resultValType": "expression", - "resultVal": "{Query0Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}+{Query4Stats:$.Success}" + "resultVal": "{Query5Stats:$.Success}+{Query6Stats:$.Success}+{Query7Stats:$.Success}+{Query9Stats:$.Success}" } } ] @@ -490,7 +490,7 @@ "criteriaContext": { "operator": "Default", "resultValType": "expression", - "resultVal": "{Query0Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}+{Query4Stats:$.Total}" + "resultVal": "{Query5Stats:$.Total}+{Query6Stats:$.Total}+{Query7Stats:$.Total}+{Query9Stats:$.Total}" } } ] @@ -528,7 +528,7 @@ "criteriaContext": { "operator": "Default", "resultValType": "expression", - "resultVal": "{Query5Stats:$.Total}+{Query6Stats:$.Total}+{Query7Stats:$.Total}+{Query9Stats:$.Total}+{Query1Stats:$.Total}+{Query8Stats:$.Total}+{Query0Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}+{Query4Stats:$.Total}" + "resultVal": "{Query1Stats:$.Total}+{Query8Stats:$.Total}+{Query0Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}+{Query4Stats:$.Total}+{Query5Stats:$.Total}+{Query6Stats:$.Total}+{Query7Stats:$.Total}+{Query9Stats:$.Total}" } } ] @@ -547,7 +547,7 @@ "criteriaContext": { "operator": "Default", "resultValType": "expression", - "resultVal": "{Query5Stats:$.Success}+{Query6Stats:$.Success}+{Query7Stats:$.Success}+{Query9Stats:$.Success}+{Query1Stats:$.Success}+{Query8Stats:$.Success}+{Query0Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}+{Query4Stats:$.Success}" + "resultVal": "{Query1Stats:$.Success}+{Query8Stats:$.Success}+{Query0Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}+{Query4Stats:$.Success}+{Query5Stats:$.Success}+{Query6Stats:$.Success}+{Query7Stats:$.Success}+{Query9Stats:$.Success}" } } ] 
@@ -621,30 +621,30 @@ "style": "tabs", "links": [ { - "id": "5f628b8a-893d-4df9-bdc9-d141576347f1", + "id": "cf0b3103-4467-409c-a9d1-02072d5af267", "cellValue": "VisibleTab", "linkTarget": "parameter", - "linkLabel": "Front Door ({Tab0Success:value}/{Tab0Total:value})", + "linkLabel": "Load Balancer ({Tab0Success:value}/{Tab0Total:value})", "subTarget": "tab0", - "preText": "Front Door", + "preText": "Load Balancer", "style": "primary" }, { - "id": "15539446-d759-42b0-8a9e-161bdb3129d8", + "id": "d4cf26ae-3ea8-4eac-a410-aecf04df6466", "cellValue": "VisibleTab", "linkTarget": "parameter", - "linkLabel": "Load Balancer ({Tab1Success:value}/{Tab1Total:value})", + "linkLabel": "App Gateway ({Tab1Success:value}/{Tab1Total:value})", "subTarget": "tab1", - "preText": "Load Balancer", + "preText": "App Gateway", "style": "primary" }, { - "id": "476014fd-446e-439b-8b70-0eb6d1f54411", + "id": "6886f8f6-7dfc-4cdd-bf92-1451454b3cec", "cellValue": "VisibleTab", "linkTarget": "parameter", - "linkLabel": "App Gateway ({Tab2Success:value}/{Tab2Total:value})", + "linkLabel": "Front Door ({Tab2Success:value}/{Tab2Total:value})", "subTarget": "tab2", - "preText": "App Gateway", + "preText": "Front Door", "style": "primary" } ] 
@@ -660,22 +660,22 @@ { "type": 1, "content": { - "json": "## Front Door" + "json": "## Load Balancer" }, "name": "tab0title" }, { "type": 1, "content": { - "json": "Deploy your WAF profiles for Front Door in 'Prevention' mode. Check [this link](https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings) for further information." + "json": "Ensure you are using the Standard SKU for your Azure Load Balancers. Check [this link](https://learn.microsoft.com/azure/load-balancer/load-balancer-overview) for further information." }, - "name": "querytext5" + "name": "querytext1" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard') | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -724,20 +724,20 @@ ] } }, - "name": "query5" + "name": "query1" }, { "type": 1, "content": { - "json": "Disable health probes when there is only one origin in an Azure Front Door origin group. Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group) for further information." + "json": "Use Azure NAT Gateway instead of Load Balancer outbound rules for better SNAT scalability. Check [this link](https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity) for further information." }, - "name": "querytext6" + "name": "querytext8" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -786,20 +786,42 @@ ] } }, - "name": "query6" + "name": "query8" + } + ] + }, + "conditionalVisibility": { + "parameterName": "VisibleTab", + "comparison": "isEqualTo", + "value": "tab0" + }, + "name": "tab0" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## App Gateway" + }, + "name": "tab1title" }, { "type": 1, "content": { - "json": "Use HEAD health probes with Azure Front Door, to reduce the traffic that Front Door sends to your application. Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes) for further information." + "json": "Ensure you are using Application Gateway v2 SKU. Check [this link](https://learn.microsoft.com/azure/application-gateway/overview-v2) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this." }, - "name": "querytext7" + "name": "querytext0" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -848,20 +870,20 @@ ] } }, - "name": "query7" + "name": "query0" }, { "type": 1, "content": { - "json": "Use managed TLS certificates with Azure Front Door. Reduce operational cost and risk of outages due to certificate renewals. Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates) for further information." + "json": "Your Application Gateways v2 should be deployed in subnets with IP prefixes equal or larger than /24. Check [this link](https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this." }, - "name": "querytext9" + "name": "querytext2" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = 
(subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
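Review bot: The subnet-size check in the `query2` string compares `subnetPrefixLength` with 24 without converting it, while `split(prefix, '/')[1]` yields a dynamic string value, so the numeric comparison may not evaluate as intended (how Resource Graph coerces it is not visible here). An explicit conversion removes the doubt: `extend subnetPrefixLength = toint(split(tostring(prefix), '/')[1])`. The `== 64` branch presumably covers IPv6 prefixes, and the description text should say so, since it only mentions /24. The commit only moves this query, and the workbook item around it continues outside the hunk.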
@@ -910,42 +932,20 @@ ] } }, - "name": "query9" - } - ] - }, - "conditionalVisibility": { - "parameterName": "VisibleTab", - "comparison": "isEqualTo", - "value": "tab0" - }, - "name": "tab0" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 1, - "content": { - "json": "## Load Balancer" - }, - "name": "tab1title" + "name": "query2" }, { "type": 1, "content": { - "json": "Ensure you are using the Standard SKU for your Azure Load Balancers. Check [this link](https://learn.microsoft.com/azure/load-balancer/load-balancer-overview) for further information." + "json": "Configure autoscaling with a minimum amount of instances of two. Check [this link](https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this." }, - "name": "querytext1" + "name": "querytext3" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard') | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -994,20 +994,20 @@ ] } }, - "name": "query1" + "name": "query3" }, { "type": 1, "content": { - "json": "Use Azure NAT Gateway instead of Load Balancer outbound rules for better SNAT scalability. Check [this link](https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity) for further information." + "json": "Deploy Application Gateway across Availability Zones. Check [this link](https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this." }, - "name": "querytext8" + "name": "querytext4" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", @@ -1056,7 +1056,7 @@ ] } }, - "name": "query8" + "name": "query4" } ] }, 
@@ -1076,22 +1076,22 @@ { "type": 1, "content": { - "json": "## App Gateway" + "json": "## Front Door" }, "name": "tab2title" }, { "type": 1, "content": { - "json": "Ensure you are using Application Gateway v2 SKU. Check [this link](https://learn.microsoft.com/azure/application-gateway/overview-v2) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this." + "json": "Deploy your WAF profiles for Front Door in 'Prevention' mode. Check [this link](https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings) for further information." }, - "name": "querytext0" + "name": "querytext5" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
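Review bot: The Front Door WAF check in `query5` starts from `frontdoorwebapplicationfirewallpolicies` and expands `properties.securityPolicyLinks`, so a Front Door profile with no WAF policy attached never appears in the result and is neither reported as failed nor counted in the tab total. Policies attached to classic Front Door through `properties.frontendEndpointLinks` appear to be skipped the same way, though that is inferred from the query text alone. A reader can therefore take a full success count as full WAF coverage when it is not. Either add a sentence to the `querytext5` description, such as `Profiles without any linked WAF policy are not listed here; review them separately.`, or start the query from the profiles and left-join the policies. The workbook item continues outside the hunk.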
@@ -1140,20 +1140,20 @@ ] } }, - "name": "query0" + "name": "query5" }, { "type": 1, "content": { - "json": "Your Application Gateways v2 should be deployed in subnets with IP prefixes equal or larger than /24. Check [this link](https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this." + "json": "Disable health probes when there is only one origin in an Azure Front Door origin group. Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group) for further information." }, - "name": "querytext2" + "name": "querytext6" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 
'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -1202,20 +1202,20 @@ ] } }, - "name": "query2" + "name": "query6" }, { "type": 1, "content": { - "json": "Configure autoscaling with a minimum amount of instances of two. Check [this link](https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this." + "json": "Use HEAD health probes with Azure Front Door, to reduce the traffic that Front Door sends to your application. Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes) for further information." }, - "name": "querytext3" + "name": "querytext7" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -1264,20 +1264,20 @@ ] } }, - "name": "query3" + "name": "query7" }, { "type": 1, "content": { - "json": "Deploy Application Gateway across Availability Zones. Check [this link](https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this." + "json": "Use managed TLS certificates with Azure Front Door. Reduce operational cost and risk of outages due to certificate renewals. Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates) for further information." }, - "name": "querytext4" + "name": "querytext9" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", @@ -1326,7 +1326,7 @@ ] } }, - "name": "query4" + "name": "query9" } ] }, diff --git a/workbooks/appdelivery_checklist.en_network_counters_workbook_template_template.json b/workbooks/appdelivery_checklist.en_network_counters_workbook_template_template.json index be61bdea7..a3db7610e 100644 --- a/workbooks/appdelivery_checklist.en_network_counters_workbook_template_template.json 
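Review bot: The `query9` predicate marks a custom domain compliant when `certificateType` is null or `customercertificate`, which is the opposite of the description above it ("Use managed TLS certificates"). As written, domains with customer-supplied certificates pass and managed ones are reported as failed. If the description is the intent, the predicate would be `extend compliant = (tostring(properties['tlsSettings']['certificateType']) in~ ('ManagedCertificate', 'AzureFirstPartyManagedCertificate'))`; whether a missing value should pass needs a decision. The `tolower(...) =~` combination is also redundant because `=~` is already case-insensitive. The commit only moves this query, and the rest of the item lies outside the hunk.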
+++ b/workbooks/appdelivery_checklist.en_network_counters_workbook_template_template.json 
@@ -41,7 +41,7 @@ "dependsOn": [], "properties": { "displayName": "[parameters('workbookDisplayName')]", - "serializedData": "{\n \"version\": \"Notebook/1.0\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"parameters\": [\n {\n \"id\": \"497a107e-dde8-433e-b263-35ac8e8f7834\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Subscription\",\n \"type\": 6,\n \"multiSelect\": true,\n \"quote\": \"'\",\n \"delimiter\": \",\",\n \"typeSettings\": {\n \"additionalResourceOptions\": [\n \"value::all\"\n ],\n \"includeAll\": true,\n \"showDefault\": false\n },\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"value\": [\n \"value::all\"\n ]\n },\n {\n \"id\": \"844e4f4e-df51-4e3c-8eaf-0dc78b92c721\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"OnlyFailed\",\n \"label\": \"Only show failed\",\n \"type\": 2,\n \"typeSettings\": {\n \"additionalResourceOptions\": [],\n \"showDefault\": false\n },\n \"jsonData\": \"[\\r\\n { \\\"value\\\":true, \\\"label\\\":\\\"True\\\" },\\r\\n { \\\"value\\\":false, \\\"label\\\":\\\"False\\\", \\\"selected\\\":true }\\r\\n]\"\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 0,\n \"resourceType\": \"microsoft.operationalinsights/workspaces\"\n },\n \"name\": \"WorkbookSelectors\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you set \\\"Only show failed\\\" to \\\"Yes\\\", the different queries will only show items that have failed their compliance checks.\",\n \"style\": \"info\"\n },\n \"name\": \"InfoBox\"\n },\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"value::all\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query0Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 
'WAF_v2') | project id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query0FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query0Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query1Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard')| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query1FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": 
\\\\\\\"{Query1Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query2Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query2FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query2Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n 
\"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query3Stats\",\n \"type\": 1,\n \"query\": \"resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query3FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query3Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query4Stats\",\n \"type\": 1,\n \"query\": \"resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n 
\"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query4FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query4Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query5Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query5FullyCompliant\",\n \"type\": 1,\n \"query\": 
\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query5Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query6Stats\",\n \"type\": 1,\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query6FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query6Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n 
\"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query7Stats\",\n \"type\": 1,\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query7FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query7Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query8Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = 
iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query8FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query8Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query9Stats\",\n \"type\": 1,\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query9FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": 
\\\\\\\"{Query9Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query5Stats:$.Success}+{Query6Stats:$.Success}+{Query7Stats:$.Success}+{Query9Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query5Stats:$.Total}+{Query6Stats:$.Total}+{Query7Stats:$.Total}+{Query9Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab0Success}/{Tab0Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query1Stats:$.Success}+{Query8Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": 
\"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query1Stats:$.Total}+{Query8Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab1Success}/{Tab1Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab2Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query0Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}+{Query4Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab2Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query0Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}+{Query4Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab2Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n 
\"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab2Success}/{Tab2Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"WorkbookTotal\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query5Stats:$.Total}+{Query6Stats:$.Total}+{Query7Stats:$.Total}+{Query9Stats:$.Total}+{Query1Stats:$.Total}+{Query8Stats:$.Total}+{Query0Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}+{Query4Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"WorkbookSuccess\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query5Stats:$.Success}+{Query6Stats:$.Success}+{Query7Stats:$.Success}+{Query9Stats:$.Success}+{Query1Stats:$.Success}+{Query8Stats:$.Success}+{Query0Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}+{Query4Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"WorkbookPercent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{WorkbookSuccess}/{WorkbookTotal})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"InvisibleParameters\"\n 
},\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Azure Application Delivery Networking - Network\\n\\n---\\n\\nThis workbook has been automatically generated out of the checklists in the [Azure Review Checklists repo](https://github.com/Azure/review-checklists). This repo contains best practices and recommendations around generic Landing Zones as well as specific services such as Azure Virtual Desktop, Azure Kubernetes Service or Azure VMware Solution, to name a few. This repository of best practices is curated by Azure engineers, but open to anybody to contribute.\\n\\nIf you see a problem in the queries that are part of this workbook, please open a Github issue [here](https://github.com/Azure/review-checklists/issues/new).\"\n },\n \"customWidth\": \"50\",\n \"name\": \"MarkdownHeader\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"WorkbookPercent\\\\\\\": \\\\\\\"{WorkbookPercent}\\\\\\\", \\\\\\\"SubTitle\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 4,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"WorkbookPercent\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"SubTitle\",\n \"formatter\": 1\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"ProgressTile\"\n },\n {\n \"type\": 11,\n \"content\": {\n \"version\": \"LinkItem/1.0\",\n \"style\": \"tabs\",\n \"links\": [\n {\n \"id\": \"5f628b8a-893d-4df9-bdc9-d141576347f1\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Front Door ({Tab0Success:value}/{Tab0Total:value})\",\n \"subTarget\": \"tab0\",\n \"preText\": \"Front Door\",\n \"style\": \"primary\"\n },\n {\n \"id\": 
\"15539446-d759-42b0-8a9e-161bdb3129d8\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Load Balancer ({Tab1Success:value}/{Tab1Total:value})\",\n \"subTarget\": \"tab1\",\n \"preText\": \"Load Balancer\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"476014fd-446e-439b-8b70-0eb6d1f54411\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"App Gateway ({Tab2Success:value}/{Tab2Total:value})\",\n \"subTarget\": \"tab2\",\n \"preText\": \"App Gateway\",\n \"style\": \"primary\"\n }\n ]\n },\n \"name\": \"Tabs\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Front Door\"\n },\n \"name\": \"tab0title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy your WAF profiles for Front Door in 'Prevention' mode. Check [this link](https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings) for further information.\"\n },\n \"name\": \"querytext5\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n 
\"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query5\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Disable health probes when there is only one origin in an Azure Front Door origin group. Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group) for further information.\"\n },\n \"name\": \"querytext6\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n 
\"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query6\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use HEAD health probes with Azure Front Door, to reduce the traffic that Front Door sends to your application. 
Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes) for further information.\"\n },\n \"name\": \"querytext7\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query7\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use managed TLS certificates with Azure Front Door. Reduce operational cost and risk of outages due to certificate renewals. 
Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates) for further information.\"\n },\n \"name\": \"querytext9\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query9\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab0\"\n },\n \"name\": \"tab0\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Load Balancer\"\n },\n \"name\": \"tab1title\"\n },\n {\n 
\"type\": 1,\n \"content\": {\n \"json\": \"Ensure you are using the Standard SKU for your Azure Load Balancers. Check [this link](https://learn.microsoft.com/azure/load-balancer/load-balancer-overview) for further information.\"\n },\n \"name\": \"querytext1\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard') | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query1\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure NAT Gateway instead of Load Balancer outbound rules for better SNAT scalability. 
Check [this link](https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity) for further information.\"\n },\n \"name\": \"querytext8\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query8\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab1\"\n },\n \"name\": \"tab1\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## App Gateway\"\n },\n \"name\": \"tab2title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure you are using Application Gateway v2 SKU. 
Check [this link](https://learn.microsoft.com/azure/application-gateway/overview-v2) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext0\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query0\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Your Application Gateways v2 should be deployed in subnets with IP prefixes equal or larger than /24. Check [this link](https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet) for further information.. 
[This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext2\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query2\"\n },\n {\n 
\"type\": 1,\n \"content\": {\n \"json\": \"Configure autoscaling with a minimum amount of instances of two. Check [this link](https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext3\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query3\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy Application Gateway across Availability Zones. Check [this link](https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2) for further information.. 
[This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext4\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query4\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab2\"\n },\n \"name\": \"tab2\"\n }\n ],\n \"$schema\": \"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"\n}", + "serializedData": "{\n \"version\": \"Notebook/1.0\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"parameters\": [\n {\n \"id\": \"497a107e-dde8-433e-b263-35ac8e8f7834\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Subscription\",\n 
\"type\": 6,\n \"multiSelect\": true,\n \"quote\": \"'\",\n \"delimiter\": \",\",\n \"typeSettings\": {\n \"additionalResourceOptions\": [\n \"value::all\"\n ],\n \"includeAll\": true,\n \"showDefault\": false\n },\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"value\": [\n \"value::all\"\n ]\n },\n {\n \"id\": \"844e4f4e-df51-4e3c-8eaf-0dc78b92c721\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"OnlyFailed\",\n \"label\": \"Only show failed\",\n \"type\": 2,\n \"typeSettings\": {\n \"additionalResourceOptions\": [],\n \"showDefault\": false\n },\n \"jsonData\": \"[\\r\\n { \\\"value\\\":true, \\\"label\\\":\\\"True\\\" },\\r\\n { \\\"value\\\":false, \\\"label\\\":\\\"False\\\", \\\"selected\\\":true }\\r\\n]\"\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 0,\n \"resourceType\": \"microsoft.operationalinsights/workspaces\"\n },\n \"name\": \"WorkbookSelectors\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you set \\\"Only show failed\\\" to \\\"Yes\\\", the different queries will only show items that have failed their compliance checks.\",\n \"style\": \"info\"\n },\n \"name\": \"InfoBox\"\n },\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"crossComponentResources\": [\n \"value::all\"\n ],\n \"parameters\": [\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query0Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n 
\"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query0FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query0Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query1Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard')| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query1FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query1Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query2Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/applicationgateways' 
| extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query2FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query2Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query3Stats\",\n \"type\": 1,\n \"query\": \"resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant| summarize Total = 
count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query3FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query3Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query4Stats\",\n \"type\": 1,\n \"query\": \"resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query4FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": 
\\\\\\\"{Query4Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query5Stats\",\n \"type\": 1,\n \"query\": \"resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query5FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query5Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query6Stats\",\n \"type\": 1,\n 
\"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query6FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query6Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query7Stats\",\n \"type\": 1,\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or 
toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query7FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query7Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query8Stats\",\n \"type\": 1,\n \"query\": \"resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n 
\"name\": \"Query8FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query8Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query9Stats\",\n \"type\": 1,\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId| summarize Total = count(), Success = countif(compliant==1), Failed = countif(compliant==0) | extend SuccessPercent = iff(Total==0, 100, 100*toint(Success)/toint(Total)) | extend FullyCompliant = iff(SuccessPercent == 100, 'Yes', 'No') | project Query1Stats=tostring(pack_all())\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Query9FullyCompliant\",\n \"type\": 1,\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"value\\\\\\\": \\\\\\\"{Query9Stats:$.FullyCompliant}\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"queryType\": 8\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n 
\"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query1Stats:$.Success}+{Query8Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query1Stats:$.Total}+{Query8Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab0Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab0Success}/{Tab0Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query0Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}+{Query4Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query0Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}+{Query4Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": 
\"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab1Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab1Success}/{Tab1Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab2Success\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query5Stats:$.Success}+{Query6Stats:$.Success}+{Query7Stats:$.Success}+{Query9Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab2Total\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query5Stats:$.Total}+{Query6Stats:$.Total}+{Query7Stats:$.Total}+{Query9Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Tab2Percent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{Tab2Success}/{Tab2Total})\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"WorkbookTotal\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n 
\"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query1Stats:$.Total}+{Query8Stats:$.Total}+{Query0Stats:$.Total}+{Query2Stats:$.Total}+{Query3Stats:$.Total}+{Query4Stats:$.Total}+{Query5Stats:$.Total}+{Query6Stats:$.Total}+{Query7Stats:$.Total}+{Query9Stats:$.Total}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"WorkbookSuccess\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"{Query1Stats:$.Success}+{Query8Stats:$.Success}+{Query0Stats:$.Success}+{Query2Stats:$.Success}+{Query3Stats:$.Success}+{Query4Stats:$.Success}+{Query5Stats:$.Success}+{Query6Stats:$.Success}+{Query7Stats:$.Success}+{Query9Stats:$.Success}\"\n }\n }\n ]\n },\n {\n \"id\": \"daf05c62-1d5b-4325-b241-d7ee468f23eb\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"WorkbookPercent\",\n \"type\": 1,\n \"isHiddenWhenLocked\": true,\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"criteriaData\": [\n {\n \"criteriaContext\": {\n \"operator\": \"Default\",\n \"resultValType\": \"expression\",\n \"resultVal\": \"round(100*{WorkbookSuccess}/{WorkbookTotal})\"\n }\n }\n ]\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\"\n },\n \"name\": \"InvisibleParameters\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Azure Application Delivery Networking - Network\\n\\n---\\n\\nThis workbook has been automatically generated out of the checklists in the [Azure Review Checklists repo](https://github.com/Azure/review-checklists). 
This repo contains best practices and recommendations around generic Landing Zones as well as specific services such as Azure Virtual Desktop, Azure Kubernetes Service or Azure VMware Solution, to name a few. This repository of best practices is curated by Azure engineers, but open to anybody to contribute.\\n\\nIf you see a problem in the queries that are part of this workbook, please open a Github issue [here](https://github.com/Azure/review-checklists/issues/new).\"\n },\n \"customWidth\": \"50\",\n \"name\": \"MarkdownHeader\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"{\\\\\\\"WorkbookPercent\\\\\\\": \\\\\\\"{WorkbookPercent}\\\\\\\", \\\\\\\"SubTitle\\\\\\\": \\\\\\\"Percent of successful checks\\\\\\\"}\\\",\\\"transformers\\\":null}\",\n \"size\": 4,\n \"queryType\": 8,\n \"visualization\": \"tiles\",\n \"tileSettings\": {\n \"titleContent\": {\n \"columnMatch\": \"WorkbookPercent\",\n \"formatter\": 4,\n \"formatOptions\": {\n \"min\": 0,\n \"max\": 100,\n \"palette\": \"redGreen\"\n }\n },\n \"subtitleContent\": {\n \"columnMatch\": \"SubTitle\",\n \"formatter\": 1\n },\n \"showBorder\": true\n }\n },\n \"customWidth\": \"50\",\n \"name\": \"ProgressTile\"\n },\n {\n \"type\": 11,\n \"content\": {\n \"version\": \"LinkItem/1.0\",\n \"style\": \"tabs\",\n \"links\": [\n {\n \"id\": \"cf0b3103-4467-409c-a9d1-02072d5af267\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Load Balancer ({Tab0Success:value}/{Tab0Total:value})\",\n \"subTarget\": \"tab0\",\n \"preText\": \"Load Balancer\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"d4cf26ae-3ea8-4eac-a410-aecf04df6466\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"App Gateway ({Tab1Success:value}/{Tab1Total:value})\",\n \"subTarget\": \"tab1\",\n \"preText\": \"App Gateway\",\n \"style\": \"primary\"\n },\n {\n \"id\": 
\"6886f8f6-7dfc-4cdd-bf92-1451454b3cec\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Front Door ({Tab2Success:value}/{Tab2Total:value})\",\n \"subTarget\": \"tab2\",\n \"preText\": \"Front Door\",\n \"style\": \"primary\"\n }\n ]\n },\n \"name\": \"Tabs\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Load Balancer\"\n },\n \"name\": \"tab0title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure you are using the Standard SKU for your Azure Load Balancers. Check [this link](https://learn.microsoft.com/azure/load-balancer/load-balancer-overview) for further information.\"\n },\n \"name\": \"querytext1\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard') | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n 
\"name\": \"query1\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure NAT Gateway instead of Load Balancer outbound rules for better SNAT scalability. Check [this link](https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity) for further information.\"\n },\n \"name\": \"querytext8\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query8\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab0\"\n },\n \"name\": \"tab0\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## App Gateway\"\n },\n \"name\": \"tab1title\"\n 
},\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure you are using Application Gateway v2 SKU. Check [this link](https://learn.microsoft.com/azure/application-gateway/overview-v2) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext0\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query0\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Your Application Gateways v2 should be deployed in subnets with IP prefixes equal or larger than /24. Check [this link](https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet) for further information.. 
[This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext2\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query2\"\n },\n {\n 
\"type\": 1,\n \"content\": {\n \"json\": \"Configure autoscaling with a minimum amount of instances of two. Check [this link](https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext3\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query3\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy Application Gateway across Availability Zones. Check [this link](https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2) for further information.. 
[This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext4\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query4\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab1\"\n },\n \"name\": \"tab1\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Front Door\"\n },\n \"name\": \"tab2title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy your WAF profiles for Front Door in 'Prevention' mode. 
Check [this link](https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings) for further information.\"\n },\n \"name\": \"querytext5\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query5\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Disable health probes when there is only one origin in an Azure Front Door origin group. 
Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group) for further information.\"\n },\n \"name\": \"querytext6\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query6\"\n },\n {\n \"type\": 1,\n \"content\": {\n 
\"json\": \"Use HEAD health probes with Azure Front Door, to reduce the traffic that Front Door sends to your application. Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes) for further information.\"\n },\n \"name\": \"querytext7\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query7\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use managed TLS certificates with Azure Front Door. Reduce operational cost and risk of outages due to certificate renewals. 
Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates) for further information.\"\n },\n \"name\": \"querytext9\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query9\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab2\"\n },\n \"name\": \"tab2\"\n }\n ],\n \"$schema\": \"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"\n}", "version": "1.0", "sourceId": "[parameters('workbookSourceId')]", "category": "[parameters('workbookType')]" 
diff --git a/workbooks/appdelivery_checklist.en_network_workbook_template.json b/workbooks/appdelivery_checklist.en_network_workbook_template.json index 89f1c971e..209ef28d7 100644 --- a/workbooks/appdelivery_checklist.en_network_workbook_template.json +++ b/workbooks/appdelivery_checklist.en_network_workbook_template.json @@ -70,30 +70,30 @@ "style": "tabs", "links": [ { - "id": "859ab144-3622-4d05-b136-7645bc35e634", + "id": "0bc350c3-4440-4a1e-8fd6-93908d0310a4", "cellValue": "VisibleTab", "linkTarget": "parameter", - "linkLabel": "App Gateway", + "linkLabel": "Load Balancer", "subTarget": "tab0", - "preText": "App Gateway", + "preText": "Load Balancer", "style": "primary" }, { - "id": "0cb15dec-00a2-4875-b24f-76ded7c35981", + "id": "8f11ce82-4b27-4aac-ba3e-259508a3bf95", "cellValue": "VisibleTab", "linkTarget": "parameter", - "linkLabel": "Load Balancer", + "linkLabel": "Front Door", "subTarget": "tab1", - "preText": "Load Balancer", + "preText": "Front Door", "style": "primary" }, { - "id": "d2f756b1-ce30-4266-bedb-4997d700121b", + "id": "1dc46cf5-faee-4946-9409-04d5347a4717", "cellValue": "VisibleTab", "linkTarget": "parameter", - "linkLabel": "Front Door", + "linkLabel": "App Gateway", "subTarget": "tab2", - "preText": "Front Door", + "preText": "App Gateway", "style": "primary" } ] 
@@ -109,22 +109,22 @@ { "type": 1, "content": { - "json": "## App Gateway" + "json": "## Load Balancer" }, "name": "tab0title" }, { "type": 1, "content": { - "json": "Ensure you are using Application Gateway v2 SKU. Check [this link](https://learn.microsoft.com/azure/application-gateway/overview-v2) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this." + "json": "Ensure you are using the Standard SKU for your Azure Load Balancers. Check [this link](https://learn.microsoft.com/azure/load-balancer/load-balancer-overview) for further information." }, - "name": "querytext0" + "name": "querytext1" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard') | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -173,20 +173,20 @@ ] } }, - "name": "query0" + "name": "query1" }, { "type": 1, "content": { - "json": "Your Application Gateways v2 should be deployed in subnets with IP prefixes equal or larger than /24. Check [this link](https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this." + "json": "Use Azure NAT Gateway instead of Load Balancer outbound rules for better SNAT scalability. Check [this link](https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity) for further information." }, - "name": "querytext2" + "name": "querytext8" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, 
"queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -235,20 +235,42 @@ ] } }, - "name": "query2" + "name": "query8" + } + ] + }, + "conditionalVisibility": { + "parameterName": "VisibleTab", + "comparison": "isEqualTo", + "value": "tab0" + }, + "name": "tab0" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Front Door" + }, + "name": "tab1title" }, { "type": 1, "content": { - "json": "Configure autoscaling with a minimum amount of instances of two. Check [this link](https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this." + "json": "Deploy your WAF profiles for Front Door in 'Prevention' mode. Check [this link](https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings) for further information." }, - "name": "querytext3" + "name": "querytext5" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), 
enabledState, mode | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
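Review bot: The Front Door WAF check added here (`query5`) starts from `microsoft.network/frontdoorwebapplicationfirewallpolicies` and derives the profile id from `properties.securityPolicyLinks`, so a Front Door profile with no WAF policy attached never produces a row and cannot show up as Failed. An empty result with the OnlyFailed filter on therefore does not show that every profile is protected. I would say so in the `querytext5` item, for example by appending `Profiles with no WAF policy attached are not listed by this check.` to its text. Since this file appears to be generated (the commit is an automated change), the wording probably belongs in the checklist entry it is built from.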
@@ -297,20 +319,20 @@ ] } }, - "name": "query3" + "name": "query5" }, { "type": 1, "content": { - "json": "Deploy Application Gateway across Availability Zones. Check [this link](https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this." + "json": "Disable health probes when there is only one origin in an Azure Front Door origin group. Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group) for further information." }, - "name": "querytext4" + "name": "querytext6" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -359,42 +381,20 @@ ] } }, - "name": "query4" - } - ] - }, - "conditionalVisibility": { - "parameterName": "VisibleTab", - "comparison": "isEqualTo", - "value": "tab0" - }, - "name": "tab0" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 1, - "content": { - "json": "## Load Balancer" - }, - "name": "tab1title" + "name": "query6" }, { "type": 1, "content": { - "json": "Ensure you are using the Standard SKU for your Azure Load Balancers. Check [this link](https://learn.microsoft.com/azure/load-balancer/load-balancer-overview) for further information." + "json": "Use HEAD health probes with Azure Front Door, to reduce the traffic that Front Door sends to your application. Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes) for further information." }, - "name": "querytext1" + "name": "querytext7" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard') | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -443,20 +443,20 @@ ] } }, - "name": "query1" + "name": "query7" }, { "type": 1, "content": { - "json": "Use Azure NAT Gateway instead of Load Balancer outbound rules for better SNAT scalability. Check [this link](https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity) for further information." + "json": "Use managed TLS certificates with Azure Front Door. Reduce operational cost and risk of outages due to certificate renewals. Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates) for further information." }, - "name": "querytext8" + "name": "querytext9" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", @@ -505,7 +505,7 @@ ] } }, - "name": "query8" + "name": "query9" } ] }, 
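Review bot: The managed-certificate check in the `query9` item added by this hunk appears inverted: `compliant` is true when `certificateType` is null or equals `customercertificate`, while the accompanying `querytext9` text recommends managed TLS certificates. As written, custom domains using customer-supplied certificates are reported as Success and managed ones as Failed. The comparison should probably be negated, e.g. `tolower(properties['tlsSettings']['certificateType']) !~ 'customercertificate'`; the `tolower()` is also redundant next to a case-insensitive operator. The same query string sits in the serialized workbook content of the preceding file on this page, and since both files look generated the fix likely belongs in the source checklist query.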
@@ -525,22 +525,22 @@ { "type": 1, "content": { - "json": "## Front Door" + "json": "## App Gateway" }, "name": "tab2title" }, { "type": 1, "content": { - "json": "Deploy your WAF profiles for Front Door in 'Prevention' mode. Check [this link](https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings) for further information." + "json": "Ensure you are using Application Gateway v2 SKU. Check [this link](https://learn.microsoft.com/azure/application-gateway/overview-v2) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this." }, - "name": "querytext5" + "name": "querytext0" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -589,20 +589,20 @@ ] } }, - "name": "query5" + "name": "query0" }, { "type": 1, "content": { - "json": "Disable health probes when there is only one origin in an Azure Front Door origin group. Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group) for further information." + "json": "Your Application Gateways v2 should be deployed in subnets with IP prefixes equal or larger than /24. Check [this link](https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this." }, - "name": "querytext6" + "name": "querytext2" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand 
subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -651,20 +651,20 @@ ] } }, - "name": "query6" + "name": "query2" }, { "type": 1, "content": { - "json": "Use HEAD health probes with Azure Front Door, to reduce the traffic that Front Door sends to your application. Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes) for further information." + "json": "Configure autoscaling with a minimum amount of instances of two. Check [this link](https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this." }, - "name": "querytext7" + "name": "querytext3" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", 
@@ -713,20 +713,20 @@ ] } }, - "name": "query7" + "name": "query3" }, { "type": 1, "content": { - "json": "Use managed TLS certificates with Azure Front Door. Reduce operational cost and risk of outages due to certificate renewals. Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates) for further information." + "json": "Deploy Application Gateway across Availability Zones. Check [this link](https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this." }, - "name": "querytext9" + "name": "querytext4" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", + "query": "resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed", "size": 4, "queryType": 1, "resourceType": "microsoft.resourcegraph/resources", @@ -775,7 +775,7 @@ ] } }, - "name": "query9" + "name": "query4" } ] }, diff --git a/workbooks/appdelivery_checklist.en_network_workbook_template_template.json b/workbooks/appdelivery_checklist.en_network_workbook_template_template.json index a7ec43477..31ce02bba 100644 --- a/workbooks/appdelivery_checklist.en_network_workbook_template_template.json 
+++ b/workbooks/appdelivery_checklist.en_network_workbook_template_template.json 
@@ -41,7 +41,7 @@ "dependsOn": [], "properties": { "displayName": "[parameters('workbookDisplayName')]", - "serializedData": "{\n \"version\": \"Notebook/1.0\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n \"version\": \"KqlParameterItem/1.0\",\n \"parameters\": [\n {\n \"id\": \"497a107e-dde8-433e-b263-35ac8e8f7834\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Subscription\",\n \"type\": 6,\n \"multiSelect\": true,\n \"quote\": \"'\",\n \"delimiter\": \",\",\n \"typeSettings\": {\n \"additionalResourceOptions\": [\n \"value::all\"\n ],\n \"includeAll\": true,\n \"showDefault\": false\n },\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"value\": [\n \"value::all\"\n ]\n },\n {\n \"id\": \"844e4f4e-df51-4e3c-8eaf-0dc78b92c721\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"OnlyFailed\",\n \"label\": \"Only show failed\",\n \"type\": 2,\n \"typeSettings\": {\n \"additionalResourceOptions\": [],\n \"showDefault\": false\n },\n \"jsonData\": \"[\\r\\n { \\\"value\\\":true, \\\"label\\\":\\\"True\\\" },\\r\\n { \\\"value\\\":false, \\\"label\\\":\\\"False\\\", \\\"selected\\\":true }\\r\\n]\"\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 0,\n \"resourceType\": \"microsoft.operationalinsights/workspaces\"\n },\n \"name\": \"WorkbookSelectors\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you set \\\"Only show failed\\\" to \\\"Yes\\\", the different queries will only show items that have failed their compliance checks.\",\n \"style\": \"info\"\n },\n \"name\": \"InfoBox\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Azure Application Delivery Networking - Network\\n\\n---\\n\\nThis workbook has been automatically generated out of the checklists in the [Azure Review Checklists repo](https://github.com/Azure/review-checklists). 
This repo contains best practices and recommendations around generic Landing Zones as well as specific services such as Azure Virtual Desktop, Azure Kubernetes Service or Azure VMware Solution, to name a few. This repository of best practices is curated by Azure engineers, but open to anybody to contribute.\\n\\nIf you see a problem in the queries that are part of this workbook, please open a Github issue [here](https://github.com/Azure/review-checklists/issues/new).\"\n },\n \"customWidth\": \"100\",\n \"name\": \"MarkdownHeader\"\n },\n {\n \"type\": 11,\n \"content\": {\n \"version\": \"LinkItem/1.0\",\n \"style\": \"tabs\",\n \"links\": [\n {\n \"id\": \"859ab144-3622-4d05-b136-7645bc35e634\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"App Gateway\",\n \"subTarget\": \"tab0\",\n \"preText\": \"App Gateway\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"0cb15dec-00a2-4875-b24f-76ded7c35981\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Load Balancer\",\n \"subTarget\": \"tab1\",\n \"preText\": \"Load Balancer\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"d2f756b1-ce30-4266-bedb-4997d700121b\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Front Door\",\n \"subTarget\": \"tab2\",\n \"preText\": \"Front Door\",\n \"style\": \"primary\"\n }\n ]\n },\n \"name\": \"Tabs\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## App Gateway\"\n },\n \"name\": \"tab0title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure you are using Application Gateway v2 SKU. Check [this link](https://learn.microsoft.com/azure/application-gateway/overview-v2) for further information.. 
[This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext0\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query0\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Your Application Gateways v2 should be deployed in subnets with IP prefixes equal or larger than /24. Check [this link](https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet) for further information.. 
[This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext2\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query2\"\n },\n {\n 
\"type\": 1,\n \"content\": {\n \"json\": \"Configure autoscaling with a minimum amount of instances of two. Check [this link](https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext3\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query3\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy Application Gateway across Availability Zones. Check [this link](https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2) for further information.. 
[This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext4\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query4\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab0\"\n },\n \"name\": \"tab0\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Load Balancer\"\n },\n \"name\": \"tab1title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure you are using the Standard SKU for your Azure Load Balancers. 
Check [this link](https://learn.microsoft.com/azure/load-balancer/load-balancer-overview) for further information.\"\n },\n \"name\": \"querytext1\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard') | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query1\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure NAT Gateway instead of Load Balancer outbound rules for better SNAT scalability. 
Check [this link](https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity) for further information.\"\n },\n \"name\": \"querytext8\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query8\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab1\"\n },\n \"name\": \"tab1\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Front Door\"\n },\n \"name\": \"tab2title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy your WAF profiles for Front Door in 'Prevention' mode. 
Check [this link](https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings) for further information.\"\n },\n \"name\": \"querytext5\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query5\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Disable health probes when there is only one origin in an Azure Front Door origin group. 
Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group) for further information.\"\n },\n \"name\": \"querytext6\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query6\"\n },\n {\n \"type\": 1,\n \"content\": {\n 
\"json\": \"Use HEAD health probes with Azure Front Door, to reduce the traffic that Front Door sends to your application. Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes) for further information.\"\n },\n \"name\": \"querytext7\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query7\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use managed TLS certificates with Azure Front Door. Reduce operational cost and risk of outages due to certificate renewals. 
Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates) for further information.\"\n },\n \"name\": \"querytext9\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query9\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab2\"\n },\n \"name\": \"tab2\"\n }\n ],\n \"$schema\": \"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"\n}", + "serializedData": "{\n \"version\": \"Notebook/1.0\",\n \"items\": [\n {\n \"type\": 9,\n \"content\": {\n 
\"version\": \"KqlParameterItem/1.0\",\n \"parameters\": [\n {\n \"id\": \"497a107e-dde8-433e-b263-35ac8e8f7834\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"Subscription\",\n \"type\": 6,\n \"multiSelect\": true,\n \"quote\": \"'\",\n \"delimiter\": \",\",\n \"typeSettings\": {\n \"additionalResourceOptions\": [\n \"value::all\"\n ],\n \"includeAll\": true,\n \"showDefault\": false\n },\n \"timeContext\": {\n \"durationMs\": 86400000\n },\n \"value\": [\n \"value::all\"\n ]\n },\n {\n \"id\": \"844e4f4e-df51-4e3c-8eaf-0dc78b92c721\",\n \"version\": \"KqlParameterItem/1.0\",\n \"name\": \"OnlyFailed\",\n \"label\": \"Only show failed\",\n \"type\": 2,\n \"typeSettings\": {\n \"additionalResourceOptions\": [],\n \"showDefault\": false\n },\n \"jsonData\": \"[\\r\\n { \\\"value\\\":true, \\\"label\\\":\\\"True\\\" },\\r\\n { \\\"value\\\":false, \\\"label\\\":\\\"False\\\", \\\"selected\\\":true }\\r\\n]\"\n }\n ],\n \"style\": \"pills\",\n \"queryType\": 0,\n \"resourceType\": \"microsoft.operationalinsights/workspaces\"\n },\n \"name\": \"WorkbookSelectors\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"If you set \\\"Only show failed\\\" to \\\"Yes\\\", the different queries will only show items that have failed their compliance checks.\",\n \"style\": \"info\"\n },\n \"name\": \"InfoBox\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Azure Application Delivery Networking - Network\\n\\n---\\n\\nThis workbook has been automatically generated out of the checklists in the [Azure Review Checklists repo](https://github.com/Azure/review-checklists). This repo contains best practices and recommendations around generic Landing Zones as well as specific services such as Azure Virtual Desktop, Azure Kubernetes Service or Azure VMware Solution, to name a few. 
This repository of best practices is curated by Azure engineers, but open to anybody to contribute.\\n\\nIf you see a problem in the queries that are part of this workbook, please open a Github issue [here](https://github.com/Azure/review-checklists/issues/new).\"\n },\n \"customWidth\": \"100\",\n \"name\": \"MarkdownHeader\"\n },\n {\n \"type\": 11,\n \"content\": {\n \"version\": \"LinkItem/1.0\",\n \"style\": \"tabs\",\n \"links\": [\n {\n \"id\": \"0bc350c3-4440-4a1e-8fd6-93908d0310a4\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Load Balancer\",\n \"subTarget\": \"tab0\",\n \"preText\": \"Load Balancer\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"8f11ce82-4b27-4aac-ba3e-259508a3bf95\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"Front Door\",\n \"subTarget\": \"tab1\",\n \"preText\": \"Front Door\",\n \"style\": \"primary\"\n },\n {\n \"id\": \"1dc46cf5-faee-4946-9409-04d5347a4717\",\n \"cellValue\": \"VisibleTab\",\n \"linkTarget\": \"parameter\",\n \"linkLabel\": \"App Gateway\",\n \"subTarget\": \"tab2\",\n \"preText\": \"App Gateway\",\n \"style\": \"primary\"\n }\n ]\n },\n \"name\": \"Tabs\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Load Balancer\"\n },\n \"name\": \"tab0title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Ensure you are using the Standard SKU for your Azure Load Balancers. 
Check [this link](https://learn.microsoft.com/azure/load-balancer/load-balancer-overview) for further information.\"\n },\n \"name\": \"querytext1\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/loadbalancers' | project id, compliant=(tolower(sku.name) == 'standard') | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query1\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use Azure NAT Gateway instead of Load Balancer outbound rules for better SNAT scalability. 
Check [this link](https://learn.microsoft.com/azure/nat-gateway/nat-overview#outbound-connectivity) for further information.\"\n },\n \"name\": \"querytext8\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/loadbalancers' | extend countOutRules=array_length(properties.outboundRules) | extend compliant = (countOutRules == 0) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query8\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab0\"\n },\n \"name\": \"tab0\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## Front Door\"\n },\n \"name\": \"tab1title\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy your WAF profiles for Front Door in 'Prevention' mode. 
Check [this link](https://learn.microsoft.com/azure/web-application-firewall/afds/waf-front-door-policy-settings) for further information.\"\n },\n \"name\": \"querytext5\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/frontdoorwebapplicationfirewallpolicies' | project policyName=name, policyId=id,policySku=sku.name, links=properties.securityPolicyLinks, enabledState=properties.policySettings.enabledState, mode=properties.policySettings.mode | mvexpand links | extend securityPolicy=links.id | extend securityPolicyParts=split(securityPolicy, '/') | extend profileId=strcat_array(array_slice(securityPolicyParts, 0, -3), '/') | project id=profileId, compliant=((enabledState=='Enabled') and (mode=='Prevention')), enabledState, mode | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query5\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Disable health probes when there is only one origin in an Azure Front Door origin group. 
Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#disable-health-probes-when-theres-only-one-origin-in-an-origin-group) for further information.\"\n },\n \"name\": \"querytext6\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups/origins' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups')) | extend originGroupId = substring(id, 0, indexof(id, '/origins')) | join kind=inner (cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend originGroupName = name | extend hasHealthProbe = isnotnull(properties.healthProbeSettings)) on $left.originGroupId == $right.id | summarize numberOrigins = count() by originGroupId, subscriptionId, frontDoorId, hasHealthProbe, originGroupName | extend compliant = not(numberOrigins == 1 and hasHealthProbe) | project id = frontDoorId, compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query6\"\n },\n {\n \"type\": 1,\n \"content\": {\n 
\"json\": \"Use HEAD health probes with Azure Front Door, to reduce the traffic that Front Door sends to your application. Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#use-head-health-probes) for further information.\"\n },\n \"name\": \"querytext7\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/origingroups' | extend frontDoorId = substring(id, 0, indexof(id, '/origingroups/')) | extend compliant = (isnull(properties['healthProbeSettings']['probeRequestType']) or toupper(properties['healthProbeSettings']['probeRequestType']) == 'HEAD') | project compliant, id=frontDoorId | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query7\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Use managed TLS certificates with Azure Front Door. Reduce operational cost and risk of outages due to certificate renewals. 
Check [this link](https://learn.microsoft.com/azure/frontdoor/best-practices#use-managed-tls-certificates) for further information.\"\n },\n \"name\": \"querytext9\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"cdnresources | where type =~ 'microsoft.cdn/profiles/customdomains' | extend frontDoorId = substring(id, 0, indexof(id, '/customdomains')) | extend compliant = (isnull(properties['tlsSettings']['certificateType']) or tolower(properties['tlsSettings']['certificateType']) =~ 'customercertificate') | project compliant, id = frontDoorId | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query9\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab1\"\n },\n \"name\": \"tab1\"\n },\n {\n \"type\": 12,\n \"content\": {\n \"version\": \"NotebookGroup/1.0\",\n \"groupType\": \"editable\",\n \"items\": [\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"## App Gateway\"\n },\n \"name\": \"tab2title\"\n },\n {\n 
\"type\": 1,\n \"content\": {\n \"json\": \"Ensure you are using Application Gateway v2 SKU. Check [this link](https://learn.microsoft.com/azure/application-gateway/overview-v2) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext0\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type == 'microsoft.network/applicationgateways' | project id, compliant = properties.sku.name in ('Standard_v2', 'WAF_v2') | project id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query0\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Your Application Gateways v2 should be deployed in subnets with IP prefixes equal or larger than /24. Check [this link](https://learn.microsoft.com/azure/application-gateway/configuration-infrastructure#size-of-the-subnet) for further information.. 
[This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext2\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type=='microsoft.network/applicationgateways' | extend subnetId = tostring(properties.gatewayIPConfigurations[0].properties.subnet.id) | project id, subnetId | join (resources | where type=='microsoft.network/virtualnetworks' | project id,subnets=properties.subnets | mv-expand subnets | mv-expand subnets.properties.addressPrefixes | project id, subnetId = tostring(subnets.id), prefix1 = subnets.properties.addressPrefix, prefix2 = subnets.properties.addressPrefixes | mv-expand prefix2 | extend prefix = iff(isnotnull(prefix1), prefix1, prefix2) | extend subnetPrefixLength = split(prefix, '/')[1])on subnetId | extend compliant = (subnetPrefixLength <= 24 or subnetPrefixLength == 64) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query2\"\n },\n {\n 
\"type\": 1,\n \"content\": {\n \"json\": \"Configure autoscaling with a minimum amount of instances of two. Check [this link](https://learn.microsoft.com/azure/application-gateway/application-gateway-autoscaling-zone-redundant) for further information.. [This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext3\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(properties.autoscaleConfiguration) and properties.autoscaleConfiguration.minCapacity >= 2) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query3\"\n },\n {\n \"type\": 1,\n \"content\": {\n \"json\": \"Deploy Application Gateway across Availability Zones. Check [this link](https://learn.microsoft.com/azure/reliability/migrate-app-gateway-v2) for further information.. 
[This training](https://learn.microsoft.com/learn/paths/secure-application-delivery/) can help to educate yourself on this.\"\n },\n \"name\": \"querytext4\"\n },\n {\n \"type\": 3,\n \"content\": {\n \"version\": \"KqlItem/1.0\",\n \"query\": \"resources | where type =~ 'microsoft.network/applicationGateways' | extend compliant = (isnotnull(zones) and array_length(zones) > 1) | distinct id,compliant | extend onlyFailed = {OnlyFailed:label} | where compliant == 0 or not (onlyFailed == 1) | project-away onlyFailed\",\n \"size\": 4,\n \"queryType\": 1,\n \"resourceType\": \"microsoft.resourcegraph/resources\",\n \"crossComponentResources\": [\n \"{Subscription}\"\n ],\n \"gridSettings\": {\n \"formatters\": [\n {\n \"columnMatch\": \"id\",\n \"formatter\": 0,\n \"numberFormat\": {\n \"unit\": 0,\n \"options\": {\n \"style\": \"decimal\"\n }\n }\n },\n {\n \"columnMatch\": \"compliant\",\n \"formatter\": 18,\n \"formatOptions\": {\n \"thresholdsOptions\": \"icons\",\n \"thresholdsGrid\": [\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"1\",\n \"representation\": \"success\",\n \"text\": \"Success\"\n },\n {\n \"operator\": \"==\",\n \"thresholdValue\": \"0\",\n \"representation\": \"failed\",\n \"text\": \"Failed\"\n },\n {\n \"operator\": \"Default\",\n \"thresholdValue\": null,\n \"representation\": \"unknown\",\n \"text\": \"Unknown\"\n }\n ]\n }\n }\n ]\n }\n },\n \"name\": \"query4\"\n }\n ]\n },\n \"conditionalVisibility\": {\n \"parameterName\": \"VisibleTab\",\n \"comparison\": \"isEqualTo\",\n \"value\": \"tab2\"\n },\n \"name\": \"tab2\"\n }\n ],\n \"$schema\": \"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"\n}", "version": "1.0", "sourceId": "[parameters('workbookSourceId')]", "category": "[parameters('workbookType')]"