From f65be228dab063390edb4ee59eaaefb5e2b50774 Mon Sep 17 00:00:00 2001 From: jtdauria-shi Date: Fri, 5 Dec 2025 15:02:39 -0500 Subject: [PATCH 01/15] Added break glass overview file --- docs/SHIELD/Reference/Break-Glass-Overview.md | 3 +++ mkdocs.yml | 1 + 2 files changed, 4 insertions(+) create mode 100644 docs/SHIELD/Reference/Break-Glass-Overview.md diff --git a/docs/SHIELD/Reference/Break-Glass-Overview.md b/docs/SHIELD/Reference/Break-Glass-Overview.md new file mode 100644 index 0000000..440348b --- /dev/null +++ b/docs/SHIELD/Reference/Break-Glass-Overview.md @@ -0,0 +1,3 @@ +🚧 This section is coming soon. + +Break Glass documentation will be published here once it is finalized! \ No newline at end of file diff --git a/mkdocs.yml b/mkdocs.yml index a548ae6..e83c1e3 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -223,6 +223,7 @@ nav: - Configure Managed Identity: SHIELD/Reference/Settings/Configure-Managed-Identity.md - Debug Mode: SHIELD/Reference/Settings/Debug-Mode.md - Environment Variables: SHIELD/Reference/Settings/Environmental-Variables-Reference.md + - Break Glass Overview: SHIELD/Reference/Break-Glass-Overview.md - Uninstall: SHIELD/Reference/Uninstall.md - Data Gateway: From 2d7f1afce414ce36d554d623fea082a2e62771ef Mon Sep 17 00:00:00 2001 
From: jtdauria-shi Date: Wed, 10 Dec 2025 16:11:47 -0500 Subject: [PATCH 02/15] Added 18 Conditional Access Policy Files and Folders + Navigation --- .../Enterprise/Compliance.md | 7 +++++ .../Conditional-Access/Enterprise/Location.md | 7 +++++ .../Conditional-Access/Enterprise/MDCA.md | 7 +++++ .../Conditional-Access/Enterprise/MFA.md | 7 +++++ .../Privileged/Authentication-Methods.md | 7 +++++ .../Privileged/Block-Non-Priv.md | 7 +++++ .../Privileged/Compliance.md | 7 +++++ .../Disable-CA-Resilience-Downgrade.md | 7 +++++ .../Privileged/Hardware-Enforcement.md | 7 +++++ .../Privileged/Join-Type.md | 7 +++++ .../Privileged/Legacy-Auth.md | 7 +++++ .../Conditional-Access/Privileged/Location.md | 7 +++++ .../Conditional-Access/Privileged/MFA.md | 7 +++++ .../Privileged/OS-Enforcement.md | 7 +++++ .../Privileged/Session-Persistence.md | 7 +++++ .../Privileged/Sign-In-Risk.md | 7 +++++ .../Privileged/Token-Binding.md | 7 +++++ .../Privileged/User-Risk.md | 7 +++++ docs/SHIELD/Reference/Break-Glass-Overview.md | 2 ++ mkdocs.yml | 27 +++++++++++++++++-- 20 files changed, 153 insertions(+), 2 deletions(-) create mode 100644 docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Enterprise/Compliance.md create mode 100644 docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Enterprise/Location.md create mode 100644 docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Enterprise/MDCA.md create mode 100644 docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Enterprise/MFA.md create mode 100644 docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Authentication-Methods.md create mode 100644 docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Block-Non-Priv.md create mode 100644 docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Compliance.md create mode 100644 docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Disable-CA-Resilience-Downgrade.md create mode 100644 
docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Hardware-Enforcement.md create mode 100644 docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Join-Type.md create mode 100644 docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Legacy-Auth.md create mode 100644 docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Location.md create mode 100644 docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/MFA.md create mode 100644 docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/OS-Enforcement.md create mode 100644 docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Session-Persistence.md create mode 100644 docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Sign-In-Risk.md create mode 100644 docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Token-Binding.md create mode 100644 docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/User-Risk.md diff --git a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Enterprise/Compliance.md b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Enterprise/Compliance.md new file mode 100644 index 0000000..53821f0 --- /dev/null +++ b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Enterprise/Compliance.md @@ -0,0 +1,7 @@ +**Name**: +**Description**: +**Why It's Important**: +**Recommendations**: +**License Requirements**: +**Learn More**: +**Disclaimer**: \ No newline at end of file diff --git a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Enterprise/Location.md b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Enterprise/Location.md new file mode 100644 index 0000000..53821f0 --- /dev/null +++ b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Enterprise/Location.md 
@@ -0,0 +1,7 @@ +**Name**: +**Description**: +**Why It's Important**: +**Recommendations**: +**License Requirements**: +**Learn More**: +**Disclaimer**: \ No newline at end of file diff --git a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Enterprise/MDCA.md b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Enterprise/MDCA.md new file mode 100644 index 0000000..53821f0 --- /dev/null +++ b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Enterprise/MDCA.md @@ -0,0 +1,7 @@ +**Name**: +**Description**: +**Why It's Important**: +**Recommendations**: +**License Requirements**: +**Learn More**: +**Disclaimer**: \ No newline at end of file diff --git a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Enterprise/MFA.md b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Enterprise/MFA.md new file mode 100644 index 0000000..53821f0 --- /dev/null +++ b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Enterprise/MFA.md @@ -0,0 +1,7 @@ +**Name**: +**Description**: +**Why It's Important**: +**Recommendations**: +**License Requirements**: +**Learn More**: +**Disclaimer**: \ No newline at end of file diff --git a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Authentication-Methods.md b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Authentication-Methods.md new file mode 100644 index 0000000..53821f0 --- /dev/null +++ b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Authentication-Methods.md @@ -0,0 +1,7 @@ +**Name**: +**Description**: +**Why It's Important**: +**Recommendations**: +**License Requirements**: +**Learn More**: +**Disclaimer**: \ No newline at end of file diff --git a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Block-Non-Priv.md b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Block-Non-Priv.md new file mode 100644 index 0000000..53821f0 --- /dev/null 
+++ b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Block-Non-Priv.md @@ -0,0 +1,7 @@ +**Name**: +**Description**: +**Why It's Important**: +**Recommendations**: +**License Requirements**: +**Learn More**: +**Disclaimer**: \ No newline at end of file diff --git a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Compliance.md b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Compliance.md new file mode 100644 index 0000000..53821f0 --- /dev/null +++ b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Compliance.md @@ -0,0 +1,7 @@ +**Name**: +**Description**: +**Why It's Important**: +**Recommendations**: +**License Requirements**: +**Learn More**: +**Disclaimer**: \ No newline at end of file diff --git a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Disable-CA-Resilience-Downgrade.md b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Disable-CA-Resilience-Downgrade.md new file mode 100644 index 0000000..53821f0 --- /dev/null +++ b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Disable-CA-Resilience-Downgrade.md @@ -0,0 +1,7 @@ +**Name**: +**Description**: +**Why It's Important**: +**Recommendations**: +**License Requirements**: +**Learn More**: +**Disclaimer**: \ No newline at end of file diff --git a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Hardware-Enforcement.md b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Hardware-Enforcement.md new file mode 100644 index 0000000..53821f0 --- /dev/null +++ b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Hardware-Enforcement.md @@ -0,0 +1,7 @@ +**Name**: +**Description**: +**Why It's Important**: +**Recommendations**: +**License Requirements**: +**Learn More**: +**Disclaimer**: \ No newline at end of file 
diff --git a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Join-Type.md b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Join-Type.md new file mode 100644 index 0000000..53821f0 --- /dev/null +++ b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Join-Type.md @@ -0,0 +1,7 @@ +**Name**: +**Description**: +**Why It's Important**: +**Recommendations**: +**License Requirements**: +**Learn More**: +**Disclaimer**: \ No newline at end of file diff --git a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Legacy-Auth.md b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Legacy-Auth.md new file mode 100644 index 0000000..53821f0 --- /dev/null +++ b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Legacy-Auth.md @@ -0,0 +1,7 @@ +**Name**: +**Description**: +**Why It's Important**: +**Recommendations**: +**License Requirements**: +**Learn More**: +**Disclaimer**: \ No newline at end of file diff --git a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Location.md b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Location.md new file mode 100644 index 0000000..53821f0 --- /dev/null +++ b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Location.md @@ -0,0 +1,7 @@ +**Name**: +**Description**: +**Why It's Important**: +**Recommendations**: +**License Requirements**: +**Learn More**: +**Disclaimer**: \ No newline at end of file diff --git a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/MFA.md b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/MFA.md new file mode 100644 index 0000000..53821f0 --- /dev/null +++ b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/MFA.md 
@@ -0,0 +1,7 @@ +**Name**: +**Description**: +**Why It's Important**: +**Recommendations**: +**License Requirements**: +**Learn More**: +**Disclaimer**: \ No newline at end of file diff --git a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/OS-Enforcement.md b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/OS-Enforcement.md new file mode 100644 index 0000000..53821f0 --- /dev/null +++ b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/OS-Enforcement.md @@ -0,0 +1,7 @@ +**Name**: +**Description**: +**Why It's Important**: +**Recommendations**: +**License Requirements**: +**Learn More**: +**Disclaimer**: \ No newline at end of file diff --git a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Session-Persistence.md b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Session-Persistence.md new file mode 100644 index 0000000..53821f0 --- /dev/null +++ b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Session-Persistence.md @@ -0,0 +1,7 @@ +**Name**: +**Description**: +**Why It's Important**: +**Recommendations**: +**License Requirements**: +**Learn More**: +**Disclaimer**: \ No newline at end of file diff --git a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Sign-In-Risk.md b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Sign-In-Risk.md new file mode 100644 index 0000000..53821f0 --- /dev/null +++ b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Sign-In-Risk.md @@ -0,0 +1,7 @@ +**Name**: +**Description**: +**Why It's Important**: +**Recommendations**: +**License Requirements**: +**Learn More**: +**Disclaimer**: \ No newline at end of file 
diff --git a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Token-Binding.md b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Token-Binding.md new file mode 100644 index 0000000..53821f0 --- /dev/null +++ b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Token-Binding.md @@ -0,0 +1,7 @@ +**Name**: +**Description**: +**Why It's Important**: +**Recommendations**: +**License Requirements**: +**Learn More**: +**Disclaimer**: \ No newline at end of file diff --git a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/User-Risk.md b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/User-Risk.md new file mode 100644 index 0000000..53821f0 --- /dev/null +++ b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/User-Risk.md @@ -0,0 +1,7 @@ +**Name**: +**Description**: +**Why It's Important**: +**Recommendations**: +**License Requirements**: +**Learn More**: +**Disclaimer**: \ No newline at end of file diff --git a/docs/SHIELD/Reference/Break-Glass-Overview.md b/docs/SHIELD/Reference/Break-Glass-Overview.md index 440348b..50b3cd6 100644 --- a/docs/SHIELD/Reference/Break-Glass-Overview.md +++ b/docs/SHIELD/Reference/Break-Glass-Overview.md @@ -1,3 +1,5 @@ +# Break Glass Account Overview + 🚧 This section is coming soon. Break Glass documentation will be published here once it is finalized! \ No newline at end of file diff --git a/mkdocs.yml b/mkdocs.yml index e83c1e3..763f8dc 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
@@ -153,7 +153,30 @@ nav: - Overview: SHIELD/Deploy/index.md - Deployment: SHIELD/Deploy/Deployment/index.md - Usage Guide: SHIELD/Deploy/Usage-Guide.md - - Reference: SHIELD/Deploy/Reference/index.md + - Reference: + - Reference: SHIELD/Deploy/Reference/index.md + - Architecture: + - Conditional Access: + - Enterprise: + - Compliance: SHIELD/Deploy/Reference/Architecture/Conditional-Access/Enterprise/Compliance.md + - Location: SHIELD/Deploy/Reference/Architecture/Conditional-Access/Enterprise/Location.md + - Microsoft Defender for Cloud Applications (MDCA): SHIELD/Deploy/Reference/Architecture/Conditional-Access/Enterprise/MDCA.md + - Multi-Factor Authentication (MFA): SHIELD/Deploy/Reference/Architecture/Conditional-Access/Enterprise/MFA.md + - Privileged: + - Authentication Methods: SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Authentication-Methods.md + - Block Non-Privileged: SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Block-Non-Priv.md + - Compliance: SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Compliance.md + - Disable Conditional Access Resilience Downgrade: SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Disable-CA-Resilience-Downgrade.md + - Hardware Enforcement: SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Hardware-Enforcement.md + - Join Type: SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Join-Type.md + - Legacy Authentication: SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Legacy-Auth.md + - Location: SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Location.md + - Multi-Factor Authentication (MFA): SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/MFA.md + - Operating System Enforcement: SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/OS-Enforcement.md + - Session Persistence: 
SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Session-Persistence.md + - Sign-in Risk: SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Sign-In-Risk.md + - Token Binding: SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Token-Binding.md + - User Risk: SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/User-Risk.md - Troubleshooting: SHIELD/Deploy/Troubleshooting.md - Defend: @@ -223,7 +246,7 @@ nav: - Configure Managed Identity: SHIELD/Reference/Settings/Configure-Managed-Identity.md - Debug Mode: SHIELD/Reference/Settings/Debug-Mode.md - Environment Variables: SHIELD/Reference/Settings/Environmental-Variables-Reference.md - - Break Glass Overview: SHIELD/Reference/Break-Glass-Overview.md + - Break Glass: SHIELD/Reference/Break-Glass-Overview.md - Uninstall: SHIELD/Reference/Uninstall.md - Data Gateway: From f0e3b2096af7dbbb048017a7c348a9d0889da41d Mon Sep 17 00:00:00 2001 From: jtdauria-shi Date: Thu, 11 Dec 2025 11:52:26 -0500 Subject: [PATCH 03/15] Added content to enterprise policies --- .../Enterprise/Compliance.md | 38 +++++++++++++++---- .../Conditional-Access/Enterprise/Location.md | 37 ++++++++++++++---- .../Conditional-Access/Enterprise/MDCA.md | 37 ++++++++++++++---- .../Conditional-Access/Enterprise/MFA.md | 36 ++++++++++++++---- 4 files changed, 120 insertions(+), 28 deletions(-) diff --git a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Enterprise/Compliance.md b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Enterprise/Compliance.md index 53821f0..9d56a54 100644 --- a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Enterprise/Compliance.md +++ b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Enterprise/Compliance.md 
@@ -1,7 +1,31 @@ -**Name**: -**Description**: -**Why It's Important**: -**Recommendations**: -**License Requirements**: -**Learn More**: -**Disclaimer**: \ No newline at end of file +# Compliance + +## Description + +This policy enforces that enterprise-class users must authenticate using a device that meets compliance standards defined in Intune. + +## Why It's Important + +Requiring compliant devices ensures that only endpoints with approved configurations, security controls, and health status can access corporate resources. This policy helps prevent access from unmanaged or misconfigured devices, reducing the risk of data leakage, malware propagation, and unauthorized access. It supports a zero-trust model by validating device posture before granting access. + +## Recommendations: + +- **Communicate** the requirement for compliant devices and provide remediation guidance. +- **Stage** the rollout with a pilot group and exclude critical accounts. +- **Test device** compliance enforcement and validate Intune reporting. +- **Maintain** a rollback plan for operational resilience. +- **Enforce** the policy broadly after successful validation. + + +## License Requirements + +- Microsoft Entra ID P1 +- Microsoft Intune + +## Learn More + +- [Require device compliance with Conditional Access](https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-all-users-device-compliance){:target="_blank"} + +
+ +--- \ No newline at end of file diff --git a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Enterprise/Location.md b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Enterprise/Location.md index 53821f0..a4170d1 100644 --- a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Enterprise/Location.md +++ b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Enterprise/Location.md @@ -1,7 +1,30 @@ -**Name**: -**Description**: -**Why It's Important**: -**Recommendations**: -**License Requirements**: -**Learn More**: -**Disclaimer**: \ No newline at end of file +# Location + +## Description + +This policy blocks enterprise identity authentication attempts from specific geographic regions identified as high-risk, based on IP geolocation. + +## Why It's Important + +Certain countries pose elevated cybersecurity threats due to geopolitical instability, regulatory concerns, or known malicious activity. This policy uses a named location filter to prevent sign-ins from these regions, helping to enforce geo-fencing and reduce exposure to unauthorized access attempts. It supports a zero-trust strategy by ensuring authentication only occurs from trusted geographic zones. + +## Recommendations + +- **Communicate** the geo-fencing policy and list of blocked regions. +- **Stage** the rollout with a pilot group and exclude critical accounts. +- **Test** location-based access behavior and validate named location filters. +- **Maintain** a rollback plan for access continuity. +- **Enforce** the policy broadly after successful validation. + + +## License Requirements + +- Microsoft Entra ID P1 + +## Learn More + +- [Block access by location](https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-block-by-location){:target="_blank"} + +
+ +--- \ No newline at end of file diff --git a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Enterprise/MDCA.md b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Enterprise/MDCA.md index 53821f0..6a5388d 100644 --- a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Enterprise/MDCA.md +++ b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Enterprise/MDCA.md @@ -1,7 +1,30 @@ -**Name**: -**Description**: -**Why It's Important**: -**Recommendations**: -**License Requirements**: -**Learn More**: -**Disclaimer**: \ No newline at end of file +# Microsoft Defender for Cloud Applications (MDCA) + +## Description + +This policy integrates Microsoft Defender for Cloud Apps (MDCA) with enterprise identity access to enable real-time monitoring and control over user sessions. + +## Why It's Important + +MDCA provides visibility into user activity and enforces session-level controls across cloud applications. By enabling this integration, the policy allows for conditional access enforcement based on risk signals, user behavior, and compliance status. It helps detect anomalies, prevent data exfiltration, and apply granular access restrictions, strengthening enterprise security posture without disrupting productivity. + +## Recommendations + +- **Communicate** the integration of MDCA and its impact on session monitoring. +- **Stage** the rollout with a pilot group and exclude critical accounts. +- **Test** session control behavior and validate MDCA enforcement. +- **Maintain** a rollback plan for operational flexibility. +- **Enforce** the policy broadly after successful validation. + +## License Requirements + +- Microsoft Entra ID P1 +- Microsoft Defender for Cloud Apps + +## Learn More + +- [Conditional Access app control in Microsoft Defender for Cloud Apps](https://learn.microsoft.com/en-us/defender-cloud-apps/proxy-intro-aad){:target="_blank"} + +
+ +--- \ No newline at end of file diff --git a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Enterprise/MFA.md b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Enterprise/MFA.md index 53821f0..a0c6439 100644 --- a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Enterprise/MFA.md +++ b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Enterprise/MFA.md @@ -1,7 +1,29 @@ -**Name**: -**Description**: -**Why It's Important**: -**Recommendations**: -**License Requirements**: -**Learn More**: -**Disclaimer**: \ No newline at end of file +# Multi-Factor Authentication (MFA) + +## Description + +This policy enforces multi-factor authentication (MFA) for enterprise identities during sign-in to reduce the risk of identity compromise. + +## Why It's Important + +Passwords alone are insufficient to protect privileged access. This policy ensures that users in key enterprise groups must verify their identity using a second factor, such as a mobile app or hardware token, before accessing any cloud application. By excluding break-glass accounts, it maintains emergency access while enforcing strong authentication for all other users, supporting a zero-trust security model + +## Recommendations + +- **Communicate** the MFA requirement and provide setup guidance. +- **Stage** the rollout with a pilot group and exclude critical accounts. +- **Test** MFA enforcement and user experience across platforms. +- **Maintain** a rollback plan for access continuity. +- **Enforce** the policy broadly after successful validation. + +## License Requirements + +- Microsoft Entra ID P1 + +## Learn More + +- [Require multifactor authentication for all users](https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-all-users-mfa-strength){:target="_blank"} + +
+ +--- \ No newline at end of file From dd62d594fc70f6d3c16f94bcc00b878607732255 Mon Sep 17 00:00:00 2001 From: jtdauria-shi Date: Thu, 11 Dec 2025 15:58:11 -0500 Subject: [PATCH 04/15] Added content to privileged policies --- .../Enterprise/Compliance.md | 2 +- .../Privileged/Authentication-Methods.md | 36 ++++++++++++++---- .../Privileged/Block-Non-Priv.md | 36 ++++++++++++++---- .../Privileged/Compliance.md | 37 +++++++++++++++---- .../Disable-CA-Resilience-Downgrade.md | 36 ++++++++++++++---- .../Privileged/Hardware-Enforcement.md | 36 ++++++++++++++---- .../Privileged/Join-Type.md | 36 ++++++++++++++---- .../Privileged/Legacy-Auth.md | 36 ++++++++++++++---- .../Conditional-Access/Privileged/Location.md | 36 ++++++++++++++---- .../Conditional-Access/Privileged/MFA.md | 36 ++++++++++++++---- .../Privileged/OS-Enforcement.md | 36 ++++++++++++++---- .../Privileged/Session-Persistence.md | 36 ++++++++++++++---- .../Privileged/Sign-In-Risk.md | 37 +++++++++++++++---- .../Privileged/Token-Binding.md | 36 ++++++++++++++---- .../Privileged/User-Risk.md | 37 +++++++++++++++---- 15 files changed, 410 insertions(+), 99 deletions(-) diff --git a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Enterprise/Compliance.md b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Enterprise/Compliance.md index 9d56a54..998e2ef 100644 --- a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Enterprise/Compliance.md +++ b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Enterprise/Compliance.md 
@@ -12,7 +12,7 @@ Requiring compliant devices ensures that only endpoints with approved configurat - **Communicate** the requirement for compliant devices and provide remediation guidance. - **Stage** the rollout with a pilot group and exclude critical accounts. -- **Test device** compliance enforcement and validate Intune reporting. +- **Test** device compliance enforcement and validate Intune reporting. - **Maintain** a rollback plan for operational resilience. - **Enforce** the policy broadly after successful validation. diff --git a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Authentication-Methods.md b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Authentication-Methods.md index 53821f0..fb19959 100644 --- a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Authentication-Methods.md +++ b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Authentication-Methods.md 
@@ -1,7 +1,29 @@ -**Name**: -**Description**: -**Why It's Important**: -**Recommendations**: -**License Requirements**: -**Learn More**: -**Disclaimer**: \ No newline at end of file +# Authentication Methods + +## Description + +This policy enforces a specific set of acceptable authentication methods Entra ID sign-in, based on authentication strength. Only users in the included groups can authenticate, and only if they use approved authentication methods. + +## Why It's Important + +This policy enforces strong authentication methods for Entra ID sign-ins, ensuring SHIELD limits privileged access to approved, phishing-resistant factors only. + +## Recommendations + +- **Communicate** the enforcement of strong authentication methods and provide setup guidance. +- **Stage** the rollout with a pilot group and exclude critical accounts. +- **Test** authentication strength enforcement and validate exclusions. +- **Maintain** a rollback plan for access continuity. +- **Enforce** the policy broadly after successful validation. + +## License Requirements + +- Microsoft Entra ID P1 + +## Learn More + +- [Conditional Access authentication strengths](https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-strengths){:target="_blank"} + +
+ +--- \ No newline at end of file diff --git a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Block-Non-Priv.md b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Block-Non-Priv.md index 53821f0..3f1e2ed 100644 --- a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Block-Non-Priv.md +++ b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Block-Non-Priv.md @@ -1,7 +1,29 @@ -**Name**: -**Description**: -**Why It's Important**: -**Recommendations**: -**License Requirements**: -**Learn More**: -**Disclaimer**: \ No newline at end of file +# Block Non-Privileged + +## Description + +This policy prevents non-privileged users from signing in to privileged devices—specifically those designated for sensitive operations. It ensures that only authorized, privileged identities can access high-trust endpoints, reducing the risk of lateral movement, data exposure, or misuse of privileged infrastructure. + +## Why It's Important + +This policy restricts privileged devices to privileged identities only, ensuring SHIELD prevents unauthorized users from accessing sensitive endpoints and reducing the risk of lateral movement. + +## Recommendations + +- **Communicate** the restriction of privileged devices to privileged users only. +- **Stage** the rollout with a pilot group and exclude critical accounts. +- **Test** access behavior across user types and validate exclusions. +- **Maintain** a rollback plan for operational flexibility. +- **Enforce** the policy broadly after successful validation. + +## License Requirements + +- Microsoft Entra ID P1 + +## Learn More + +- [Conditional Access: Filter for devices](https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-condition-filters-for-devices){:target="_blank"} + +
+ +--- \ No newline at end of file diff --git a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Compliance.md b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Compliance.md index 53821f0..f46e61e 100644 --- a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Compliance.md +++ b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Compliance.md @@ -1,7 +1,30 @@ -**Name**: -**Description**: -**Why It's Important**: -**Recommendations**: -**License Requirements**: -**Learn More**: -**Disclaimer**: \ No newline at end of file +# Compliance + +## Description + +This policy enforces that privileged devices must be compliant with their Intune compliance policies before they can access any cloud applications + +## Why It's Important + +This policy ensures privileged devices meet Intune compliance requirements before accessing cloud apps, allowing SHIELD to block noncompliant or insecure endpoints from sensitive resources. + +## Recommendations + +- **Communicate** the requirement for compliant devices and provide remediation guidance. +- **Stage** the rollout with a pilot group and exclude critical accounts. +- **Test** device compliance enforcement and validate Intune reporting. +- **Maintain** a rollback plan for operational resilience. +- **Enforce** the policy broadly after successful validation. + +## License Requirements + +- Microsoft Entra ID P1 +- Microsoft Intune + +## Learn More + +- [Require device compliance with Conditional Access](https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-all-users-device-compliance){:target="_blank"} + +
+ +--- diff --git a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Disable-CA-Resilience-Downgrade.md b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Disable-CA-Resilience-Downgrade.md index 53821f0..d05a91c 100644 --- a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Disable-CA-Resilience-Downgrade.md +++ b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Disable-CA-Resilience-Downgrade.md 
@@ -1,7 +1,29 @@ -**Name**: -**Description**: -**Why It's Important**: -**Recommendations**: -**License Requirements**: -**Learn More**: -**Disclaimer**: \ No newline at end of file +# Disable Conditional Access Resilience Downgrade + +## Description + +This policy prevents Microsoft Entra Conditional Access resilience features from automatically downgrading security requirements during service outages or disruptions. It ensures that privileged identities remain protected even when Microsoft services experience availability issues. Instead of relaxing controls, organizations are expected to use break-glass accounts for emergency access. + +## Why It's Important + +This policy ensures Conditional Access requirements are never weakened during outages, allowing SHIELD to maintain strong protection for privileged identities and rely on break-glass accounts for continuity. + +## Recommendations + +- **Communicate** the removal of resilience fallback and reinforce break-glass access procedures. +- **Stage** the rollout with a pilot group and validate emergency access. +- **Test** behavior during service disruptions and confirm policy enforcement. +- **Maintain** a rollback plan for operational continuity. +- **Enforce** the policy broadly after successful validation. + +## License Requirements + +- Microsoft Entra ID P1 + +## Learn More + +- [Conditional Access: Resilience defaults](https://learn.microsoft.com/en-us/entra/identity/conditional-access/resilience-defaults){:target="_blank"} + +
+ +--- diff --git a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Hardware-Enforcement.md b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Hardware-Enforcement.md index 53821f0..b6a5447 100644 --- a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Hardware-Enforcement.md +++ b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Hardware-Enforcement.md @@ -1,7 +1,29 @@ -**Name**: -**Description**: -**Why It's Important**: -**Recommendations**: -**License Requirements**: -**Learn More**: -**Disclaimer**: \ No newline at end of file +# Hardware Enforcement + +## Description + +This policy ensures that only approved and commissioned hardware is allowed to authenticate to Entra ID. It blocks access from any device that does not meet specific manufacturer, model, and custom attribute criteria—enforcing strict control over the physical devices used by privileged identities. + +## Why It's Important + +This policy enforces that only approved hardware can access privileged accounts, allowing SHIELD to block untrusted or rogue devices and maintain strict control over sensitive operations. + +## Recommendations + +- **Communicate** the restriction to approved hardware and provide verification guidance. +- **Stage** the rollout with a pilot group and exclude critical accounts. +- **Test** hardware enforcement and validate device attribute filtering. +- **Maintain** a rollback plan for operational flexibility. +- **Enforce** the policy broadly after successful validation. + +## License Requirements + +- Microsoft Entra ID P1 + +## Learn More + +- [Conditional Access: Filter for devices](https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-condition-filters-for-devices){:target="_blank"} + +
+ +--- diff --git a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Join-Type.md b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Join-Type.md index 53821f0..bd900cb 100644 --- a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Join-Type.md +++ b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Join-Type.md @@ -1,7 +1,29 @@ -**Name**: -**Description**: -**Why It's Important**: -**Recommendations**: -**License Requirements**: -**Learn More**: -**Disclaimer**: \ No newline at end of file +# Join Type + +## Description + +This policy ensures that only devices joined directly to Microsoft Entra ID (formerly Azure AD) are allowed to authenticate privileged identities. It blocks access from hybrid-joined or Bring Your Own Device (BYOD) endpoints, helping prevent unauthorized or unmanaged devices from injecting into privileged workflows. + +## Why It's Important + +This policy restricts privileged access to Entra ID-joined devices only, ensuring SHIELD blocks unmanaged or hybrid endpoints from being used to compromise sensitive workflows. + +## Recommendations + +- **Communicate** the restriction to Entra ID-joined devices and provide transition guidance. +- **Stage** the rollout with a pilot group and exclude critical accounts. +- **Test** device join type enforcement and validate exclusions. +- **Maintain** a rollback plan for operational flexibility. +- **Enforce** the policy broadly after successful validation. + +## License Requirements + +- Microsoft Entra ID P1 + +## Learn More + +- [Conditional Access: Filter for devices](https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-condition-filters-for-devices){:target="_blank"} + +
+ +--- diff --git a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Legacy-Auth.md b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Legacy-Auth.md index 53821f0..f0ee218 100644 --- a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Legacy-Auth.md +++ b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Legacy-Auth.md @@ -1,7 +1,29 @@ -**Name**: -**Description**: -**Why It's Important**: -**Recommendations**: -**License Requirements**: -**Learn More**: -**Disclaimer**: \ No newline at end of file +# Legacy Authentication + +## Description + +This policy blocks the use of legacy authentication protocols—such as Exchange ActiveSync and other non-modern clients—for privileged identities. + +## Why It's Important + +This policy blocks legacy authentication for privileged identities, helping SHIELD prevent attackers from exploiting outdated protocols that bypass modern security controls like MFA. + +## Recommendations + +- **Communicate** the deprecation of legacy authentication and provide transition guidance. +- **Stage** the rollout with a pilot group and exclude critical accounts. +- **Test** for legacy protocol usage and validate enforcement. +- **Maintain** a rollback plan for operational continuity. +- **Enforce** the policy broadly after successful validation. + +## License Requirements + +- Microsoft Entra ID P1 + +## Learn More + +- [Block legacy authentication with Conditional Access](https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-block-legacy-authentication){:target="_blank"} + +
+ +--- diff --git a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Location.md b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Location.md index 53821f0..f907897 100644 --- a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Location.md +++ b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Location.md @@ -1,7 +1,29 @@ -**Name**: -**Description**: -**Why It's Important**: -**Recommendations**: -**License Requirements**: -**Learn More**: -**Disclaimer**: \ No newline at end of file +# Location + +## Description + +This policy blocks privileged identity authentication attempts from a set of problematic world regions, as defined by a named location based on IP geolocation. It helps prevent access from countries associated with elevated cybersecurity risks, geopolitical concerns, or regulatory restrictions. + +## Why It's Important + +This policy blocks privileged access attempts from high-risk or restricted regions, helping SHIELD reduce exposure to malicious activity and comply with geographic access requirements. + +## Recommendations + +- **Communicate** the geo-fencing policy and list of blocked regions. +- **Stage** the rollout with a pilot group and exclude critical accounts. +- **Test** location-based access behavior and validate named location filters. +- **Maintain** a rollback plan for access continuity. +- **Enforce** the policy broadly after successful validation. + +## License Requirements + +- Microsoft Entra ID P1 + +## Learn More + +- [Block access by location](https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-block-by-location){:target="_blank"} + +
+ +--- diff --git a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/MFA.md b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/MFA.md index 53821f0..dd2b2fb 100644 --- a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/MFA.md +++ b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/MFA.md @@ -1,7 +1,29 @@ -**Name**: -**Description**: -**Why It's Important**: -**Recommendations**: -**License Requirements**: -**Learn More**: -**Disclaimer**: \ No newline at end of file +# Multi-Factor Authentication (MFA) + +## Description + +This policy enforces Multi-Factor Authentication (MFA) for privileged users during sign-in to Entra ID. It significantly reduces the risk of identity compromise by requiring a second factor of authentication beyond just a password. + +## Why It's Important + +This policy enforces MFA for privileged users, helping SHIELD prevent account compromise by requiring an additional factor beyond passwords. + +## Recommendations + +- **Communicate** the MFA requirement and provide setup guidance. +- **Stage** the rollout with a pilot group and exclude critical accounts. +- **Test** MFA enforcement and user experience across platforms. +- **Maintain** a rollback plan for access continuity. +- **Enforce** the policy broadly after successful validation. + +## License Requirements + +- Microsoft Entra ID P1 + +## Learn More + +- [Require multifactor authentication for all users](https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-all-users-mfa-strength){:target="_blank"} + +
+ +--- diff --git a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/OS-Enforcement.md b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/OS-Enforcement.md index 53821f0..d02c753 100644 --- a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/OS-Enforcement.md +++ b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/OS-Enforcement.md @@ -1,7 +1,29 @@ -**Name**: -**Description**: -**Why It's Important**: -**Recommendations**: -**License Requirements**: -**Learn More**: -**Disclaimer**: \ No newline at end of file +# Operating System Enforcement + +## Description + +This policy ensures that only devices running Windows are allowed to authenticate to Entra ID It blocks access from all other operating systems, helping enforce a standardized and secure platform for privileged access. + +## Why It's Important + +This policy restricts privileged access to Windows devices only, enabling SHIELD to enforce a standardized platform and reduce risks from unmanaged or unsupported operating systems. + +## Recommendations + +- **Communicate** the change and explain the Windows-only access requirement. +- **Stage** the rollout with a pilot group and exclude critical accounts. +- **Test** platform access behavior and validate exclusions. +- **Maintain** a rollback plan for operational continuity. +- **Enforce** the policy broadly after successful validation + +## License Requirements + +- Microsoft Entra ID P1 + +## Learn More + +- [Conditional Access: Filter for devices](https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-condition-filters-for-devices#common-scenarios){:target="_blank"} + +
+ +--- diff --git a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Session-Persistence.md b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Session-Persistence.md index 53821f0..231ffee 100644 --- a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Session-Persistence.md +++ b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Session-Persistence.md @@ -1,7 +1,29 @@ -**Name**: -**Description**: -**Why It's Important**: -**Recommendations**: -**License Requirements**: -**Learn More**: -**Disclaimer**: \ No newline at end of file +# Session Persistence + +## Description + +This policy disables persistent browser sessions for privileged users, ensuring that identity revalidation occurs as frequently as possible. It helps reduce the risk of unauthorized access due to session hijacking or stale authentication tokens. + +## Why It's Important + +This policy requires privileged users to reauthenticate frequently, helping SHIELD reduce the risk of session hijacking and misuse of stale tokens. + +## Recommendations + +- **Communicate** the change to users, highlighting the impact on session behavior. +- **Stage** the rollout with a pilot group and exclude critical accounts. +- **Test** authentication frequency and user experience. +- **Maintain** a rollback plan to address potential disruptions. +- **Enforce** the policy broadly after successful validation. + +## License Requirements + +- Microsoft Entra ID P2 + +## Learn More + +- [Configure adaptive session lifetime policies](https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-session-lifetime){:target="_blank"} + +
+ +--- diff --git a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Sign-In-Risk.md b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Sign-In-Risk.md index 53821f0..3601ede 100644 --- a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Sign-In-Risk.md +++ b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Sign-In-Risk.md @@ -1,7 +1,30 @@ -**Name**: -**Description**: -**Why It's Important**: -**Recommendations**: -**License Requirements**: -**Learn More**: -**Disclaimer**: \ No newline at end of file +# Sign-in Risk + +## Description + +This policy blocks access to Entra ID for users whose sign-in attempts are flagged with any level of risk—low, medium, or high. It’s designed to prevent access from potentially compromised or suspicious sign-in sessions, especially for privileged users. + +## Why It's Important + +This policy blocks risky sign-ins for privileged users, allowing SHIELD to prevent access from potentially compromised sessions and reduce the chance of account takeover. + +## Recommendations + +- **Communicate** the policy change and its impact on risky sign-ins. +- **Stage** the rollout with a pilot group and exclude critical accounts. +- **Test** sign-in behavior and risk detection accuracy. +- **Maintain** a rollback plan for quick recovery if needed. +- **Enforce** the policy broadly after successful validation. + +## License Requirements + +- Microsoft Entra ID P2 +- Microsoft Defender for Cloud Apps + +## Learn More + +- [Require multifactor authentication for elevated sign-in risk](https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-risk-based-sign-in){:target="_blank"} + +
+ +--- diff --git a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Token-Binding.md b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Token-Binding.md index 53821f0..25b2039 100644 --- a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Token-Binding.md +++ b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Token-Binding.md @@ -1,7 +1,29 @@ -**Name**: -**Description**: -**Why It's Important**: -**Recommendations**: -**License Requirements**: -**Learn More**: -**Disclaimer**: \ No newline at end of file +# Token Binding + +## Description + +This policy is designed to prevent token theft from Microsoft Exchange Online (EXO) and SharePoint Online (SPO) clients by enforcing secure session controls for privileged users. + +## Why It's Important + +This policy protects against token theft by binding access tokens to secure sessions, ensuring attackers cannot reuse stolen tokens to bypass SHIELD identity and access controls. + +## Recommendations + +- **Communicate** the policy change and its impact to affected users. +- **Stage** the rollout by piloting with a small, controlled group. +- **Test** functionality and user experience across supported platforms. +- **Maintain** a rollback plan to quickly respond to any issues. +- **Enforce** the policy broadly once validated and stable. + +## License Requirements + +- P2 License + +## Learn More + +- [Token Protection in Microsoft Entra Conditional Access](https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-token-protection){:target="_blank"} + +
+ +--- diff --git a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/User-Risk.md b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/User-Risk.md index 53821f0..61901f1 100644 --- a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/User-Risk.md +++ b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/User-Risk.md @@ -1,7 +1,30 @@ -**Name**: -**Description**: -**Why It's Important**: -**Recommendations**: -**License Requirements**: -**Learn More**: -**Disclaimer**: \ No newline at end of file +# User Risk + +## Description + +This policy blocks access to Entra ID for users who are flagged with any level of user risk—low, medium, or high—as determined by Microsoft Entra ID’s risk detection engine. It’s designed to protect privileged access by preventing authentication from accounts that may be compromised. + +## Why It's Important + +This policy blocks privileged access for accounts flagged with user risk, helping SHIELD prevent compromised identities from authenticating and protecting sensitive operations. + +## Recommendations + +- **Communicate** the policy change and how user risk affects access. +- **Stage** the rollout with a pilot group and exclude critical accounts. +- **Test** risk detection accuracy and user impact. +- **Maintain** a rollback plan for rapid response to issues. +- **Enforce** the policy broadly after successful validation. + +## License Requirements + +- Microsoft Entra ID P2 +- Microsoft Defender for Cloud Apps + +## Learn More + +- [User risk detections](https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#user-risk-detections){:target="_blank"} + +
+ +--- From 4495f3cf8c0acc7c8021c448e8fcc6a8f25f7482 Mon Sep 17 00:00:00 2001 From: jtdauria-shi Date: Fri, 12 Dec 2025 10:42:31 -0500 Subject: [PATCH 05/15] Updated licenses requirements for user risk and sign-in risk --- .../Architecture/Conditional-Access/Privileged/Sign-In-Risk.md | 3 +-- .../Architecture/Conditional-Access/Privileged/User-Risk.md | 3 +-- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Sign-In-Risk.md b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Sign-In-Risk.md index 3601ede..d1f0f84 100644 --- a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Sign-In-Risk.md +++ b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Sign-In-Risk.md @@ -18,8 +18,7 @@ This policy blocks risky sign-ins for privileged users, allowing SHIELD to preve ## License Requirements -- Microsoft Entra ID P2 -- Microsoft Defender for Cloud Apps +- Microsoft Entra ID P2 and a standalone license for Microsoft Defender for Cloud Apps ## Learn More diff --git a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/User-Risk.md b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/User-Risk.md index 61901f1..e4bf22d 100644 --- a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/User-Risk.md +++ b/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/User-Risk.md @@ -18,8 +18,7 @@ This policy blocks privileged access for accounts flagged with user risk, helpin ## License Requirements -- Microsoft Entra ID P2 -- Microsoft Defender for Cloud Apps +- Microsoft Entra ID P2 and a standalone license for Microsoft Defender for Cloud Apps ## Learn More From 757ab418a0a030bb1bf2cf3510f4b8b947badebc Mon Sep 17 00:00:00 2001 
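Review bot: Disable-CA-Resilience-Downgrade.md tells readers to rely on break-glass accounts, in its Description and again in the first Recommendations bullet, but gives no pointer to where that procedure is documented. Link "break-glass accounts" to SHIELD/Reference/Break-Glass-Overview.md, the page PATCH 01 added to the nav. The sibling pages' Stage bullet says "exclude critical accounts" without ever defining the term; if those are the same accounts, say so and link them the same way.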
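Review bot: Sentence-ending punctuation is missing in OS-Enforcement.md: the Description reads "authenticate to Entra ID It blocks access", and the last Recommendations bullet ("Enforce the policy broadly after successful validation") drops the period that every sibling page has. The Description in Privileged/Compliance.md ("before they can access any cloud applications") ends without a period as well.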
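Review bot: The License Requirements entry in Token-Binding.md, "- P2 License", does not name the product, while every other page in this patch writes "Microsoft Entra ID P1" or "Microsoft Entra ID P2". Spell it out the same way so the reader does not have to guess which P2 license is meant.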
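Review bot: The merged bullet in Sign-In-Risk.md and User-Risk.md ("Microsoft Entra ID P2 and a standalone license for Microsoft Defender for Cloud Apps") breaks the one-license-per-bullet layout used on the other policy pages, and neither page says what the policy needs Defender for Cloud Apps for: the Description and the Learn More link on each page only refer to Entra ID risk detection. Keep two bullets, put the "standalone license" qualifier on the second, and add a sentence or link that explains the dependency.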
From: jtdauria-shi Date: Thu, 8 Jan 2026 14:50:49 -0500 Subject: [PATCH 06/15] Added Content to Break Glass Overview and Restructured Folders --- .../Conditional-Access}/Compliance.md | 0 .../Conditional-Access}/Location.md | 0 .../Enterprise/Conditional-Access}/MDCA.md | 0 .../Enterprise/Conditional-Access}/MFA.md | 0 .../Authentication-Methods.md | 0 .../Conditional-Access}/Block-Non-Priv.md | 0 .../Conditional-Access}/Compliance.md | 0 .../Disable-CA-Resilience-Downgrade.md | 0 .../Hardware-Enforcement.md | 0 .../Conditional-Access}/Join-Type.md | 0 .../Conditional-Access}/Legacy-Auth.md | 0 .../Conditional-Access}/Location.md | 0 .../Privileged/Conditional-Access}/MFA.md | 0 .../Conditional-Access}/OS-Enforcement.md | 0 .../Session-Persistence.md | 0 .../Conditional-Access}/Sign-In-Risk.md | 0 .../Conditional-Access}/Token-Binding.md | 0 .../Conditional-Access}/User-Risk.md | 0 docs/SHIELD/Reference/Break-Glass-Overview.md | 83 ++++++++++++++++++- mkdocs.yml | 40 ++++----- 20 files changed, 102 insertions(+), 21 deletions(-) rename docs/SHIELD/Deploy/Reference/Architecture/{Conditional-Access/Enterprise => SHIELD/Enterprise/Conditional-Access}/Compliance.md (100%) rename docs/SHIELD/Deploy/Reference/Architecture/{Conditional-Access/Enterprise => SHIELD/Enterprise/Conditional-Access}/Location.md (100%) rename docs/SHIELD/Deploy/Reference/Architecture/{Conditional-Access/Enterprise => SHIELD/Enterprise/Conditional-Access}/MDCA.md (100%) rename docs/SHIELD/Deploy/Reference/Architecture/{Conditional-Access/Enterprise => SHIELD/Enterprise/Conditional-Access}/MFA.md (100%) rename docs/SHIELD/Deploy/Reference/Architecture/{Conditional-Access/Privileged => SHIELD/Privileged/Conditional-Access}/Authentication-Methods.md (100%) rename docs/SHIELD/Deploy/Reference/Architecture/{Conditional-Access/Privileged => SHIELD/Privileged/Conditional-Access}/Block-Non-Priv.md (100%) rename docs/SHIELD/Deploy/Reference/Architecture/{Conditional-Access/Privileged => 
SHIELD/Privileged/Conditional-Access}/Compliance.md (100%) rename docs/SHIELD/Deploy/Reference/Architecture/{Conditional-Access/Privileged => SHIELD/Privileged/Conditional-Access}/Disable-CA-Resilience-Downgrade.md (100%) rename docs/SHIELD/Deploy/Reference/Architecture/{Conditional-Access/Privileged => SHIELD/Privileged/Conditional-Access}/Hardware-Enforcement.md (100%) rename docs/SHIELD/Deploy/Reference/Architecture/{Conditional-Access/Privileged => SHIELD/Privileged/Conditional-Access}/Join-Type.md (100%) rename docs/SHIELD/Deploy/Reference/Architecture/{Conditional-Access/Privileged => SHIELD/Privileged/Conditional-Access}/Legacy-Auth.md (100%) rename docs/SHIELD/Deploy/Reference/Architecture/{Conditional-Access/Privileged => SHIELD/Privileged/Conditional-Access}/Location.md (100%) rename docs/SHIELD/Deploy/Reference/Architecture/{Conditional-Access/Privileged => SHIELD/Privileged/Conditional-Access}/MFA.md (100%) rename docs/SHIELD/Deploy/Reference/Architecture/{Conditional-Access/Privileged => SHIELD/Privileged/Conditional-Access}/OS-Enforcement.md (100%) rename docs/SHIELD/Deploy/Reference/Architecture/{Conditional-Access/Privileged => SHIELD/Privileged/Conditional-Access}/Session-Persistence.md (100%) rename docs/SHIELD/Deploy/Reference/Architecture/{Conditional-Access/Privileged => SHIELD/Privileged/Conditional-Access}/Sign-In-Risk.md (100%) rename docs/SHIELD/Deploy/Reference/Architecture/{Conditional-Access/Privileged => SHIELD/Privileged/Conditional-Access}/Token-Binding.md (100%) rename docs/SHIELD/Deploy/Reference/Architecture/{Conditional-Access/Privileged => SHIELD/Privileged/Conditional-Access}/User-Risk.md (100%) 
diff --git a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Enterprise/Compliance.md b/docs/SHIELD/Deploy/Reference/Architecture/SHIELD/Enterprise/Conditional-Access/Compliance.md similarity index 100% rename from docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Enterprise/Compliance.md rename to docs/SHIELD/Deploy/Reference/Architecture/SHIELD/Enterprise/Conditional-Access/Compliance.md diff --git a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Enterprise/Location.md b/docs/SHIELD/Deploy/Reference/Architecture/SHIELD/Enterprise/Conditional-Access/Location.md similarity index 100% rename from docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Enterprise/Location.md rename to docs/SHIELD/Deploy/Reference/Architecture/SHIELD/Enterprise/Conditional-Access/Location.md diff --git a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Enterprise/MDCA.md b/docs/SHIELD/Deploy/Reference/Architecture/SHIELD/Enterprise/Conditional-Access/MDCA.md similarity index 100% rename from docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Enterprise/MDCA.md rename to docs/SHIELD/Deploy/Reference/Architecture/SHIELD/Enterprise/Conditional-Access/MDCA.md diff --git a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Enterprise/MFA.md b/docs/SHIELD/Deploy/Reference/Architecture/SHIELD/Enterprise/Conditional-Access/MFA.md similarity index 100% rename from docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Enterprise/MFA.md rename to docs/SHIELD/Deploy/Reference/Architecture/SHIELD/Enterprise/Conditional-Access/MFA.md 
diff --git a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Authentication-Methods.md b/docs/SHIELD/Deploy/Reference/Architecture/SHIELD/Privileged/Conditional-Access/Authentication-Methods.md similarity index 100% rename from docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Authentication-Methods.md rename to docs/SHIELD/Deploy/Reference/Architecture/SHIELD/Privileged/Conditional-Access/Authentication-Methods.md diff --git a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Block-Non-Priv.md b/docs/SHIELD/Deploy/Reference/Architecture/SHIELD/Privileged/Conditional-Access/Block-Non-Priv.md similarity index 100% rename from docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Block-Non-Priv.md rename to docs/SHIELD/Deploy/Reference/Architecture/SHIELD/Privileged/Conditional-Access/Block-Non-Priv.md diff --git a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Compliance.md b/docs/SHIELD/Deploy/Reference/Architecture/SHIELD/Privileged/Conditional-Access/Compliance.md similarity index 100% rename from docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Compliance.md rename to docs/SHIELD/Deploy/Reference/Architecture/SHIELD/Privileged/Conditional-Access/Compliance.md diff --git a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Disable-CA-Resilience-Downgrade.md b/docs/SHIELD/Deploy/Reference/Architecture/SHIELD/Privileged/Conditional-Access/Disable-CA-Resilience-Downgrade.md similarity index 100% rename from docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Disable-CA-Resilience-Downgrade.md rename to docs/SHIELD/Deploy/Reference/Architecture/SHIELD/Privileged/Conditional-Access/Disable-CA-Resilience-Downgrade.md 
diff --git a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Hardware-Enforcement.md b/docs/SHIELD/Deploy/Reference/Architecture/SHIELD/Privileged/Conditional-Access/Hardware-Enforcement.md similarity index 100% rename from docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Hardware-Enforcement.md rename to docs/SHIELD/Deploy/Reference/Architecture/SHIELD/Privileged/Conditional-Access/Hardware-Enforcement.md diff --git a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Join-Type.md b/docs/SHIELD/Deploy/Reference/Architecture/SHIELD/Privileged/Conditional-Access/Join-Type.md similarity index 100% rename from docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Join-Type.md rename to docs/SHIELD/Deploy/Reference/Architecture/SHIELD/Privileged/Conditional-Access/Join-Type.md diff --git a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Legacy-Auth.md b/docs/SHIELD/Deploy/Reference/Architecture/SHIELD/Privileged/Conditional-Access/Legacy-Auth.md similarity index 100% rename from docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Legacy-Auth.md rename to docs/SHIELD/Deploy/Reference/Architecture/SHIELD/Privileged/Conditional-Access/Legacy-Auth.md diff --git a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Location.md b/docs/SHIELD/Deploy/Reference/Architecture/SHIELD/Privileged/Conditional-Access/Location.md similarity index 100% rename from docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Location.md rename to docs/SHIELD/Deploy/Reference/Architecture/SHIELD/Privileged/Conditional-Access/Location.md 
diff --git a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/MFA.md b/docs/SHIELD/Deploy/Reference/Architecture/SHIELD/Privileged/Conditional-Access/MFA.md similarity index 100% rename from docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/MFA.md rename to docs/SHIELD/Deploy/Reference/Architecture/SHIELD/Privileged/Conditional-Access/MFA.md diff --git a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/OS-Enforcement.md b/docs/SHIELD/Deploy/Reference/Architecture/SHIELD/Privileged/Conditional-Access/OS-Enforcement.md similarity index 100% rename from docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/OS-Enforcement.md rename to docs/SHIELD/Deploy/Reference/Architecture/SHIELD/Privileged/Conditional-Access/OS-Enforcement.md diff --git a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Session-Persistence.md b/docs/SHIELD/Deploy/Reference/Architecture/SHIELD/Privileged/Conditional-Access/Session-Persistence.md similarity index 100% rename from docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Session-Persistence.md rename to docs/SHIELD/Deploy/Reference/Architecture/SHIELD/Privileged/Conditional-Access/Session-Persistence.md diff --git a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Sign-In-Risk.md b/docs/SHIELD/Deploy/Reference/Architecture/SHIELD/Privileged/Conditional-Access/Sign-In-Risk.md similarity index 100% rename from docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Sign-In-Risk.md rename to docs/SHIELD/Deploy/Reference/Architecture/SHIELD/Privileged/Conditional-Access/Sign-In-Risk.md 
diff --git a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Token-Binding.md b/docs/SHIELD/Deploy/Reference/Architecture/SHIELD/Privileged/Conditional-Access/Token-Binding.md similarity index 100% rename from docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Token-Binding.md rename to docs/SHIELD/Deploy/Reference/Architecture/SHIELD/Privileged/Conditional-Access/Token-Binding.md diff --git a/docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/User-Risk.md b/docs/SHIELD/Deploy/Reference/Architecture/SHIELD/Privileged/Conditional-Access/User-Risk.md similarity index 100% rename from docs/SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/User-Risk.md rename to docs/SHIELD/Deploy/Reference/Architecture/SHIELD/Privileged/Conditional-Access/User-Risk.md diff --git a/docs/SHIELD/Reference/Break-Glass-Overview.md b/docs/SHIELD/Reference/Break-Glass-Overview.md index 50b3cd6..9b382ea 100644 --- a/docs/SHIELD/Reference/Break-Glass-Overview.md +++ b/docs/SHIELD/Reference/Break-Glass-Overview.md 
@@ -1,5 +1,84 @@ # Break Glass Account Overview -🚧 This section is coming soon. +## Overview -Break Glass documentation will be published here once it is finalized! \ No newline at end of file +A break glass account, or [emergency access account](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/security-emergency-access){:target="_blank"}, is a highly privileged, unlicensed, emergency access mechanism used to regain access to critical resources that can be used to recover systems. Typically, when standard administrative accounts are unavailable, due to outages, conditional access misconfiguration, Multi-Factor Authentication (MFA) failures, or account lockouts. + +--- + +## Getting Started + + +It is strongly recommended to maintain two break glass accounts. One account is designated as the primary and the other as a backup. This provides a fail-safe mechanism should the primary account be inaccessible for any reason. + +- Break glass accounts need to be excluded from all security controls. +- These accounts must retain full functionality at all times. Any restrictions could lead to critical outages and operational disruptions. +- Be sure to test the account login immediately after creation to ensure validity. + +--- + +## Storage Methods + +### Offline Physical Storage + +A break glass packet should be enclosed in a sealed, tamper-evident, waterproof container stored in a physically secured location such as a company safe, safe deposit box, or vault. + +#### Break Glass Packet + +Each break glass packet should include two of the following printed out: + +- Account username and password +- Detailed login instructions including the specific account to access such as "entra.microsoft.com", "portal.azure.com", "admin.microsoft.com". +- Two FIDO2 keys (YubiKeys are recommended); one primary and one backup in case the primary key breaks. Both break glass accounts should be stored on each security key. 
+ - **Note**: Multi-Factor Authentication (MFA) is mandatory, even for emergency access accounts. + - PINs for FIDO2 (Fast IDentity Online 2) pins need to be randomly generated and included on the papers. For more information about FIDO2, see [What is FIDO2?](https://www.microsoft.com/en-us/security/business/security-101/what-is-fido2?msockid=0ab1f8f5d40c6fac3a72ee5cd5e96e90){:target="_blank"} + - **Note**: You can have multiple FIDO2 credentials stored on a single security key. + +#### Passwords + +- Passwords must be a minimum of 32 characters; 64 characters are recommended, although the longer the password the better. +The password should not be human generated. It must be completely randomly generated by a credential vaulting solution and set on the account. +- Passwords should be printed using a monospaced typeface, such as Consolas. + - This prevents confusing similar-looking characters such as the numeral zero (0) and the uppercase letter 'O', as well as the numeral one (1), lowercase 'L' (l) and uppercase 'i' (I). Since the passwords are long, it is easy to input the wrong character and not know where you made the mistake. +- Passwords must be changed immediately after every usage session (after emergency is resolved). + +#### Printing + +- Use a Secure Printer + - Print passwords only on a printer that does not store printed materials. + - Most multi-function printers (MFPs) have internal storage that retains print jobs in plain text. + - If using an MFP, remove and securely erase the hard drive after printing. +- Ensure Privacy During Printing + - Confirm that no security cameras are directed toward the printer. + - Cameras can capture printed content, and anyone with access to footage could obtain privileged credentials. + - Ensure that unauthorized personnel are not present during printing. + - Ensure that people are not present with Eidetic (photographic) memory/total recall or are familiar with fast memorization techniques. 
+- Print and Store Copies + - Print two copies of the packet for each break glass storage location. + - Store the copies inverted relative to each other to minimize the impact of water damage. + - If water damage occurs, it typically affects only part of the packet, allowing reconstruction from unaffected sections. + - If you do not have a secondary location, consider using a safe deposit box. +- Maintain Redundancy + - Keep two complete sets in each location to ensure availability if one set is damaged. + +--- + +## Additional Considerations + +### Auditing + +Break glass accounts should be monitored and audited as much as possible. It is essential to track all activities associated with these accounts, as they operate without restrictions. + +- Break glass accounts should not be excluded from auditing controls. + + +### Notifications + +Notifications must be set up inside of the security information and event management (SIEM) solution of your choice to ensure timely alerts. Notifications should include phone calls, emails, and text messages sent to everyone in the chain, especially the person in charge of information technology, such as the Chief Information Officer (CIO), Chief Information Security Officer (CISO), Director of Information Technology (IT), or equivalent. All security personnel must be alerted if there is: + +- Any successful sign-in from a break glass account +- Any password reset or modification + +**Note**: Notifications may take up to 5 minutes after authentication, due to limitation in log analytics if using Microsoft Sentinel. + +--- \ No newline at end of file diff --git a/mkdocs.yml b/mkdocs.yml index 763f8dc..57fbaa7 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
@@ -156,27 +156,29 @@ nav: - Reference: - Reference: SHIELD/Deploy/Reference/index.md - Architecture: - - Conditional Access: + - SHIELD: - Enterprise: - - Compliance: SHIELD/Deploy/Reference/Architecture/Conditional-Access/Enterprise/Compliance.md - - Location: SHIELD/Deploy/Reference/Architecture/Conditional-Access/Enterprise/Location.md - - Microsoft Defender for Cloud Applications (MDCA): SHIELD/Deploy/Reference/Architecture/Conditional-Access/Enterprise/MDCA.md - - Multi-Factor Authentication (MFA): SHIELD/Deploy/Reference/Architecture/Conditional-Access/Enterprise/MFA.md + - Conditional Access: + - Compliance: SHIELD/Deploy/Reference/Architecture/SHIELD/Enterprise/Conditional-Access/Compliance.md + - Location: SHIELD/Deploy/Reference/Architecture/SHIELD/Enterprise/Conditional-Access/Location.md + - Microsoft Defender for Cloud Applications (MDCA): SHIELD/Deploy/Reference/Architecture/SHIELD/Enterprise/Conditional-Access/MDCA.md + - Multi-Factor Authentication (MFA): SHIELD/Deploy/Reference/Architecture/SHIELD/Enterprise/Conditional-Access/MFA.md - Privileged: - - Authentication Methods: SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Authentication-Methods.md - - Block Non-Privileged: SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Block-Non-Priv.md - - Compliance: SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Compliance.md - - Disable Conditional Access Resilience Downgrade: SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Disable-CA-Resilience-Downgrade.md - - Hardware Enforcement: SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Hardware-Enforcement.md - - Join Type: SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Join-Type.md - - Legacy Authentication: SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Legacy-Auth.md - - Location: SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Location.md - - Multi-Factor 
Authentication (MFA): SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/MFA.md - - Operating System Enforcement: SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/OS-Enforcement.md - - Session Persistence: SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Session-Persistence.md - - Sign-in Risk: SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Sign-In-Risk.md - - Token Binding: SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/Token-Binding.md - - User Risk: SHIELD/Deploy/Reference/Architecture/Conditional-Access/Privileged/User-Risk.md + - Conditional Access: + - Authentication Methods: SHIELD/Deploy/Reference/Architecture/SHIELD/Privileged/Conditional-Access/Authentication-Methods.md + - Block Non-Privileged: SHIELD/Deploy/Reference/Architecture/SHIELD/Privileged/Conditional-Access/Block-Non-Priv.md + - Compliance: SHIELD/Deploy/Reference/Architecture/SHIELD/Privileged/Conditional-Access/Compliance.md + - Disable Conditional Access Resilience Downgrade: SHIELD/Deploy/Reference/Architecture/SHIELD/Privileged/Conditional-Access/Disable-CA-Resilience-Downgrade.md + - Hardware Enforcement: SHIELD/Deploy/Reference/Architecture/SHIELD/Privileged/Conditional-Access/Hardware-Enforcement.md + - Join Type: SHIELD/Deploy/Reference/Architecture/SHIELD/Privileged/Conditional-Access/Join-Type.md + - Legacy Authentication: SHIELD/Deploy/Reference/Architecture/SHIELD/Privileged/Conditional-Access/Legacy-Auth.md + - Location: SHIELD/Deploy/Reference/Architecture/SHIELD/Privileged/Conditional-Access/Location.md + - Multi-Factor Authentication (MFA): SHIELD/Deploy/Reference/Architecture/SHIELD/Privileged/Conditional-Access/MFA.md + - Operating System Enforcement: SHIELD/Deploy/Reference/Architecture/SHIELD/Privileged/Conditional-Access/OS-Enforcement.md + - Session Persistence: SHIELD/Deploy/Reference/Architecture/SHIELD/Privileged/Conditional-Access/Session-Persistence.md + - Sign-in Risk: 
SHIELD/Deploy/Reference/Architecture/SHIELD/Privileged/Conditional-Access/Sign-In-Risk.md + - Token Binding: SHIELD/Deploy/Reference/Architecture/SHIELD/Privileged/Conditional-Access/Token-Binding.md + - User Risk: SHIELD/Deploy/Reference/Architecture/SHIELD/Privileged/Conditional-Access/User-Risk.md - Troubleshooting: SHIELD/Deploy/Troubleshooting.md - Defend: From 41241122f19daf03856aadb600edb9d827e58bd9 Mon Sep 17 00:00:00 2001 From: jtdauria-shi Date: Thu, 8 Jan 2026 17:00:24 -0500 Subject: [PATCH 07/15] Added SHIELD Installation and Update Suggestions from Copilot --- .../Conditional-Access/Compliance.md | 2 +- .../Authentication-Methods.md | 2 +- .../Conditional-Access/Compliance.md | 2 +- .../Conditional-Access/OS-Enforcement.md | 4 +- docs/SHIELD/Discover/Installation.md | 110 ++++++++++++++++++ .../azure_cost_estimation_table.jpg | Bin 0 -> 62335 bytes .../shield_discover_module_data_flow.jpg | Bin 0 -> 51608 bytes docs/SHIELD/Reference/Break-Glass-Overview.md | 4 +- mkdocs.yml | 3 +- 9 files changed, 119 insertions(+), 8 deletions(-) create mode 100644 docs/SHIELD/Discover/Installation.md create mode 100644 docs/SHIELD/Discover/assets/images/screenshots/azure_cost_estimation_table.jpg create mode 100644 docs/SHIELD/Discover/assets/images/screenshots/shield_discover_module_data_flow.jpg diff --git a/docs/SHIELD/Deploy/Reference/Architecture/SHIELD/Enterprise/Conditional-Access/Compliance.md b/docs/SHIELD/Deploy/Reference/Architecture/SHIELD/Enterprise/Conditional-Access/Compliance.md index 998e2ef..b69bfb1 100644 --- a/docs/SHIELD/Deploy/Reference/Architecture/SHIELD/Enterprise/Conditional-Access/Compliance.md +++ b/docs/SHIELD/Deploy/Reference/Architecture/SHIELD/Enterprise/Conditional-Access/Compliance.md 
@@ -8,7 +8,7 @@ This policy enforces that enterprise-class users must authenticate using a devic Requiring compliant devices ensures that only endpoints with approved configurations, security controls, and health status can access corporate resources. This policy helps prevent access from unmanaged or misconfigured devices, reducing the risk of data leakage, malware propagation, and unauthorized access. It supports a zero-trust model by validating device posture before granting access. -## Recommendations: +## Recommendations - **Communicate** the requirement for compliant devices and provide remediation guidance. - **Stage** the rollout with a pilot group and exclude critical accounts. diff --git a/docs/SHIELD/Deploy/Reference/Architecture/SHIELD/Privileged/Conditional-Access/Authentication-Methods.md b/docs/SHIELD/Deploy/Reference/Architecture/SHIELD/Privileged/Conditional-Access/Authentication-Methods.md index fb19959..8ada825 100644 --- a/docs/SHIELD/Deploy/Reference/Architecture/SHIELD/Privileged/Conditional-Access/Authentication-Methods.md +++ b/docs/SHIELD/Deploy/Reference/Architecture/SHIELD/Privileged/Conditional-Access/Authentication-Methods.md @@ -2,7 +2,7 @@ ## Description -This policy enforces a specific set of acceptable authentication methods Entra ID sign-in, based on authentication strength. Only users in the included groups can authenticate, and only if they use approved authentication methods. +This policy enforces a specific set of acceptable authentication methods for Entra ID sign-in, based on authentication strength. Only users in the included groups can authenticate, and only if they use approved authentication methods. ## Why It's Important diff --git a/docs/SHIELD/Deploy/Reference/Architecture/SHIELD/Privileged/Conditional-Access/Compliance.md b/docs/SHIELD/Deploy/Reference/Architecture/SHIELD/Privileged/Conditional-Access/Compliance.md index f46e61e..32ce73a 100644 
--- a/docs/SHIELD/Deploy/Reference/Architecture/SHIELD/Privileged/Conditional-Access/Compliance.md +++ b/docs/SHIELD/Deploy/Reference/Architecture/SHIELD/Privileged/Conditional-Access/Compliance.md @@ -2,7 +2,7 @@ ## Description -This policy enforces that privileged devices must be compliant with their Intune compliance policies before they can access any cloud applications +This policy enforces that privileged devices must be compliant with their Intune compliance policies before they can access any cloud applications. ## Why It's Important diff --git a/docs/SHIELD/Deploy/Reference/Architecture/SHIELD/Privileged/Conditional-Access/OS-Enforcement.md b/docs/SHIELD/Deploy/Reference/Architecture/SHIELD/Privileged/Conditional-Access/OS-Enforcement.md index d02c753..29dc392 100644 --- a/docs/SHIELD/Deploy/Reference/Architecture/SHIELD/Privileged/Conditional-Access/OS-Enforcement.md +++ b/docs/SHIELD/Deploy/Reference/Architecture/SHIELD/Privileged/Conditional-Access/OS-Enforcement.md @@ -2,7 +2,7 @@ ## Description -This policy ensures that only devices running Windows are allowed to authenticate to Entra ID It blocks access from all other operating systems, helping enforce a standardized and secure platform for privileged access. +This policy ensures that only devices running Windows are allowed to authenticate to Entra ID. It blocks access from all other operating systems, helping enforce a standardized and secure platform for privileged access. ## Why It's Important @@ -14,7 +14,7 @@ This policy restricts privileged access to Windows devices only, enabling SHIELD - **Stage** the rollout with a pilot group and exclude critical accounts. - **Test** platform access behavior and validate exclusions. - **Maintain** a rollback plan for operational continuity. -- **Enforce** the policy broadly after successful validation +- **Enforce** the policy broadly after successful validation. ## License Requirements 
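Review bot: In docs/SHIELD/Reference/Break-Glass-Overview.md (the `@@ -1,5 +1,84 @@` hunk), the Getting Started bullet "Break glass accounts need to be excluded from all security controls" contradicts two later lines of the same file: the note that "Multi-Factor Authentication (MFA) is mandatory, even for emergency access accounts" and the Auditing bullet that these accounts "should not be excluded from auditing controls". Name the controls that are actually excluded instead of "all security controls", so a reader does not also exempt the accounts from MFA, logging or alerting. Also in this hunk: "Each break glass packet should include two of the following printed out" reads as "pick any two of the three items" and the list includes FIDO2 keys, which cannot be printed; the line "The password should not be human generated." has no list marker, unlike its neighbours under Passwords; and the "What is FIDO2?" link carries a `?msockid=...` query string that should be dropped before publishing.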
diff --git a/docs/SHIELD/Discover/Installation.md b/docs/SHIELD/Discover/Installation.md new file mode 100644 index 0000000..a55ed2a --- /dev/null +++ b/docs/SHIELD/Discover/Installation.md 
@@ -0,0 +1,110 @@ +# Overview and Installation Requirements + +!!! info "Security Considerations" + While this application requires sensitive permissions to conduct the automated scan, by self-hosting the application, SHI does not represent a supply chain risk or path to compromise a customer environment via the SHIELD platform, as there is no control maintained beyond the initial point of installation. All code being run to conduct the automated discovery is available for code & security reviews prior to engagement upon request. Permissions exist for both the user initiating the report & the application itself. Code review is available upon request. + +## Overview + +This application is a self-hosted application that exists in the customer tenant on an Azure App Service, collecting and processing the requisite data only within the customer tenant before provided abstracted & fully anonymized data results back to SHI for reporting. All requirements can be set up by the delivery team or customer prior to engagement. 
+ +--- + +## Requirements + +- New Azure Subscription +(SHIELD Installer will handle below, not required by customer if using Installer) +- Powershell: + - Latest [v7](https://learn.microsoft.com/en-us/powershell/scripting/install/installing-powershell){:target="_blank"} installed (ideally from the [Microsoft Store](https://www.microsoft.com/store/productId/9MZ1SNWT0N5D?ocid=pdpshare){:target="_blank"}) + - Modules: [Az](https://www.powershellgallery.com/packages/Az){:target="_blank"}, [Microsoft.Graph.Beta](https://www.powershellgallery.com/packages/Microsoft.Graph.Beta){:target="_blank"} + - Scripts: [Grant-MIGraphPermission](https://www.powershellgallery.com/packages/Grant-MIGraphPermission){:target="_blank"} +- Blank Azure App Service (Web App) + - OS: Linux + - Minimum SKU: P0v4 + - Runtime Stack: Node 24 LTS + - Resource Group Name: SHIELD + - Azure Cost Estimate associated: + +![Azure Cost Estimation Table](/SHIELD/Discover/assets/images/screenshots/azure_cost_estimation_table.jpg) + +- Permissions + - The User logging in to SHIELD: Discover requires either Global Admin or the following: + - Global Reader + - Security Administrator + - User Administrator + - **The service principal (System Assigned Managed identity is recommended) must be granted**: + - `Owner` for the Azure Subscription assigned to app + - `AppRoleAssignment.ReadWrite.All` + - `Application.ReadWrite.All` + - Additional permissions will be self-assigned by the app to save time and begin data collection, the extent of which can be found [here](https://docs.shilab.com/SHIELD/Prerequisites/Required-Graph-API-Permissions/){:target="_blank"}. 
+- **Network Inspection excluded for Microsoft Traffic** + - According to [Microsoft Documentation](http://aka.ms/pnc){:target="_blank"}, Traffic Inspection of any kind via a tool like Palo, Zscaler, or nginx (caching) violates Microsoft’s Terms & Conditions (as well as each major cloud provider) as traffic that was decrypted and is heading to Microsoft is indistinguishable from man in the middle attacks. + - As a result, all traffic inspected is promptly dropped by Microsoft. As we rely on Azure Networking for SHIELD to run, this prevents SHIELD from functioning. + - Please validate that **ALL** Microsoft traffic is excluded from any form of Network Inspection: this is a requirement for SHIELD to function, as it is against Microsoft’s terms and conditions. + +--- + +## Data Security + +### SHI Lab Azure Architecture + +- Regulatory compliance standards: [https://servicetrust.microsoft.com/](https://servicetrust.microsoft.com/){:target="_blank"} +- Encryption at rest (mandatory) +- Encryption in transit (mandatory) + - Quantum resistant algorithms only + - Latest TLS version for resource only +- CRUD Audit + - SQL Audit is enabled too +- Access Audit (Mandatory) +- Full micro-segmentation (address/port enforcement for all resources) +- Data-store behind API, no internet access +- SSO Access Only (no cred vaulting workarounds, pure modern SSO, credential-less only) +- MFA for all authentication is mandatory +- Human-free production-only design + - Access to the Production environment is limited to only highly critical incidents. 
+- Debug access is severely limited +- No Operating Systems + - Pure Serverless + - Always up to date + - No custom execution except for designed workload (no viruses possible) + - No update downtime + - Vulnerability patching done before public announcement of vulnerability + - Self-healing + +### Miscellaneous Considerations + +- No customer data is used in any environment except for production +- Environment is only production only, reducing surface area of attack + - No dev or test environments + - Prod only via ring deployment and feature flags +- All tooling can run locally so that no production access is required for testing, development and debugging +- No on-premise systems, all resources are cloud only including end user compute/systems +- Hardware supply chain is strictly enforced +- Surface devices are only allowed at all levels of end user compute +- Firmware credentials are set to cert auth on all endpoints +- Device source code available for review: [https://microsoft.github.io/mu/](https://microsoft.github.io/mu/){:target="_blank"} + +--- + +## Data Structure + +### High-level Data Flow Diagram + +SHIELD: Discover does not collect PII or similar data – it is only focused on the scope of configurations within the Microsoft security stack, and not on any private employee or customer data. Specifics on what data collected is listed in the next section. +As a self-hosted application, data collected lives in the customer environment until it is anonymized and sent to SHIELD’s database via the Data Gateway. The Data Gateway structure is available to review upon request. 
+ +![SHIELD Discover Module Data Flow](/SHIELD/Discover/assets/images/screenshots/shield_discover_module_data_flow.jpg) + +### Example Data Structure & Output + +SHIELD Discover collects the following data: + +- Tenant ID +- Principal ID that saved the report +- Principal ID that ran the report +- Principle Object ID + - Assigned License – The Service Plan IDs of the license(s) that are assigned (direct or indirect) to the specific principal + - Assigned Services – The service configuration assignment determining ‘benefitting’ from a service. This includes the service configuration type if possible (feature, such as ‘Conditional Access,’ a service within the Entra ID license) + - Consumed Services – Usage telemetry retrieved to indicate if the specific principal is consuming/using the service, regardless of license status + + +For a complete look at the Data Structure, please refer to the below block or utilize [SwaggerEditor](https://editor-next.swagger.io/){:target="_blank"} for rendering. \ No newline at end of file 
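Review bot: The "Security Considerations" admonition at the top of docs/SHIELD/Discover/Installation.md says there is "no control maintained beyond the initial point of installation", but the Permissions list in the same hunk grants the service principal `Owner` on the subscription plus `AppRoleAssignment.ReadWrite.All` and `Application.ReadWrite.All`, and adds that "Additional permissions will be self-assigned by the app". An identity that can assign app roles to itself holds a standing tenant-wide privilege, so the page should say how long these grants are needed, whether they can be removed once setup completes, and where the self-assigned permissions are logged. In the same hunk, the Overview promises "fully anonymized data results" while the collected-data list includes Tenant ID and Principal IDs, which are identifiers; the closing sentence refers to "the below block" but the file ends there; `http://aka.ms/pnc` should use `https://`; and "Principle Object ID" should read "Principal Object ID".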
diff --git a/docs/SHIELD/Discover/assets/images/screenshots/azure_cost_estimation_table.jpg b/docs/SHIELD/Discover/assets/images/screenshots/azure_cost_estimation_table.jpg new file mode 100644 index 0000000000000000000000000000000000000000..bf95752383600316e284a68554b0afdb5b9829dc GIT binary patch literal 62335
z)wf*~*r@Wp8+3`dj%$^R)8@P20`1r(9~p}8xcrbdS#A$rJ5I^&g~LyY9kXZ~Dd&5+ zhJ|4#C$dg2{5Ww^5L?E&pOfEL9_JnFQA;B+KHNvf{fB15`V9&d2>p--Z^LQpJP$Bc?({Rwf}AbE(Cu5dN6U=J#ovV!Uft$Xf6$3Q z(R~V40UqcgB}yD>#&W-q$1uf&8dqoZbzYb1Vy#!rhhk@px;s^20G{#Zex187_( z^pe@6CQ_<1>LqTiU14#F%E`ib-Y3S9&hrIke2&{vN37a4NN)K~uKHQCyaZk{ccCvZ z_A#js4RM~EkaVtRN1J}fH!!MDbz1Y8(N5|2;rZ8f9~Pe>r*vZy`*n4Ou=~UD1gP_( zLou|OH0=L7Xp);rG5ECqAN}jY(RG|VBADp@JX3qI>e3#lww#*;8Xa#_9U3$1 zy*}~aH(7l?Z%u|q>U!Z3XiD=d0+crN2(~#xaY`~(GnBLY@Oe(>xeV`aUT3YHW3|md zpH8F#Qt~D!bhRK+x1*hcD|`}5Qt4S#Z{S2g#Pk|Yl*tQQH@jWnxH z6*afsJ%qzoIKrITSd`T)%BoM-W@VvZT&HXT5Nn_FZC>ApM@K$X@D*)_m*miJa|+Lz z{KOya2jffOUF{KB!|DU4XDAubebW@>m==uj|5%&HMGpz2SRPKn6kVlwh+7zjaMgfs zPm`Flr3QK?n(C1?*Ce|fSaE%5&mmGJ`PSIUQIg!(Z3akSpb+}vqe0I$*7hE(y&p_! z>g6r(;5rnAZ!FCY1Y@zaw+7NopjuT-#9{}Vlb80iRq=*DJv(aBPKgzpAtEDdgRxZ%qi=K8PjX;m=Ym{*WTrGd3giLegWj`Lf zO=i3l3a(XZk4ACWT^KItLm*YBmFfIJkvIzf8(cqZ4<6xE8DNrlpvxikTmq`D0~=_ZTIDG@*^bvCSe0)n)tSzW$e2kQVn?a+}7!7BWy=_@x9?H zPO?+W&ek$Bh$}b}9JeAr+^G9E#XI5It#JNz&O?kUed0sf4N$&wA13wnHb$^QvjCPi z)SMtmv!A!$AbP&368N-CeB{Rzox%;ixrA?Z-(Np zU~lH-Rd8?VdeDEfq~KST7lUqQzkeDsU(7DJqG7LQf6Jk&?DM@nocPkRB9DLXdG3AoUtxGie*Av# z`+dK|XMpU~Y{Qxco)&10$&CkF53BR$a!P?#L2zTEN%$y?-Y^iR-AYS_vy5d(2Pi@; z$2FsDoYT*kwm$0i*ttzMD^+T-1ub(g5_(IywjKXO>|y;JATmjvv@@qC^P4Kl$n-o<1W8 zx!U-*I1fsShEUt#JR$cI=xC4fhH;zY1Mmu5(`MqZdDiE@3zY?jLr6(K(H0VFWB_F; zO)=B!no?Q~UwW@$R4jy}#h-`fx+EHTzdxpB3+&=ymytG<3*ph5H#U^JEBnbc?O|cOwv2>OR>_rt3N#X?!}FJSahwMTOdOF!HyS$uBK7^myeu2G-a%fLu0%XA_*RhaYiDq-VszKB zR2~J~zW02L@tz>Vnw!ZqU1{Iap%io7J z8#BQ5;S18gbo=-Y6F-?mniT{sxW#!am#t@+r0)U*&^%=wZVmYeRDfv3WiTw}i0j6@ z7?$zOP$7rH3&}n$1XPUjLVhKHtTP}CZq2-J(6U*M1(SH%(lB3N@GcVtBr23=*;aro z7Nz$gU3eM}aNYbqkDQ}lg%o$6Zfxma97v+^r+XuW+P`Lv9_PIYeJUD6{)HQv@FubB z&rX^U=QRz~^dd_h!Il{!x*7s+O^UA0bA;)YJ2zt84|N|N;P=N6O)xDU$P%Pw6xDM3 zx2nxE7|-ZrnUYZTk#bec4>F3+E`2)&c&F*D?sm@v>a3kX{oXACki}n}!cbK=QpgNt zx6jv_QckX&;OabW)kL^MpHm%P{4Me3MuZL0)QVHwvh=_29amL0`Af(4A_{@F{wSw` 
z747O@cU(WFr)8pe;Wp|Eiu7y`RaUVF5XQBP$^E&$a9?pk585`Lj~Nt$07#=g{LNQ9e$V>k>7nx(wKLHIw#GX>2G5=0K_)?*LvM=2&XOq5U*1B z#>fH*M`41P_U*=N44s5R7(!)A9ifgP9#6Px0)L_2CF{8U_b0Cy&;M95QtWK3wuP;W z!A4yoo3o%9clSCRxRAbWbkkBmzL?^S3(QU5l2V8FUm5A&ng08LGBk1|r*%;b(wZ24 zgs~Xu8I7x<7O)^#t9?-EDVF=JzqNRvK@cMe0(FQnj)Ku%gYL-&em|?l{t*x_`k85B z>IBa7CT(Ae*))eO_BPs2&o(hu8UhrsHKLlk^{-pA5CtkhyYZ|Qyy!S`v@o7gU~rv^LLQXs0B|gSJvQm5>wrN%J&YaH_UR?&a&zLrFtvF*S&@% z>d|989_?oy^7`3GQ5|9?`AF;n@*_)xqzP)^Z&1HxGTZI`%(p!+*||#_C!%XHudpu4 zDu7L~imr;W-~U8r6;n?ZOjJ%q<_FV_&qJ{~*>5Rvw}FJ8CXP`W>hZoT;ogbRr*RC* z%^Q(qfm$~V%cY$mrl&Y(D}-rwiPB9ECF|>Jcia)Y0>#<|llgAgA?SwUD&sQJ7Oa&h z#VUCFXC<7hIO&3TXGFZkWTnz^S3_1QGh+fn5Ar1q4-99iyBC zuy+|gzH)z^7|#xvy#rE0E+7t#5io+YmTCFkn5o;5@(#?2+yKg&RXA70@U;IqtJseS zwS~!MAR$TY1sbp$)csdHP@jd9{L%IKeQ@^LiM6PKErF(;AhfEOyIy#}cct<|g7C?T zkcgYeVK}9=f|;u}h(IIhs{PMZIQRFtcgMdb@Fb?XZ6zSHReR3>NiC?&@-k!fvDWad zHIEB*0AW9PVgW@(po|#9vUM21ZMe0Kz3H*>&dJXC7qu+>GyCbhR1$Bl{7mL%l~|w6 zF@ZHot+!laIGNkR|EPag@lik7XHV28Qe*mIk(9tg3OzQ`M7J#WmNXQP4mWdkh3ST^ z;j8<|f%k$B_RUV%B9Hn#rY<^NX`n$P_pJ-1cen^clTY~#>^#)9aOj#q z`U8kYB@Orbho6;Y?WF9$s4H2w20p4l9qO6ZCLe1ztl&^1WhTja{^wAsqTNz-sQZUH z_4|qorQ2_87jKA**vBw#jS`J5l@K^N-ulD!HFf;D$NUk@#Ei+ z6Hr%8-x-cwYTeW0v-kd>#}(%3(^a1L#YSD?LQvyrd2Vw%DzlI zD&Dszz=99m2qD6!x40rza1~ACF;C2C@B+A~^vm;&mO{Ok7>EkY3P96CPJuNq>ZV49 z5ov|6=FK(_cA{5HaE+C$Xnjw8Ry>Hg*LEE?AFxNXG$M!PXEo0sM9!jQ6Uz|rw8Ds%pCNIU4dVSP2os6Lo2m*~Bw2Dl$NV_fZD9};sw5AHVNvP;;h z?LN$M{%e3Z>BWtrb%Fsl0`RDh$V2#_mHqlrS*sV;vNjquz`k9|c-eR?%CL-Bx3%AI~%uI6G{T_;dB)h&0m{+R_C+#_%QMsZsd21_+6U+jwPq ztRlYkgrhuu|0+RN4YDuyX+26+%dSd5n2&1#NqOrS{8L&)b`#IjWf1gV1hkKW_}AsC zwQnKj-s;}Dmwlt?hRn!IKbxFl-t%2Rj7xuN^g#HanXM;hm_D|dvx8`p0`oUhll>n$ z@P5;Od=vxPGNITekjTR68f&>Kts&r3Q6KvbHU^tt6!lA8O&ACZ@OLH~Jx?IIwFV;> zC|3iNzb%yeJOzr9zJ6> z-ZZ_*0MX+jhiF;>cHx(ogMoIxq!q~aa`ZnN{2J7dYNV#G)5dGIO89o@91eA=4 zAeY{@RJx75o}n%7c8lFf!5voj)tr)3jvRZ@@05depJH5yl7h1^A@(e&m4k+#W099x zBpgO9)4rbXMzHG^Fh5lYqS|$#MBUiZo{u??%X8wC%t`{$noOGjys9F^wNVkRU+11g zX-*=7vnirfEqk7WXm;GJ*{plJeaZu6dB^k49m&1+38y=jT_k 
zR}X%P4dAyvipCyaK=FVoDEk0J(?pX`DSXjQqHF2pBx2aZ%sBh!`qK+lUYa{Bvy^{F z8zH~c|3vLM424^yJ~dg__Ie*eIGU1FDKt20&A~gU1<%TCi=T4~@34Eyx&k0|x2H*ZYf`tI%;D%-pIxg~QmV z#&W)kzq(bvy)5~ROyeN{R1!*-i)=O$U}i4jYF`N)N;M80@>L8A(b*S#N^?K%?1G8% zlG}#6>4||=P{m28r~*tU)dm8f_CIi`;R&P?v4Lo+0E-yLK5YEcWVh$z+utlj+czo| zM&^+u+_ywYAmO&p|KzXR=uM8RsR)0n`v z!Qr&RcTG?#oIP|i(dQ=t#jzgW{$i(iS2pivkVv{LIFPtb#L<426(;xe{Z6EQk5W(+;3f_L??+)wnW0vO7)rLShIQ8nF(j@<(oW ziYz8q0rQAx+Gv4ZJhl|3y<)sOC%c%w?^2kTo_Ms^X(6_2v~8vY)Di3%fd+F9hzA`Z z?RfGHR1)@${-}8Up?YdDKeoEIG9!bb_F`W}dXxN5XzVU3O>ok4=k&0CPBy7l>HEQK zOrI^c%pJBLkx#EhNB|Bf6DT5A(hm^zIkpH!vSujjVA zEpjs=;`M?j3?~XR%BeV0{(>&VP3d=qnG#hu+K%hzmX!IC^>Q3cOtO4Z&u$4g|N1=< zI_MEex{fpiRhj|?rtfBHPbO)HjdxiMz7IrLQu?zLX{PO6mhtAfoj-msBLIMxD_fHI z!7T2g@3pL1_NRuEIBTeGxCzTn=UA@BpWCA?XU$vWj<)E$?y#c5$t3+5R>c5>d6pu` zX3Y(ROJ^2aBfkHgE!&q!D-rI`r^wumMbT{gEEa-~xqOv@=*We(KDgrhsyB(_nzvzpNOK`|R?wXA1 zaqkQd-Iqsxo5vrn2F-c99KI__u-|yMmbIm|Nz`bfJLdf|c`sD5uOfN2Y;nI~>9nCo z1qGC;g~}Df%j({!IE{xU57Z=dD?L>>fgshZt#-+rhfTBLYv@jt=9~Vb$GfNJC>Z~G zy}R}%#ZTJ#Cuq8-s!_jrv^V08b-SdB+4EosA}E$Pffk!hCzh9Ey|3Hg zRVp4Y4Ez(wZPZU?NhOI}SmFN*pmXFa_ywYyRV7p!kc0jR?1Rh0c0BdAxR-r*4}iq? 
z8;>LLd?Dlz)be*7?tgd<_Aa;-pL4nei^`Z*-ki^IiuB)=>(Sj7a_qE$k-$vJGJ{{z z2%oT*8vJ^09PX_ZWKzQt?o}&QX@;*) z-S#`>+dJrp(f*aC8A%`}l!Svb((QR|@iGrW`m@`#Mvr_r^o|3ayu{uVIbD0NcCN2cCRal89IWq)j@zLq#GSK`%;cr71o>842 za&Zl^Q(PIGMqwynJ1_(551Y3$IQ!G*JItSln?qc=(v@;*Ckisva>HhfMS@(@LR6)f z0@1R97MuOSY!w6+`WhDDPD?p!x~e>8?H0dJ*lIFJl4U9Spe(Z)lr=dv`w7a1?4+JS zteUXX#9ViEzHM#zD`HSjM^boHB7KCts}E##jI~noK8<s(TsEa$`CQjKW zoblszEabr_R&HB5D|m`B_X(+>b_4r~9+;H}-Xh|4Zz-cWgRRXjHTHvC3uM4Vz3eIO zkl~Q=el6@0bsHF>r#9Dn@-Ec%eHGE;cJjcfM<#H6@e2ageVzBVrNe?N+LX~&nJ5O9 z)!L*hhN<%l@FO7|WV++zyLhyYujjr5HL^u&)I~3nSka$N4nzneL1x#SeF$XmhJH)1 z(Ljr3EN)Ze9LZwxm-`#`cnwY7Kh+E5_mN-H&eev2(<6$F2f7O{aAA_aE1vVeDL!YgN-;WqL1~n%|a4ZQXvKhf@53yJ3<{4sN@(=7O9*3Iv5%GMe5S z5a#@x;^Y5`#GGvRoFOtdtxtP=j}`;rkM}fum$1~QzWAmssJOyDn4Qy+LCZDeqhw02 zS|^0S{a6Lg%cjCBUMa*(wnwUPZO8H#C7k@>jvu*Y8d??Z6t(97;N9tlIiP;hY$qBm z;5BOWueCz6=p=h;-g`>1Vn#9F@Lr}Lz@>g14!k*R-d2ceau8-Q9!fKT%9t@A*3=o3 zYdHFVJ%e$&XX-2Pl&zr2!?;&`_JF1RMJ%n_w$q&&Aoe8c_59Hepuh_@-LLz_CY2~KI42txArEqVi=Y#SRp&yOLfH~-MhEcb2H=V zkBYW{i`@!xF4|)p`N(eAPAKYlKkW?d;(3S>(wjic;HQW>mfaPX=@`$`YVywKl#7yu3Cu9c{r4esT1QP>FOYt`_$?yifMB?_2~jZJLIb!Sr>JqT zR5ns7>tqXg?k1X^^xxMyvCjui8QztfTfhBpf^lwc%wJt}^r`Ak*O)&9`b$Q(5X&emyo+@fq#`SBjCXr9BQy zZ_Zu#mVG7XgV|3WXyf|4DZt$OmF%qvx;Z4w#jW-6eek-^zOu2rCE?!pYGiwP1AB-< zr(LQQL~Toiyjp39*I<4xnDf?x2k}A>xml(zjW3eTN+&;<9dv9={8ufskCcd|!$gsn zmR_TGWDT)Wo9tiHD?%pM`Pez`U-a!+cOp(o*BXI*VG36e30pmZEoeb)Htf0Fq@!A? 
z^MMuB>9Vkv5g%n^C`gc~^Av|+)Ut7@59obXb8tJR_+$+1F(J3!MVi-;S(W(4{8h1= zv9u4<_c2{Z-d3O@R#_=CwRN@ISJylWVj>4>O3>vKe5 zq02e#BD>@y)jQ}PfWcIfQM8E7GBXT97*Llu3ZE~suOXer3sspu7&rZtfqu4>TayiW zPUj(s&@u{T$P%b^GprlFP~=?L)0x0UTRwf?9-Z{*ft`Y_hD?r3&zY({Y<`VI)Mg<+ zhhPaB2h%#=gX=j&#(^N&4p)9(JVoH86AalXaJGV&N!T_1XN_vqMeu$W{-M2f%`cPA zWL)14W?3`5ei1kcUoor@^TGkTc2D=*0-VG0!cp-hj-Tkd|O-5m?@0!+XnNyo_xd=K;}wn1o#i zB&z9OsEgTh)fL!kzBSHY5Zt@**patl12dS>k%yXFR>{`hIAbF?NyI{(fjJ zSu`hr_U_baN=UaGbUl4SJ#1?}0!;qT(&(QBhGv}MO>zY&OgizH6jF-WC; zk|9t_Z(x2}(OkgWouv4?oc3dvDt&TOSy1iG3@zBWCf!kq%qWe2H7d%6Kt9RpdS zSDjO=@(7(5$tL6Yvt=fq$?znQk{qGjH++sxyH48M3{zJlpVjXb8w=h6$}E79O@lKs z4!nzZ@IACM8mGt7z%dn5rf=?OC9@Rgasx@RlMt zfX}TyvHfL)#MYP_=C^*ytjmc^rd$ zWHUgi5fFaK=hd48)_fo%*YsC{K5T?N4X#EQxX=w6G6xrunqZtT-DN81XFPk%Q|D&D z6z)K5zpic^-?)*lK!Pf%FRmw7WC?K#2v0JZnOAA(xSV(6n%K zumO(kq5LraL%qc!47VteK;pW3_60D`*Ua@Wo+sfp0CkMu!GSURdl~umsbRadDpJ)x z{j{f`qh@pgKMs;iuyi(p!eRp^@xEZzy=8{>#Hs{hm;1?8D-D}8j(6TW=iZfJ+bO?X z-?i{rpWcfPHpdut+tMakV3o#2=|0qfIaHwZ+yP-Hf}KU@_cS^7UukD$qPRX`lgUF3%OJxaMAv5@)N1Y8&B4jwk9djb046t&>-qc#=#9|9 z)>h<3{+k5EjwwubHO{FHC6n!jc~IN2Yi=vh*3`PJa7AfTVi*42J6TT5cJ+8wKDIcEVh_(d%S z$DnZxh!zX@xl37Q8ZZ|zb$i2d!SJHsxoA!HgAQT|Jg(|drj;V`xNL@yRJp4aSZ#p% zqQ)8*UGKAqWbUBc|A=LpCNUt~h=k9-4zk{_zz_roWglm&7iph@BUb$oRU@cI)$|E< zKk0oyC`nB+m=j{haaCz-1^Y5`<(qlS^#St6y#dk0DDIEQPW=FtrYd{&FPeX#+k1p; z0h~{LR+Wb1aqBsZ4Oo9*C25m0cPP_3mc}sR``^?%moiNqsLz!1xU~~0s^*N+`pl8S z4Mo##ED>UQhoFs);tQya(^+Ov_Apwx;QO!Kzy`uVkUU=PT;U5PWRaw6^0^! 
zl&Og3Y>U17p}-+wnr*+^qAUX`yzBo9gF*=OlC%SgqO%OzoZ50>mgMr&BTb7S>#lVG z6Fb29!-1|l0tc{fhAhQwmM!uMxEuhTz8x&yR}sCObFXDR+~8VWih&ILsNeV&WFF9E zt^k|F&o`9-N(!uqXe{^n4)oC_{h&=uIQocq6}3JdcCp^}_7H8e$Lq_?x41C>PlZu# z75DwzD#zV^D%YD#63!fF{gN4Uc6{hNG!@!@_Qt` zmZ3jdZ~18h233p6iHlh1tW7n?hz%&;)Me|JC>Wn{Y0n_&jo_)4;?R*5887}??XJ2?n7?UiKb@kx z9=5MrFqo+Y7AEuc@D86q&9&M6y&g=0Lz5ly3+|hUkc3?sl}8cqce1K=g1$N-9l~RR zp*yDuC8RU@pMK?pkoUVCD8p`zO%A+qL7;cdob@nE>;a}6|6te&+0v)HxZ5W#j| zSN^iR1fs9!4w}%Nk#f=V?;=S5`Rm_QoG<}zw zx?39Us6r2=X@-?(^3>F^OPq_z-vNbY+rjWV{-)e>HVsD*?X$IP&<~K@TJt<>R`{vm zOqB+iu5jo;qaUj!s&pMK=B=cf_mtyBlnN+`y=V)=nfgADfaPEcW0&GgSA0sGVvbk- z9#rs7n(c~MEc$sy_myou;bo{k4xlX5`GkKk zEDJ8S?DOzV{lUKoxA#UzF$Aj{lAtxvdJB`v~sx;?~vm^<(0y0 z;Y8F{Wye?77|JulX?F~2Gl^a zPjr%#5m(9I4TUmnCE@|r)a>5!mYC~s)Jxq5vq4rS-vxKJcu7ENGu8far^j~y)`YbW z^E(GWD6IZcDnJN#Z&ungk-QZ97Ihg3?&c@nyi;pAQJ;iSil&1UU!5cl?_Z#0;`csr z{5D&$EN8kb`s|x=|MPv?q*$2-%AQ#$7f2*Lf?2}Ozps%XOy)dX3ETUqp?hbA2k&ix zF6b|9*L?(P&jtMV10p=BFu37nNK)-CuJYE3|Giz?Fggr-p0i`f$j{W$&-Abp@Xee{ zT^kdTvf%<_j}!oX%u+mTnt&Y89rKI*2W#rOw= z5Nn0N+3;BEAC%YQe5ZWGLS!RmMBm#V42>k(`L7=K3mN6fQ- zU_t!@MB)EcX8r%k=T^G37JK&lpemvliRnIYMCSai(&P|F4FTwTq6F|eWSN(wQj}#j z>+3MQ{5Bi!9e2&g=E2*T^FL0OyU!@II%xdr`_=8H*Pl| zBHfsc=h6lxBTmV%T+82f;_OKNp%C48<31GB9+)9Uq&10+`5M!YrNv(*?PSi5h;Fy|chy-T-P1mTT`GW8zW9ZP_AB|=Eh(u@zpuB}-*;7bc8B0m?-f2Fce>7p z$sH*eF)bILfHeV|zi#rLJN|b`6wahsdj@@6Mr$wpaU{No*(@k)DQtd!*bZ>?`b=D*Ty6 zd~%)aY*uI@X!Sg+I*`87SZ=^N24MScN&y+3ig+fj8?u^ z^GP3K?Iiyzb?Zfblb*G=>6=>IIIs$=^G&$_<4TuD zbX7YXsY@9(BoE0PNZH39dBc8F)>0f5mad@=IZkl`X#!zx$t!3!xT{u{j|1zB9)wVRGeYMgqbH;y$U0Dc;#VMcj$wylq#|8PMNC(Y!Nb zr9rY9$ja9ShTHo&#lI>Q31;!X3974uIePV$18hkbOs^{MQ zSq|Yn(+{XEu9Si{zXcsRQ!s+lZd;lT)(nR^A*kUq2+Llnp=r}N`Rhgp9Wzuau3v|-J2cj%N=T*>6*SfHdg2p*g4eKL|20(Yz??3z z{__4A{*Ua9RxXcZJg5`M;7$-4%=%(-J{K5Jw=70@-%)QV4hZ?F9SIq@!DO z1iz2aOMYAOtJgsdErFqzHHEX(-STW;r#p!aI7U#;}K@u10yxghYIo4Lu46zhJ!_?^rKjEW)LurU2E(I#JwC-cq( zwlyy~`oV+x9v!Sd>SK&MCc*tmQ15iglv0nPMsw$69d?fR=?1pZD4W8(@p2>%jLdj0h^b*RDccdXWZteCx8{H%$FwYTq|x+B4_n+z 
zDCn4JFoISk4FsnCZQY^m>yIvMZ+lVsQBC?U2HyrSTCj(7N}<0I`;IGw#CR8;_7`H=~E`J1sl3iSDCLL zVr2WAx=^}z7`16HYpgI~4tpg?TYpg8;Z}v5lWo_6MH~~&UjgL?XdD|+=?$?W68MiO)h*)0`5sqD8$EjRh z+B$R&COz9P?7aTD%+Xz0YyAE_VhwcR&@9nPn)qX7Wtl!hOw~3oF!w&8EkCI)c*<2T zljyX0Jii3%6Um`oZj~w>Xzg$T^T7ZIf$o?*IevWJvu}P?rYL0IJo_|2VuHeRyU0uf zCvG6!AJs;7CpZw-%A9%U6hG94eUC3o5^MVdu8DQuOquM*$&q&^Wy{H-Lt*DF?V-!z z*&%(3E)QQ+Q2i`nWL9U;_|@n_VfwtTw^U)*Te5q%VXN^`rMA9R%NCj1b%HL(;WHot zDV3FMMQ&3Pl*P9T?6GaqJ7BrJ;`mSl7;?VUnQ$O0yG-!HKpmQ`Ep^qTnsBu&-SC|c zmeN?3&PKMo%~lhWBWVq?)afANvt7as1Cz3iJ2Mj|h1L`G`>Ooz^1)CJbV_S@E-!T$ z$crGZuW!W3sa2M_9yzq9;X5uj_1ovml=zJg`o=f*BKM00BLvQKs?gq|<26fj4Y*nt zk025}IGp}_$CL8q5ep+YIpMcCGq6m&Jh{bNs|mPP$8W&Iq4y+B3A4oa?{Xg@4$rW( z1QDaDnxD;f=|oyWX|vCqjBZ+F zhn8IYjsTt%@&_u1{cSsC#tHS?tY`)}^3-o9*1 za=);Mx@dBX*5xyzp@P!Eam_aib!v#PMameIyf@S?Io51i0_B|2>M&sVTK%p*vZ$wDmvpQ>HJOq$+n(?X zfH`AsS+0aK3Wp&&mXdn7x~6A)Ev2xz-lcH7bgYw@OidJZxHlP?GX~Ch@u$%BWPF00 zWqDYA9tu6!>n>0n>cqLXzNl!7$V){0p+|{g`n&k+Kpp;UhawDxeM|__HB)0^yk77& z=iP|dLQ6P8RUT1upXJ1~VmpaG`xSxx5pN<$wPO)A`d!8j`UnM}5|lu~?xHs_>lo>p zOg@_7r2g}uX^THbzfvig1;f$65dg_duvmtuRH5X)8UoOyj}jc~YzQIA9?^yi+Ts@y zX;m}*RU~FW&wRl03Gt7;v?>oT+#oL5AMuA+P%leq7!H8GsFsl2K1M%bW z<@~0I{2#0QL2;O)^DrZEfAa~Xl#O{Izg7z~sm}QRU%VxitnDvq_k+0PO)08F8Ghmu{=Y#gRFL?YOJ9ZuXGMhV|}1W2ZHgbO-4CUQW<|3)LJ|ZzZ|TDjdNB z32m+l5jWl2@+w0x@jFH~>k6ob_{R`iorTNbf7ZP-)fcCS1$9Seh580WNHyQwYh3`r z$sTaz-Fgk7ip{A{a5m&*A}c1SFt!FvyT{J$JwJAR&(f*XD`LYTy@{xWC$(CWa>F6P z5W;f2*r{iyKOFd&hU#hyMkB)*-f;_LnOr(1PHIdNjXs0pg_i~Di_rz}Q*m|Yur0r6 zh+;0JJzhihI0NO#+3RU%w|BT4C0$j|aOM#T%vJtwN+$NbhbYs{&EdrR;30l`$Md4HvHonEygx%f zn8oMXb^t^)hu?^tl?%j3*A|7g0rypWemAzYO)q9pjrvJpt?X)H|F5-_?-7>dgSiJG z8ldYrJy7I_2J_G4ZFwY{K^V+OZmmHzNw;X;m+HS8*LjMHS+o>UPgP9)wPGn@M)aWa znpV#RXaSFL*^+l^L*HWUqUALoKgC@lTv(-X8Xi0m>?Jg;&T8iwfoAVkHS8JRsUBK- z+a-jseFfnfTh{uZ*+IXUIsjv# zGzS-aFxz{}@`wMZLS%p4hjb+s3d4I8-AGvYq`hqcYG9i48PN)!Mqr=@lmn=g3W0ty zya*&;rR?YJ#3|T1DEDwD#{$-b{psK&g<{>}-c7Ur@(`W>!K@v(1DaLrPxCn?50%+X 
zn6`Dj*ZfdHIhmjG(=nB){bA@88XO${iahYoWa(4hi&nKKT_W8nbkV>3M)gCbxgzOl z5nN%OcH>~(Wpw9={+u>P()!V_X z#2=y_1xz#4E2}iC_GO0~Z~1&zW^5Lyr%Uni(F5hiKs>rnp0GEV3fj^5|+ZUOQ|$t_EFOM9C??zW3WU1zBfKJ z%+_Y5Klf?DVy^a&#i+NSgZ`M&5q}`b2q^E{miFmX+2=ocopNSf z(hyD!nj!RN(r}AugNCT3d(<(s?3!_}BXH`(mjT7cm~6vJK7ByXV$P6xwhb48A%sF` z9~Kfy;A~k%(rc7K1jK-3#BU+w#=Drg z(A-NYCOW|OuA89RY3`i$#$=3!=KRnybyRMU(8CmYjFAQS=_i8aga){}c=Aboj!fH_ z*A?dH#*0SCD ze4-S`jei9@TgmCz;~`UeWG0x`7rX|>9BCcb^g4og2IyLccc??ni~v##;J z)Spk;qj)=YKXd(o8k%~G(@6^4!%> zpmHdbvV3xiYgcgeo;EpBFUIKe#!%M$&0fvHJGbR8#G~4`HXr!cD-65P;Y^?DU9c(a$NR zzqh}C5I1!#$2jt{s6A}+`X$Yf<&f|)(mrf3jC5h&wb$Cocli_1Baa>>m{fE)PYK#? z|9<57A4Tqe`uS3!4?%7I1h>v3zjt0~t}MI^oJY@DjI;;}8H2R1x|0lRc$StB@t`_C zhgf>Ho@^g?Gmf`~%MHuOEBpHZ;s5N_W~6{ot!lFH4=Om!cvjWeTw^Q=ruLrGCKl+G zL_r&SIsn4+GKx5tC1eGf$Q z={L(+>yPjF>95UQKelDuxv&E;$^-n)giMMEhT_1w+xT;TF>Q###B>8C#jK5YiogCc zwlc?XkW>NuJP;d!ZBY?-S5Q* zqz3TmZJ>3%-Pts?gUNkoVRp9jc-(xbuNP4?Ew7X4$m2Fifh{K|ukT({lJyF`cKpJL z4O@Fyj>LucHI=INoq+KbCBYkZ%fnEk3BSN5AfN6gg8ZGU6x{_?OCTl(mPyzTW`$2 zQKne=&xzxI_C0*-51Qq4g?~s~JoAOeXIqMt($J*UOjpl-oGza;_J4meTg~Z6I;55q zh&cW)V%@zSM1+WA;!bmdILLW3_kT1k`rrOK$WNECQ{r{Jdrr(8bLUv>t{)J$e~x)1 z;xPb5+P3$WMaqBnpZ=%6dti(@QKg=~i3GR2>2%~L)AR7!~=R8?@_}?lebXj zAQBGw<1_^qhsBCef#qI{->N6R4!(LIj^3s(j#6(|_Wr7N&?c!ZuaLi%3)b$D`;!{> z_5H=)saHmKV{U)?I4?5kEs)q?kwl&a&%C>~)YOEub1=p>vl&2%_k098HZEhuPT2uB zumrCIp_v5Rum@v;WG;ayUzmKPp|vnUzkbz0jZV7 zP?BQ#?Xp2qmQa6G+JS4UE~<$OsWZG{G|Su*6K4CBb{czsOPjO&wT(A|fe=}8On*vU z>79XgpXz(Y?3f4HdX^0N9x#1FjYU&RFsX4M@8_tefoH__Ey_3DY|VSVxWx6j5X5UH_fw<1AWaB|hE&`6?nie;|1c-&izA&$v5`Tdw%*TET%Jh~@_TuX)r>W& z+K~L<>(jS7+4*v76@hTSqmJ*P_GGGm1+azj9GenyV19_=lBx}#9PtRBK2ucb@U#C+ ztjT+E|4q^&$*Yq1arEh%7ALF zF3C`_+j^oVW?a7}8Z>8au(~BeqLsh)YEr?J^4v_E2{9jv=Rl6KrStB;w5v_B{phs= zPpkJ>G}P&S6tv77ysxLNRGx-9Z=WD-Y`_qrnE|Eyz5Y6BEOH%0=);d~R|>8sKPbFH z+eq~y*@dg0UoQ`R3neK7$|o`T1j74fO{{;ypckrRHgJj8WwOOB15p#zy!k>);@9|0 z`~&}zarI!F7;htJ|HCx7gDhs=GXBlOzfPUjD4!JHM8KL-lzrDXb$gDI^0>|_Xw}M5 
z!!AV&v`Qg#h_;vJ-48g;jOm)h21*$b-49GOS@wwj0o%B!q(#YAPK0k(7nhaeJ!PkQ z$$OY5VrB;fvdbOBJO?8yi}U$u^3mV*t&H_Map`}Roro^nG2mHozx|B#L`^fB6Cp9c z3z_%H2*^V28zJqQ_t|l4vZ^}3uBiM=yHvqdev|}5bsbxjT|sU=D_B?S>q zXf|dr7zdSJPgHJ}>vJ0T%7*?15pyHE+SSc#6G#zk2v=XY|Yo85W>Pyd2|%_9<+}T0 z;sRG7ME(k|-;mDGWd-JPt?yBH;NiT!t9bYb?!Phj=21!Kf8T#i+cafVrp{@O(!FQ z>_o;H#m3m{sMttBk@m|hH)v=cR|JG8w0~d8wM_Mo^-YlZ8#^?ird{b;Xa7AZh(_k; z03|s_Ed=gs6I+179%LcHM#(`g|E#b;MTzo+jV>dltyuR24lGh9iY)SD zE;~_z)zJnP$}QMLO+E?snYdZr{Xp$HVtfqmfU2+$@oDWTUL zG-$EV_q{P_;qN_Q7Vp$Y?v9*Aey-$b*T4N(+KkaZK^|GMZr7zV|HvaRhOC$%-+-r* z_6<0AOE~wnM_&3KZz(ViW1c_3UwqL>o`kVX%s(cwKi3XU4JrK-C-qoMB(I>0Mc?@wGFAn+L2_vW9 z*E*>$%B{$oX{241X^}CyexC@j-y?gTAn*LZ;Z=TJyqD`a(<2pxsVj_R>&A8Qw9$Gs z)uL(Sh9f0fn|Otp;IK>O42Bkq2zz)VP4C1FKaZYbxkb(Np^rVBIU!QRrNu;z*kX?q z=?{OvEbn#0I&s#%IQpYdpS;vfq4OTQsb~%@DAb6o$tksL1A%wO9n$uKJ(w!Xq_5tFfgSWM zfDB3gyeC6$d!=7yIvcUjA8Iz2H&b4&mY#w=^M~$$-?J98w%xd;zCz#pMfc9arSm7d z8G3oq!kdOu)GxA4BCH+e4d;PKPcOH-#cxM?{JE|t9;{Ta--`>0qG_T?Zr7;*fyn{j z1y4_Oz#$*Z3qp)9x}uM;j_mnY)h~2Abwy37%yy0|x|a~VpKk4Vh!?c}n2 zagzL9Elfm!W5(ijPtLWx8}o!Go4#Oj@ZAlxGuGY4L@z~YGKf+(LWRgRK~8X%wma@^ z?Ks_%ZfUcYyujJNe+I-daWuVQeexF8RdECSLBaQmwMDoxLQ*r&eK9M&0Uz?aro_x; zugu_mdB=oS8lHO}z_vxht(+DPbauKhyZfx~89bP14mdHWJh&f!ZC0as&#`^S2wF9s zhHka8zq)cRj}-eEt_3Zu2pB-X#e$rB-B2I4ou+Ab#vw$k08!J`#OT@VB!T z3_qEpdLlu)6;2L}w;hQr$h(!B#Z6M5e$L4&#p+W?K=gs_2jhj>cSx8+eChk;4rqaH z^{sWM3N1AZaymU^8WH2cVRg@;XvAOToK|-u!ehRhoSaN!8H;NfqVTd9zsS#-GW;Wy zssXfvMILkA(<2H>3uUd$!r`z)<75wBZ3s^@nnr)Hli0b~ZGW?&UFkhFnemXb-QkGb zrFrTF_F^sfk~%v!@}(dQtOS8``Kl%d1Hi-lXT_R-Rs^}h#IlD(pq^V_`G|g^d(C{$ z&0O%@=0MV52(p#VHp=!2(q^?of6mdDUTX$vwC|OT^-`eXdJRs^2-#iA1~6G+Cdp7+ zA|6Cd6<^uycP{m5sk**ZGp4Kz7jNn$^QR;?qbU|G_2J*!lA|?nuu`7tz`r4=+C^)$ zj={)H4lxo0U_d~NMd>7-T1)(zS{#pmT93gRUmZkBSEtJGt!MT}J zrMYVb-z3Odhh`t`5WcR8aVLPI*ni(}&TDS?jf z$F84m>$N9WvvPk2cCO@P_Fip&ftBLsvO(IY+#o5!h+cgRAG}tX#U_JxACc>?a#Xu0 z=q(mVi9s_MVhVXsuurb)3@~X3eHtj+$rjzv8%2J{vK}F)`u(inq&scJ{zSBrYovWX zr}es*QM@nijfg+qc5vdftJsYj7HwDwZ~XQs=*_f{c6{1&C5ihYL>SklDQbYU_y#aE 
zxBT>nO7*t@XC%5XU9^P8*GS_=@HR8JueZ|8}RHaubGxV*sTnuT;N^ z@;!oRa5fNI(Gx z_|uDnb;xU{FT@i6yEkX~QD|-$lSDeGCINb~#2)`JHah{YUu02;W^nS9QMSq))xaVG zFj=MmCzO<5GPOL<-aYWEyJ+&#p7uYNrSz;&&ULsk@ke=eP6t%v|e5pjZD9}L(y8Ac*fnb zEbN97v`I6R7f#UrGPtRD#g;}|&$TB+Vx|7g@U2?&V`f8R{e{^UTZTMX4fdBKleKsm zTUm+qQ?$2ctXCWLYWMpRD%)m$-obdulD98jKdtlr+}kH}+U3r<&?ORPG34lSb;{C= zss*#vVS@y-X0m=PSsDp=e5iK;kxyGo+qZtIrM_|~W2>a?iox_^3C4(c2Fd|U1LzVa z=?xEgU)yc`rToCw*~u@G%c9YpuCwJ}0$#uGsL7Z!0iVbUlXR`~QBV?CZe`6CA@%37 zG^JN7op1hSr8tCKew*|6#)^DuN)ORl5#0h`1C1vwo3)t~op3vy~J?JAmTEH;MuSq2H`7;Z zsGPtUfS!m~z}_ss=ivkz4V_;Lc76s3_(y?EK{*gBnx0dr&O>R`DH2TKmr@T)tJS*{ ziPM#(czh55S{KN6+2ywtow5wL0Rxr}-&Ct11MR~-qhAK`w$9I~vfLm*698e$Ecdx~ z0B+#mA*O64n7{VhSm0>uqc}00R@RZnx+hGXB{Sx@hgE0D@3=(0e^ykM0`1FlO_lYx z4q+p*Rm7h^R$L}5dXsApL^3Jwv|Shth19l0{`7RCN@hSjtI5?`K;|bE1`mzeNpOX8 z6OYN03|TkG04`3(sBB(rRG?C(L4mp@SL=oBECz_8h7i zPHKa#f<{I*mBLyaZM#%Jd(2rzE=F+XxE+^0fLYB)3OM5fW3+Z5CWieu2j3VmI?bSq zV0rUbkTQjT>&YtG*Rn7n8uJ4Cq* zmAWVpE##rn5pJTx4-)qu1O#QX$(~2oQgFxPuAG=rMXNtdH=s4NJgoHOhrV>i4q{UL z2UCvG_Ds zSXR=yNHs=>a$lxqfFn5`WvyB{opc$h!Xe+iu&ge)c3N4dRl+MLbDdRz>TL&2xL>@i z+(lB5BfZeUJb>#tgel@i)|LXXdz#u%ujC;`VW-e7Q6~Pg;w2>mOjO3BO4L6<;UnEE zeJ3&UY=RbV$h&fq5~y)gCS#US*mbVKfrOC@@;5E80&k? 
z-zo=QHjTv}Q%s55+bBjMv3DW!c27IA`=tyoPIa!S_Yfyz>k>LATD6d`(uEqF8|3$^ z#OB7Uv|FU;=A50z=U~Y0xzU?i6`4Kw6c(zmO|Nh`STXM7(c5J`Q*-1l&pzTa$>Z~T zVal3Fy}wNi1tYTb+?iMTJXGSaw!KC>C9v)OO(chBnRlyq(TLtq+AwAFlqc!ux}LRJ zFGQ_3QlG!E7allN*OJAbF?&}t>MLrke-0}hr~fg--l@L$3bMy4ZXvczEaRS^cZoJj zEbQw=$4Ep~%yXhf&zmz#*pKSSk?yTiS}VEoj@md5|7_B(;Lqj8#j3CsFIC2WML5q& z@LBo!RbZN`w#V;Bu#2}qT(PKCXG4>pg<>@c(MLS4*ZgVH&0jCSl~rZAnEV)=M0f=X zDNaL6$gQv~MCZPFkzuPiPY34rvZkiqch80=`BBfj9z^o=kd1SP@n6{^j$&Qz;o2@V&PKD~8sr;Vl6trWBT& z!gcXDfOW=Kl;p>hI4s688jCC3^ovH%m8mgS7~vAO5TX`AInCs?4tsKPRfHN3T(n#E z2Ultk?IN*}I5)6gdf@3!LxyguGuA`gHw_@Dg^89`lp% zJl|xGdp=vHn4v!douvP+G+4E+O}pEDE#%_G-JS8l*RB^$KS0)R?IP|90S6k}o=_vs zNwFkG)URgmc-5cdg8m-)_x37hATs4}X1JpI${cJ(FxMyk?+szta3kjfZt5Tr0o6pZ zhjvN2hq@*0cfUZ9<;(}t88c2jK(Cim9hC|8PK7htf{|vm$@sZ%R#fD<#?KfToz`F77t|>=LY@6d%?x>DD?*MZ~j7 zn$k}TGnj9j4*3v6<=cJc_0viO?dE8qcLV;Xvz!=PRDya3u$9(AWx!Tirgbj+raM_3 zu7HgMN>^5@o#d2c^cy=f5Sm8DeGtu`y>Y} z27C+VD2G^4R@0j981D@c?D{I&d+3 z3q(!0@MiL6k4TXbl+6b!>HX>P!kd`6&JO;p1~9|$g7Q`8RBd31g8BVaFe}9c6JOvT zqV79b2`|?dv(R5&=Gcb;!tcKizt`~OfFYo0ZO%2RY@o%){@nk=^$R6p{Y;|JWB-G2vRI6z*O^f$Q?{NnTL z21U)7ed-g?RYkjN&jLsPxFWhEw__jPz=c`E$5%Pw@<9FpM!(rK`X3&I@(?X=|yL<;!m5{Bz*b$dEUe;6d>7pw-VK;jBOH;fr zCFV@@vM7@1W?4EJM%+~niM0AE%;(^$__}!019kju?(Eb#@>hs@71%|f?J*+OX=EnV zxfmK#^YjH^9FxdqBkqwzt#2!ul(@2R)eLb7pnxwKzwoz z@_VN(<4$`U@BG?txux)xmv$^Sqv{D+mOEbbwMH?bl*c+d)K_>Sd4~_}{CA1M1C%I2 zLpZmITb`?pp|H|%n_Jbvxz^OsmwDNtm9tFshH%s$1RteG4Fs-WN#T(i?!vew!`>jk zbJpV5YkDM=fs?KhNKe?uQFxmOF*fHuKA~fxdFp}DIEH9g*8&BeQ_L`~soNRGE zOTAMVhy{{K?H+Pdp#QeIT%V9j1hQ)X9%g;AK^#6uW_}2e08p6? 
zQsaP1?R@6>6;Fh6lP7ig299rr@sOD z?F1FH_mmTjWLbucY@lBI;LbE>t=jBs%>4a;QHyYYX8V>uJ>&F#n$B`^U%<5b!6cLn zC1XT1iq0mav25K=%y0_OwXa@z=t`Jw-iW znCEr%OXkhyNCRabAm3IZ7g_(Tcr2EiYnw93<53Go40p29U)W_8M5a=&OPPT8sDcKIer!xUe>jZ7sc8iq2~B~>zTWz?x?cg6uJ zMpg*mVV!<15`@0`u$ZsZ#C7T?O%g&7bCP^ zqzfNGo%l#8slQ-@d@7iS13$ue5ob2zscCCZEco3=4N0BLgnUX zs8|1fo7I=v0?>MBf$6!KnhrX{Rq39^m+EioMGT9>4DmY^Ni ziQ5y$=EhQH+|sDNW^(c?Eji_dPR1wMh)WvDO#Q2(mSom%$$o1=8d#fY`mk~3m;GWjlvD01 z*PvsXUZ*|}p%j_EiteWDUh7okW}-6pTm}CES{5iXQ^bRE zp|y6C+F8+ln`C_jI1DCKAd*euFm)5TAG+w^qzRi6fo#jzUOaXmzaTw(>Oe*R;pgVB z1Wy*r%au27v=Rfwjfl4T94SK_%<_-C8eVz)SFV9g{h3$Hzf%3DQ}?iwpeMVC$DmhY z_{uj)eYNfGTc*6U({9>SV0485jqMd>tGH5-6;xb`!NLA4=kNYL01Q;qP~B5yAb*#& z$V|o!kq>p74Nqp8a)v51&)%I32uz)MK?boWk>9Oid?47i!u8o^07}KmX!RlA$2%aR z!%JK(3ZCe_9thp>E_l1Ewk&FT>C(VglJJXh`pQN~Ko=4B$&H0s!Qg*ePkv~Y-n54D z8fU-WxLBM6b(gK7lL0r3H0&yQX2iOFDgB})M62_3m2 ze$DwSSDdjMy3EU641qdA>?6;2X(>P|Q0;Jig3B+8-9DR=1Fr_&Vy0a+ZmFB;Pz_q+ zS=|{U0%o9~JoY4G1hbhymbl-w#&0X*IyjLdB^w-_c4J?dSOE0@OPU&Ku_CslN^$rs z6ACON^qsw05gavmNZ9&!U60+?5UluPVkwIGEi0=jx4Ldl6AF)>U|%HM4@>#ZvO}2 z+s_b2bqHbpHa-~?eBo2k#HQO$C545|e_c7govQSWzFfP))3Zv61q9=ahNFhH{|Th{ zfBaK#7AZY83{N$@ku=ife?pN?vAv5pFq*A$VW%pqoNLCsC_oZF%~)s!ST2`orQ87B zx6p-@*ru_L>o-W&TM=khQ*nek=fJh1OwHJkwmXV$FPBYo6?3mi)(ZFo2ZRK_p6@$l zpmTs}8#nex<@EF#8Xp(WbY4NoXhLozUQ0UP5AfaC0%LB(J}L19ZGQYO{<|e6X~M~u z(aW3`%Q@P6jvK(b?rq!yI9>EbtR@>6BR;E~blTlFkJg;=b*{9c=DE!>DloS1=5|Ue z;{6vxKm;`mwxHp(&pd zI+Yws==96^&>y*zVkw*1p_QT_HV6 z$km+Y>c)ETScg%Nx#|RA`2%JXK)YEc;>6Spfxxu{4FF%R21@dPnKsd{@2cFa*$)4v z4hmbn(aMa0jrP|vp1e9tZfy8MKLfZ>b~Tzj(vfkt5#_ZVzQyqe;+mZdPQG=6=G6`| z3)F9eX(EgYs8}aGgk>(&RQj&)w=RLNqY$YC(Un$rD zp=c2L)GY3KeV<_Zh7#)zDy%En( z{7Pzen3I^@VZaTbjMvMF|H@W0KMUdDUV0BD*e#u->@koL2RcPW2SxWCHI_C-hRsCS zHzNIVq|v-{?B15DD>(j_)&pn2Adad5%Nu_R+tx?gOt?Sg449%4o#XBe3UYFVPO@sh zLzL&Eorj*EZW!ZdTQtxY_ycUCNv^0y+J2|#ai7Z1ZG-AyKn#3Z8< zHD#;%)MKuXBIg0E^y55yv*?QRbFWryo#qDFTA;<`ke7U>v`*R&WL;LAqWPSHnP`ps z=3A?`J6*qxOp2a;68=g}-^Z0%#|HzpqiC42fz-Rm-rrlIKscRYYs>YKI5HV;9mtrw0hVt( 
z&wbZWWpja$8KSxUgm4mebXHb3hV32EHhz z1b&;eOM#Ml7ZRQOEhD&cc3SYL&k#65(o}FL3a64b$WV2Jk~XCW7=;Ti@goO@=<;3l z7{bGUcXZBjhOyVaK94taTy+}ibjxX8mbJijjz9B7WQB+Mhl+xNfZT)1l5x+Do6Nb<4WS16yxJ@B?FRckg2YD80}AF+^wqk>iREavz%xM8t=8 zo$@=CdChfu6|sX)9xY?7Jg8qVk zqFwL-Dvc%$`i!Ok$69AKm_cm^(Qlwb=PnK9{Sfm%HY5#fNS73+jfC7OkZHb%KsQ=A zTo|4hewmDao->_Uy{FCdx-Y19-{!i;3}&Vh}^6RfN?J?kZch6f4 zhMp+MEz72&R?vP4j?T5rMDTX@&j0+U1!&vV^1m9!`sFB!n!pSnf{|vU6qhE?=bH$B zc1WdK_!y5%8%86SjP$;qEbqyi$Tu*0BK5gyC{clF)fevKMu;Fqb>GKgmW~>syrf;? z`vLoL2;3GMJ`wH_N|4Y|cKay#s+zAB`R0Kx#A_ys3XT8-fxC!PaPO1$hOm!7$0cZ; zt#hD*`+GX2{F%+PNQ8L=YKcVdRXJ?fo@ynX?p+}hX% zc1uP(rY1U#g;X5A1VUuQ)=yB}g+Y{dPb{feUloH^P0iXMWx3!;RXI)yzg0xhN9ab_ zN5IZ#xp2wdniY5T4)P^s6e|Mc*PI1>5~h~XI53c&rGPcp1Wivr@)hu>8@%}1AzKjX zenZ2oB|27Ve%EdxFfp$epK7HcMUZ_Y=(@mo02v1hkAqrOEDPiEi>ttoSpBij7d z_S0$C>IW<7p+CN?yAhGvmDiOT{kF7vhH40gyiK5n*Cxij)?X*3#RC!fJ|BkJ`Bv<+ ze;pzGR`xrb!J_R0Tx4q2%P6;=R?cs3*RU#0^Q9pdavsBn*Is7$e zGa+!XP*K`~rRF=i!F*~|4x5|JHP6sWO#D}W-)uLv@017x8aZkgl?^oahP*X0<9jf3 zdh$szyNamQZFMT_)ToIE<0qYs5P4EqTO}QOgdOK1O z-sXoG+@)BT9$A!{`oe!`xKu!sMl&fJ?kS8oYRuoXe#2UQB;6AO^KIC+=GfDGMvIt=4`;4_*;iGW7^f))p)UX{{m+_!Ge*IXeUaH$k-{UjCc~E!dqS2E!g5L$PiZ!0?=wV zoM<-4@{ngX3H58U-y!B-%?|~}__9h=PF;M^5ywV@LdF98hY;=RhN`%T)MJAq{guw0 zKUo;IOwFn}abxt8U}vB%L(wCYwa|!%=CU1Af+nYPT{k0inGmH+nJFCFo(DXV`w5x0%uJMTfI*(1XD5tDF-T&}^p_VZ+Y3 zT$S(qo<0ZBL2dV!CA8C`fDgi?BuU0SzrC4nI6CQxVZ|A`1jk=nd{R3XUDN8cmn#4E z6#;T8fEJIY4Fl^=jDf?x5sPE<{b-%5D5v>CMG;PSCF8R#5MD1~cTS(TMmou4?p zJ3OT8^va3{56D(e|=4Q-Ji5}ej5NH3PNUy0q!Jvfg% z3?-98zC4yoJG|;cekJj`JiD=QyucXnbAD}zbUfJeXvT>7wv55irt)5aGimkCOL^5ghRG@UV`RY zoqp(7+dN|r;7gtBZrD4yamJ_A7%3_`QstmN%qs96lRG6J=&e&m)w(~S_J9wU!``la z8$~jJ1d{Hpll3R>M2b`EL`9!k(z|c)|IoC#mGwb}^_Uc=Es!j1WJ4!CNo)D>!2E_p z_x;_T31fHeN^zwfu}W}0Hal%l>j3J}ai@k6r2dph{yW4xpH|En$dB560nt?jG`xr* zkvkYWSm-tpQbEG3?`PeAj6Lt^I*TsVD84#OeF9J92s|qoKu)S^TORG?J6665TRk|T zYqKz<-wfQ%DT&C94Du@Aq|PHfv!-^^rcld?HRzf{6_+SE(Va@_;NGV&&`(O#DgR8| zA*xBdgfbQT=g!nBJ_~>7t2HuuLBG!Y 
z=p*sQ?@m_kKbR8=LLfHvGk7Lj`Pl6RW3v&nR2F&{zwQauYl!z|+f89eEn2DX%aMAJ zVQQ=X1Ed|qW=@6Kpp zU_hqlsNS^1X7IO@q8N|M17F9izm{cu7+Dp7O*`-(z03dXVgCR4r$UrbV51nj2OPFL zhc!F<-q!Tp;M5P&M~!fc=IUevg>5HgX6~p-tMhN9_4R`em*mk$S?GlXKTfa37wp6} zL7iuEw2g=sQ_>JQf=DFU%RMM+Gh36N3>Qo4P`QrM+A|ZI+M{2lb{ajpgj*30b0*k6 zSfFo(ay+3s))^@`jQ9UlSFh1Oisc_=%5EB!!aBmbJY4d6#h zgDUMWL1kh$c#{o#ZzGpxF>mx7#biH9e-|Aupel3A#zjV;-fOYWV=zKWGHTGVuoYIj zm_7LhpxX=iK&D~*bkkx=OI~ZP8$A)zatm`JcRxD5iXJ{2gO0|lsrf+i6i6c|gng}t z1iN|HQ9ucFa^TdT>Y5qzhA;5uul(6jkcQSqH>cV43MFH$QIA@Gd;g;K`mWJiX`H{8 zP`3`v;6F6D`2%`ZlG;YQqu<&U?WpHJr!!xDZ3m|*{HResDt8=S`&G5K&CiE7Av9yY zs%QNR{RTgJs4^Hu|sEs4)m&fKA2)4hG4 zpsw8~*B6aF-K0&C!&j=$C^lt@k;%9hB1B4N(+$jDA@8=9@}rtL{?kj*=0uK#%QGmi zMQBtH#Z`om%yWDhil5dl4|@5#5~7>G$Wntoms6xSZadvAWc7(jjTMBk%L7C=$M?TO zH^`rZ^^Fd)t&!HvVGWifnaX-1V#Ni&-<+J(PMIwVLcGHztR>aDedyx%Spq}MOiX!$ zE%|jh`3H5l-0XIwZV8sXyRM48{?$|7Z1w;A^}ULM62+gc%Rx^X`(_81f8)=IIa=RM z(QLh%6GaOtu$4K%)Zb{UE*(gF`$aR*zai{0?uBi-B4ir))4G7tUmA0 zzNq+OG4enh_tq$=#&0T5nUm?LZ^>;_iO!mYB0@SJI0E7RYN9iMww2Drl3%;U>il2% zk=s1iJ+!c;;5z?X9Jv@1u=^Oa%u3 zA2Ti%bRf~fpBg}Jhq)gWmDExbvfL^x(s?w<_;x2MIUpxg1E6MqteomcCGrT%b7K5M z)`en1M$08^uHOAe`jyP+3#GiBH=^CmM>jM?b!Rtl5~&h%I;^ft5_rAe`n1mkP%7r& z9=a)k03$Bc7EG?KmgB8q&mDhiOkw?kvceUUA8zd$q=vTPzs;T{u%$A4+e zbyaR3jZzPgy`UU%#yU-U_Z9ANT>)A*mKHV}Q&rL$sFk5GIhyhn(!G`TuQ}V)2*tk8 z?)!`vk+uw6W?T7N1$^<*fS2bv1}M6l7%6neeR5K6N*SkyE_#t}cs;3K7wJm{N5szC zjwUH1C<*i4bNM|WC>GXWU@cNz(J7Vgt-3)>o-p$@S&wC|0E&xdA69Ihw^X;hO~FF5 zXFLXi{)@l#|KY}4YG3>vYOf5kOUq6k=0DTvN|XMJH!!=CGbG9OI025xc&$=JJqmZZ z0AvZrTS+_mSz%(%3dj$b7wD@l*X5jN4`lDoqR}pmE?r>zzLze0>XkkO7ZSD2hk2hN zxaO|MdspaAoycKcIDj&esN{8`EYAJgj>{=a{BsK1l=;12=;!fB>m}?XLZQ|i-DO&o zF+EvR&`S&KEcTeG1~+QW$pqs+`0dER#1pJM(Y z)X4$*uCMj9n5(dOF=!IW(C?@evGKz~Dl=OB-EBw1lwl%HL4SjU;koA&1`nju2tTCl zw8{^4Sv$Ai{3a%fb{Hr#EF#6wC2wZ9L`O9Au;Gbio#o;uQS{8mbtvawCxzy{z{c`i zZ>a2|=zM=C?O*oZxo*_#O7~_b`;Y1)a*1*DB}FPW*PUmGkT$%q3609RR??4=5o=dY zTt=;VroJghK5+2Tf{@xZIJ$z!$7M!$*T`<->%Sf%o~+=1Uz(&&Kpf)7TVgAJyzeG6 z*XSJwH2etEk77(p!8XP79BLspsy^e>hBt 
zBcO;c0&3RpTy9OOj14rRf_h{IeAby51H@hS-I}cfLeHqG;-M*?uQ2b$FFBs5N7gJk z$9(5cyw0QBqnqNW_L#d)I&niqDMPhrtLR5{^setL&EEn8B7w*@zY{|NFP5f)f1farcb=!^X}ruDox;Ri6h zL*!2L=o7zHk8;?CEY)%Oxl;TH&c4~Otug)?Al_XT{y1n^n@Xwf3J-7GnbKp5d2;Oz zG7&r8h(6k9P3>~}vfOK*m%5&%x{@g@z$$IHGoBD($5Y*t_W zahQ>L+h6zDscMH`0{vQ6YuPD04}70%?QdLq%?7 zqnPjLdj7IkVhf)s)yn+-SUGCPZA;BCm_Tm)QT`>Tcs!@T{BiKLdhXLhttCsR=cYaQ z^%xd)&NP6C>a(yKUxPk9_$`^kybFMq(RBS|~b13rW{n z(aC{Yb9=%5PxMDYimN;MeW9X;(_+efCw+Oq@T(pxS2r8+RTVNX^iNzK^QL-y)fb%Q zvhuRL@`-$BOn`QPsn{@)lcvTD{Y3g_1t@7o=5)BXHO8Gt1lMhd+l{^4o37%#%a<`? z%^bJLW!U!{n1Q>5Fi*YC9lPz*`2wezI&owumjSet5mtFG29**l2L zJILzjsE)D`3o{I4FM)jzO*JWFVac`Fb``1W>Ey*fDgHqTdQ8rMu4xZf!exfIj=#mt3X!1l&aD0RZ|D~L_?_vyvzgN(0-F72Xmh>oYZ z7ZIt$RlBO`3=7UDcBhgwrqE~x7ThGeyx-S2y?ufX4-6fs^mW<>ok46R_kerm?r;Kw+;{9nkc0;(ik;2ff+_Qo#2 zd9H3Xy=IVGbRgcC(Mo@Kz+(6@2)}gkD0d}x;2DGyr($5uh3!SWlFT(+{;t~gx7ABv za84!rLW6CF+)pb|pOB23SJ^6^UO#?Jk>>I{r8n6JxbxmOF!U$hgerNRzvN1U=;!c| z{qSkOGt)y2kS)FvHQbny1S*j--ln#;FGjd;7H7?)3kK@SWz2}I9PPULdi+BJA&k=M zhe=`UV+%~{8OeU!i+vH<4W|uMd3`eg89HG5nsT4H`4eFT#hw3l{*(hcrqRmGL(`h; zJi61aw6g(s{s++QmxhBdh-e|7YdJWs-O*<$j>8%G^>901y6-tjjr z400S6trVS(0aw~4@8FyR4G!byYo@ibE+zJ5+5hQuScUXVpK&`h>F9Jy!U@X%HQVDe zb&n`3Z=Sxh7IId=n*Mt8VjQ`3WEPxPrNFmyAj)c$rel$}cU33DB3`>r zZLY#Uh_uhp4S8fEI`VxLU>ms<6K)6gI-FkWJvmU*t1 zW{Rl}-VegAne!Y3T??XeyI}5U8i-5lD~K* zuf$Y~Gn%Xmm3wp=2V&QbeW~P}>&026Ihh-o6Ql;oboc>l`D}NNZfDeT0d1T6=q^^}bPwo1Myvi=F~hwyEMr3GRtl^*sm+d(%n_T` zMfX2zY?zbWm?d`GnS%b1YXfv?l#c6BTNjTTq84vZ0(2@1qRB;Vz~@m(HESksBw7ql zO;paiZS6bz@()~K;=$RG89ETuSgkZ@rF=I;kcj~ZMEZ+Lb%=W*VOkp5V1ho_1bRTY z82o*b8I}XHrcyQ#>YL9DT2@4OFKp29Z-$PA-!O2H2g8y0ZDYr%R zdCB3EFK75nr>`1WBWrGmp%S)rG+Ld#-w#;zb>8=sk4cm+_J}&+_WAn?nrz#Fy2EV0}HFyD3aVp>e=nA6NFB(TLV7X8UmhM~p zMDB8z7L@Ryca){TI9C`$z5_yaPtjt*?SsHWa;-=Ln;sEER$VtlztsQ54dnC|zfA37 z-bg`xqU&nr`F?bHlEjlH0aC=wCa1l<5mQLrarrSTW&HtmK-TArGoRiyd;wj!01faa z{Ab0ghy}>Lh!EJ8>rq+!TQ&QcV*~85d9pEO12DayesnMzhQSDHKcI1|PS^DoK4Nw* zMl{>U)nC$E0Hsfhf=!l!@u;9Sdn%?)-OMW40+AQ~2`Dv_#!wWp_dJ_Gj z)@{?c=+MZ5 
z{gyAl^%><28mT$~6L?m0ycJ-j0kecfzWRKM2fq`+fpuh~qPadk zf)Fqb9(qGFRbGK<;+WrfiQhPG8_S)}EXCHJ0Np^eypn3kC_O{{tMl(GhwY{@vet%C z`twLxLcs=w%L4;nFcfe#o?1Dey51AO#|s3SN#RGL`E!E*X>Dh3Ep)TO_HcZG>5>z^ z@u$*S?7FJ*dg>fYz}FXis?z9yO2TFwtzOE!_YB literal 0 HcmV?d00001 
diff --git a/docs/SHIELD/Discover/assets/images/screenshots/shield_discover_module_data_flow.jpg b/docs/SHIELD/Discover/assets/images/screenshots/shield_discover_module_data_flow.jpg new file mode 100644 index 0000000000000000000000000000000000000000..d2eaab8dd8fdaee8336633ba4b6b86fa078efeea GIT binary patch literal 51608
zloKBC9{}L=#EA8D9t{eLx}AtZ8==VnJ3sRt8Mjz*Sr==ydW=z)d(%Lwqs6>Q$x6)0 z^`Z%QnG26IUlAQsbNaXF@9%%IebxD4a4Rpa=vu2a+Mc7R)K6*!7wK5B>~PA2EDfsJ zyGgoatMam}iG-QAc(YDUY%M5wv38K!#pmKkR)=*s@3PcUOm3?4=1%o}pa^jzh8%F_ z*zBCwS2P&NFg^b~Y-`Vhjc?8)ai84a9Z?M3a8bYl?1LPMz3^KF4)oA(jp-BpV2H!i zP%2ZQR)iZpUG1>|ThdY?x&x(eQa9~w;oH^t{<2&~p~)e2iBNsBH=f<+rKk;& z$VP;GM>b8dxDKPq?nNEEXzo1AVN8f|ZYyBL&0(^4e8J^~x#1>|+yoJ?z?(F&a|pzK z3~N#Nw@_%6=cStL1Pc?s#v-%rzcuD{Rn*IWAvdPjel!?GO`~t~61U7_`2a32&3o?^ zDf0GRx0jBA#;8sNEcNxEy@8r~7wx zj2yDbmuKs;e(&NNp#NJH!!$eq_trKjYe(U&n zL|V~FNJ*Pug1C@1ud4q_pzU$!Wqc99>dO!k6*jdklqb+YtUYD4Q#3L$`S|@m=)V5< z)e$4%m=oSnEU477x9Mlt;%DQDwE{SUkE6Cw{sfZ+&0TZ{MooDY)GzLGjiF^SxlR_r z7e0P#&>x=F6CYJ)GPy5k=X`7St{P2hR1-!FEjry}DKzOlsLQw+=%JDSCH6S&jiZ(#R{*NW!*E=6Cr0kTr=EDPVWGD9ukt)3{$5=DtoAU9N%pHr`>9KGKFPymQU(+njaY zyYB*Lp@%7^L5RU4x$K35A(8V@yHkqHb~a9Nct3i6O*LGB&ClO^5&AS#|~GMt`mM+K0CdzZ=pqlA4j=85O1YQ9*}m90KQs zj)R1{ED%$+quvx{kp(ig>ACyAGd{YJwpWV9(Di52SX}|$JFZ$G1r@IVm}~8pJ2dR6 zo}>>QXQ_45Cqf8@;l^!f)s+_gXZ2IASmA;NCj=X0zF+X;H;mftq_{l7EGN{WQZM-C z2~BJk^_}YG!+A&6uq1a+UxwOob)xwvff>x~?1V>jJDx_Hmj!T5aMY9x+pHrK4%jlO z{h`Kj*q!T8P07Wdi|?*nB{^Y2X5kxogtiO$(2nC?epOtMq6e3sjm0$GT_k7dZ_#%h zw^Wv$W?-=jx9(dgtyLo8HlFhh5vStcAr&{*vK5l>{~06tgZ=#RZLlO==!oxNKx$VOvv53? 
zHV^&QWw2--Ic00Kl=*b zEp>@5wEcQ&XtOCSgH30W;XwTk!$ffsaFMsduMdxfehcs4I2?+8O`XLu@9R!G{H6V} z9oh&sJFh!B{v|cKRMB4JNB%8|alR`2_Gasr@ak~+iwv_P_m6c}o59|n-K{23QDLn7 zy7AqZb77_9r6?3^c6xpDGs;&9!)7@@0GqwdMB8^;;pOp70_^4Ptn)gGIpC97b)KPV z-ogEuD8EwO3iU-i@Z!j7&U$S#=P-WtSj<5(VHpiGZw*x$b-^Qqja)ZfiidIEW2!EU zMaBXq8Ga9?W9~Vb6=o4{MFsQwjbXZfqm&fgSe-4I{g-a3s#V47HaRlA zQm05EKtS8I+?S{>i<&{}$bhM?$K%b9eC>TqUEuM1CCcwGj~Jfzvm~zh zaq_60)~l!}g_M`SHdu+;(m(A)d!_Zf&p;046wL0BS`HXb2w1YQ>I|t3hrq7GN1NfHK6P1vJF1?Y( z`!)WpHv9i_EaDx__tg0x}F`%Hc#2(RxZ85`O1tnJ6AiZ@wUt%S!` zGCv+S`QFE$w~?U!4XYfm4tX`US!G-oV&Cwh`-w=X#ZX1g%DUh@gpS8)l?we9jZ`&*3 z>z3&C6<}n!*RTA{liR=Z!h|Xfe#QieS+*Ld3bdxj6b#;z?LV`RH_9sxHgz&9ifeNm zj*KgwX03!l?}&7=zl-&3?|TlKFvgKBqwHO^3gV!9Z}-9~0Yc#45xj={aHDMjM9a;mnJRjlX~M8a`o!>E8)E;Zv9 zN6Yx8gMVP9t^kSt zt56K_AMn8fSTAgD_Z76(H-?5=c`fOj{F30%3QJG3s*tpTy!m|%hvcoT3L!J@XBX|w zK09HkP(v`!eE*V|)NtZca0R$M54-re{B3&m*>~`2AP0C;6nbnMT!uD3okaVhKnA$Z z5w6zO2_f2K!`no{0}~(o7|x%VAo}DoX-@lB;-FLd*%^zSH99GMzpemS`uosc!CB~Z z4+0nB+yP!mjsmZ~@GC#Vh(mu&w?aFVz(1$T@pou#9-p%T!=pMw4DlGu%eCQ))A;i= zP4p8tbn)eb+$hk8oxgd7orN}RPne4($b_tGlFQfP0<*!s?3KDEm=Dxo{$WJZw7Ghw zdM!r!gu!j`VXDCB*Y!kZigdykEq@jxqjV zLxEYA%b5QvYae6i3=0+Ovo3#>hsL|GR9uYpQ}r7BkgK1hK1CJESLVB%tG4)juyBse z*W_vpN^^SjHD%YMSJLu`%mOoQv4I-wGRQgeOH|5nw|5T!?1Rd3r)^d|V3HQe4Yt46T!vwMDb zD`<*)v^LhnX)ZXi^A5eJs}H}4&=!jiraQqhf0}i6Ofy>T%F$}M&@&z(2y17iBxQPwdF3%3DjO#1vAZ2Hh)TiKrjtn93 zA_tGx)aD8IVVN_1a+Fi{;rQeY*&rr^L&NS?;VEwlVUnemsf41TD$-n)5EDope|8Lt9X^JFNpb; zW=BgftTLY%;FG%+xA<3}bDJxGi0*QKWkp6qbyQDf{KdxSh1*vEUqWz(y=iNs_+(-yh^ao& z*b#g7x?%Wm1uFAEr5NGn@4V@4U?f?<(_DAD{5+~>6NEv%-lqqizLxRcRVm_WtinHA z_B}5T5NFE{z5ot|eG=^!hYe!oroaI!F}tX~Nv>&wj>{~D=-9Rvj8Z*5Aa752KDMJ( zN%jJB&E(T5?s!2ggr<&|J-ftm>1g`LbZ#}Av%-Hg=#9yzI^1t0amR2SiH2RpWy@)C zTMc#AX;9t|jL{{gW=Ikh^D<6XB~_wj1NON}*?OmKe)&~2MjY>dv6+(_hPy2{@k;kG z_kztVG%>zNRM4B5plHG$7?mr4*n=(R^+LXl->e0Je~i;I>RT&r5jPgUXV zl${<^pc~QaV@fJI_ymbs?vxLP>-UW3r-iECrjBJMHqW`vcIWNdvX*6W-v?@}pqS!u2WH-t}Ylz_gmltWCt67wv2 
z@;KoA+gAc8`>Z_b?1{}8a{u02h6PwXciMJ<(DPeP!8lw+;jZ=lU;;(h)Qhu(o<1Uc~Cmq9(7OQrr$0e z=@zPR3#<4Qowp+Iv@+9|i>+S%^_6r$Ak)b^@-=-VKrYUCFB(j>Ed#0GuKaB8!uj~C zSl6`@k+=vopjUub>4k6zM1HlYWZx@;LTg+|h}te?XiPdyX{YBQFDjcRQvrzXQaQ{* zMx&zDr@Uodg!QJ@#;l$o8b7FSIX2h(e4HtvVLzdT=zTA(-u|Fte%i z-207-og-4#6YkHMporP3&3lU3*3$D)7m1k8ImwdJIVayVt>mc!yavQ^mSmncK!b@> zF+MEz9wzpKcK_~BsLI)%E1%l(61AMmuV6XRYhORirU}75${+N`@ZiRm?uE>0T9Nsc zSp+FP4l}s7iRWW^y}ya%8C6v{Cp?#00#8dvyfDKd%VYwZHDQ_tD4uuGbhqc|8$$rc zeGDfYIl0>xmFYYgf!1!mMc;Bbru>rEY;O_h-B+bgo#V(TG4CK=d=H;s+^<$*9|e`a zYV-a`+i@#m`yo&PH&QByk843^fAwAiBF$%xnjvj=azUVuW*Vxq(BL}|?J)^_W@`-u zG`Tsw?>3a>Z|hjSzohi3FwQhpND}o%TO+ z`-d_C?SCbz>`&R+f3e4ngd^#`o15oMJy6WbS*t4pTgCqv-B%G++y}lL1Q_Igrf_{v zQ%rwR{a+3_Nau3CD=JM{e*e)g$H_j(Q*_1Z!8=RVbTbsy&b)c{Ip??Kd$^sr%{K}r zXnam3(bhQDz0%UT^~Qv;dUI3KVA{|NOm1I^o=gzvn>mgwd_8k+Djgrvq(K|ETmia% zD6qQdUuKniZr_BW44{7;UjasB@d{HLevS4RD<+%dW%MQmWRXE!FEb$47|ER}!Lr7P zBH5J*fiKCFvi5{jR(Z=`h5O2eW30%3ex2g_?Hzj~+WvF8ps4kRHQL>ZK6n-g?+Hhe zQ708Rm_bg{lw-o|61N{F{N!YRo+)Cb3GEOKW?e?>cd)iaobYkivDUsZC%Z1CLbB91 z^<{F^-&ISV*I^H0jIp|tbQ*(7BaEGXj#msCK{Lm~XdZB!HY#of(OCX zaj_T~Kgq)^p({YQ@l(Vc%;$IoTlNcdl=~2h*ZH?F_#S_CSv96*VMATpc9Wo-R_{F| zgJo~ZKwr_}^IfU-A?U1lLqPDMTQf3o|FdVLvly#HfwK5A?+Brwidr=mPPk3?~Q4##j=VXP*paO zpP0}jJm6@@=Hu?B@&}56Uyxk^$a8}m!ADr_!l<4xh((dp&>d5=xdU{Ct3e-s))S7l z_bvwFQ!!f^55^%iM);IbJ+Z$TCx5l^hen`3S%8?qD?kqGXgQJu_sIPU(7b#>n@z>~ z*E;{sUcnvRlWos)saWK`|-ZqYeYnlpHu4+bb zG26I*aPDjNJdCs8nRC8md?5THe$!cE^C@@+cPcM)>AWwxu$IN;V07k^8w6efrr1NI ztmcLp!p=UXyLek>;3w(_^5ovjr#0BFqEFz8*HF6V7lmj$yOs$z&N_t2+l9WA-S%69 z9?+Xm#|pMiD)*x8i=d6E8Wz6M#r6>aE!@a!X1qX##pCY!t(%~hTDWmAuW_}mjo4t5 zb&jZ(vgO3+N#KLf?_~yA5?0>9ylyD{^^JqroGi`pJPb!%A5}deSJ(1LAo3SD^0$ zYH@c%0x9J6PF%$?Y@uNWq=f1Sv@iQ>XjA41GK&eTjuPwIExZDBHXYg}uWf#4o4;OE zcKJr}x+LOzyIBRN!{Ju|QiuY2t?dTu{*so`GZfXBrggE( z54lxwu(OxJ?ZliLF6}+;86?|O3`amLCJFP_j6QSC8Knma!ZJ6k zSP~^E%clABZPp+3I6ycjkgZhPVAf{A3cn&Fd?LG4r!W62SmnM=eRDM;4S+LK^VlKgkGE9 zozAKSwlCjs3g~TG$)dD0)hVE8(T2k3`y{Ft{J{=JH|dQn30&XBCC}m7m#^a!frUd_ 
zfheAM;=O>vD%)s8{RD5O_OUfB1-FxlL zeL$I)k*l_ODs%B3Zju*i_I*~HNQTp9$6IL44{!|?9Z=^3l$auC13tNUM9359lD^-aY9(>U;Zs%SeVpTHFH&e|RTZG2X8I^fMMWiU7ZU zSr42ApGu{kx}mPaN;E5CpDwFZmA>y?u*W*@@bhi@eDx?>zykpjL;e+2NxA6URmX7~ zet&7cJY!1v+(v1pjQY`q5#fTf0_D+QmwJW6?on-NL&Mu36Pi{Mm{o<3c!twNMc&L# zQN%}Mu4(Z=@OTaGvz5+-3*6kGq4u-=+Y1>E{y~qlqVP&D=YDTDnqoSz6sx~W)idk* zJ=no=%d1~9$hHUpgaqZD+KuC@P3=Mju+E;^~|*QZd) zZ`in{ZI2h@FB7;a$6d$G5 z6YIy)U}Sz-GNE-UvEa5eEjN`ZA(*QWWP?<#AtB$Ec{^kQ=+t}YwugV^$}(A9dJ&?h z?S>WFUfbqKd^%AEn#kk^OtA#Ul!E4l}!q zKLN6sqs@dFu$oiN59P#4&30rw)QNQOo>McE7!U^D04yv%=m{ta$I+TQ09oYpQ3S#p zDZ7?cwN;6u`2HR>QPSvXAB?qJivs)xU&qo`AI5htM_P(lC_0xwT&Kd;CP#?hJR(WF zmRZD^=|mF(B!;z8%sz8K`PH479ZuMWr59RsuwF*83^3dzXy{cZ^nGMm^#Ab2GNXr6 zbKskjpXDCiRC`=^WPfQV?S8@@d>y_Gf4M=XIK5kp4)YpPA<1EY(G1RY&CPPL1O^h(G95<8rr22>bN&A zk)8v~Q^;S~QR`+K&+QQzaMyKn?Og<&Ws>IXl=C>uLw=z!-Zh?0gG*x1j@Kv5Yg&IM z(S74#0~pD2!e^hFBI%vu!kaR&a8yC4ON-A5{v={!G(6&(5Wx>GXI;d3&HTKjb9-~1 z#1ePxS^3MFn;bBWaB#B{VsWINpyt&ad?dVJlc#4BS|P_P|%$IRI7WOEIVG%1cCMPD{YpzTPw2N zarR#!KeRdbLzze2#8RGbYbIz{iUntoBv`R8CaVVEJS)74>$Nve?DY7bOWax%V| z@O$vr$A%Co^1TexWc6`@x|FRYGJ}3)=wVV zpI&}SpH+Dh&2Bj-YtLrE_=WL{wh03JX3R^fs3z#(M8T=ir7=r0GVUDSM>2P|od
xyBhLR5I?_AJ2116+BeFw}vQ79IcRJ|-2;(+FxKPJFPo%nvA0Ce5o|I6Sv zioY#>TE%5W|DwtU{P^wuZ2?r%`&VIC=m*#h{Qgf7wExL@aM&JGn-Yn+AwD>=1QW1S z6c45K#xJNWN##8iuu@Zk{HMkPoV#aV#iD*p*WF_a)_k_-@z5p>WjA@wZ)iysPs77? z@5IdH_fMw!6}8bD&Z08?o}{5q?8%|rJx?cA9{c|V;^tlmA=vFC&9h?go~R?a$#!8s zuRYtn018MVn1BXLoOu}AYZ_{NJU9Fd-5)alTHXHlmqPcaE!WBzh};y6P^a|l#(L&m zT-KzZGLw9LQ)LzGdXTLz&#A3D^6)r(PioD^(s_UR;e>7e?O04V<)0-Tqxs5aVtU1B z{m&Bj93xc;ETDq$gjJ?cSWF0Nff_s{tAaKgZeoa}I<&RVayNbQrhhodp7po$OB?SOaZE-SF9igY*hv~ zEq%DB=bB(2Al_Cr==9Uz?Zv|o`W`*u2TaSY!9&0z7oQJ=u4okMdua;Y($$V-qMwEp z%<0T2710&ZD&{BV{xLOn?~KOu5Fk8-!z7vZQVP0xiLKAkJt=1S{)JX`j~qay@!z~E z>gq4)c8xMpy3oB5c3uRlHx^ymMQpVxhPla3y_AHN*-6Y6t#?6Az5w(Ra<+00`+N-0 z2r~$}To2LC382u6Tt%M?`PdD-N4-f|8XO*2-b!Nl8$&{>p@jOF^3F==h+DzZ)7+$S zeYSCdDDvX<*wUe31N3}LQtyZ0Yo)qLoRiEHiVWVKDbA*hjv|akx0WRT=<3wz1gp+_ z{r;pk&$kNM98^7udSs6HEOCEBA?T67W<#We#yeC?ej90MPO#RUn@>W{T%I)aKQAZh zS<{;}NrQkaDc_LWrzn>T^W{BaUYW+~`udO{{jdV1x7q2gM0`v#M!P9`pv!GJj4)E4 zrdhzWHb}j*m+ERG^PQx=uGdYZ#9ttIv*)B++XJkA_FhPr7Nt<~MXlt^rs>Ryr;R$@ zOV!gzM*09snfPB!DjsL$VQm!65~vutnkle?GkZ(k(4wp3w;X<<3lTj3G3kDeOi;=M zTH%Wel*x*0ZlAKm+oHi-n$7e{h`g5iz5Uryg29x!ATI@U4w9gkfopDVSFENt#6{<$ zzdd*(+;TJBG~9~Z#QoB_F1v9i3krwyri-B^rb~+9PBXH#l9Y|(CV_{8;3&r@c&3HF zG@?njjoJVe{2fb1(9fhn>4_&3pHgH6mW?2gCm?%QQLfLRevUi`b3ZU=4-*Mi9n6cm zeqS-64@65fIpUXO&+k3$8|YyF;J`j<>JNZwsuV{ zST=4^AMdJd5jV5>fXEuOef+Xq6E)J!E!;IPnOe-AcT<+(okwh7q+&1EtoD#(Ce|wp zuI%ZvvYy<^eto4g!-|@#97xLI|l^!(wfeIgLYiS2`5QVWBgsv=UZlsTd5Iz zW%WGA3J+qo)>gxl74ksMXkGE#x?H}JAc_7SA252q}e2;~1zgXhR|Bvj9#nz)kj(J9M_6t00LDNE~#<{qc zQ;pAXw^#gD$iWn=zJX#sQDuA6jEqy&)Os^I6E*jfM5ou3{^;Z|j5Kcsg52!OnZ{j8 zl%;eq+>A}mur+Sd50hXeHyhkOyL3*`Zx9DUVSHxQqFy}jWzGX-$S)tdX+fPD@f!l= z=1JpCo`M>MILDnX^D^sY+Hu%sq_v(M0u!bC(4eEzPV3i4eh~s(skflZ03;;!kg8h` z8jLkyL)B&=31QWCvf7qOCof6%BSen+m;A5+_j~RQbCQ0*1POz4w(I9x8 z9g5-p2VFCc%2gKgJ?qT4&d-SZwrjjig#EGNj@jM0kgVMkD>b2wDjU<6&(8=WaaAV4 zbeVf824Z$wQ6{j0P9QVP#>H}ifiL%?D#6e^PeeJqL=|JTcIewx_ej?uztF;tPQ&&3 z%{}b_`LxeEg}=D?-oLOs7M%4mbVgb336DW;su)Y|qSJm4<)B|e`2gIsRQ}74Q^8Y2 
zZD9V~O>Fxo2hut6ytd?r(B~?u_4K%h>b1${^YMH5(~rF>E?Kre{<&iz?gr~|?*@5U zDDgH4c&SgGs*riHV!BJ< z8QpbB>3mhms+A$i`sWb`=x3aG5L*%kL%#0tw1uz{dT)2(fK$RKD_EF|{(V8so`vZ; zS-xJC44QmvMgr7%NuiRrd)DrScBQSFS^WmCo^`Dj( zdOb#1lA73LThTUqe64j=efwc#Yrq(G$!78+ZI(k~Uyq4oS8Fp;4_0cHMY(PJ;?={Q zG|A(-x2~y~yN%-Z6+i2$9k`8uzr+)#Ix5G_JOFMJ-iR?wAhMu`aEMM0wNwx;AVp&3 zq_-po^Wl!;NX{r%SEL~IJuNen*0BBQ0-(NGTxZ5@5NSvJ1f=R``ksxA&c~EpZ2z*r12bEk zhR{7=6FUV6=v%54%VqZZmKhk3w70|*%C~o+S{Cy(e>B2eiQ!YN{zvH-CimRc^eJD$sZqF#v-60p>bm6_)OqOAyW!KDXM0v6$v#~jL$QdJOYJdw-ZXYb zEYwc&-Gt#faZ@}$v(;uM=glFFX9R5hz#Q?o!-AC`01jHBq&iU@;s z;>?$3@iGG$PsiNdi;0d_1C9PWihV77bo38EmnQ9wL*;Ps&J^-wD)rqNrU$=Q%)_;n zPww~$k;kOgt%oPCDQ~v=ud2-T02xU9Dij+|-j#SQR$5Bh5Z99xF2@kHlXKQQZ>UY? zZY?k2!mR!;ROh+nyhy;;h_d#bW|v*fQZQ4NmHcC~oY{GI{%Z6k-wWF~f1-8V02$^C z574D-=Ph&a@fuGc@*E8Vq+Io_euh>BYIYrmWp{>5?Os*01nfsO;J8_|IABJUT3W|^ zgfK~lo;u-wfutvC?VfWV8;Kkex&Cau6Bv9qtj{*uW(R|%%j`r5{Y()Iw?<5#*^R#Q zUDX*fNRXS@3_hW%^v`Z#Tg;Ka_bnEOM=HXPK=LaNy0>Q}{PA9jZ>XR+=jJ%9oOHJ~ zKCGn@I;S>DuAz zU3>d#2}$Id@d;j~J}X}g^<2D|r&d&1vW1C2mHvDuUe(=4U`z6PwIIBUU#qHji#Nd> zw~0sx3L_Ykb@VLL)%K(9GZRC>sgC*i!B;=nEDd9R(vGQ{EMJU#~s$W=sNcQCI0rY5-(zrZlr zLz0bjP^rp&tRfJ**Nk3UdAQp+7kFb?(V+C!TN6`DT9=)kWg>=JtJ8f0 zU?WXO{x?HJ4zmHBA`)-Iv(O2$<5=Ex-(ZiVKpXs2NIg3>(A~4 zZ)e@{Pwxbf0>tS#u`!uhtxzQ%OqS50#PE|5We{d$Y~Do2Jc zwR-Ny6hssuCIO`DP%fn`kGX;t`iD%fbcG=xGGOUs|SasK#W zlGUrXgSA6<>Z7WCxNJCK!s_r4m2s|Rx>uaPsutu}8|1dMXl!v;aPycYWAc^wUuX91 z`NiUxM61X^g?M`$=q>f$BW$>Y-5ey&Gd|_ocx-*Om5$%ipu3FQuqRs;rXF5>vE9>l z4>K^+(aIEj-0QSB!Vy-zluWie+B5k5>&IvroYqg5^rHl$V(CRz*}E51GZ!!C<`%Nz zb+MA1`;wa1~Xt7Gk zORq5@KFWX*ALb4=iXJYCiJakmwx06pG;u7$u&QHn%uwe;(NQ)fbGG3FIKp$_zCZAf zp|PbO4#f$a;D<&dsPZn>Zln9xZy29=`@rIL^iFJK?6{nsGv~&Av@-*f`AajjXr$^^ z)J}0%@7k|L-)=H0+I{~OFZa&=g}8rQ2EuEFsuxPFY_XQJwZL{ojIDt88$Bd^lPqOM zC)E&-wEYVNd%0Zg^#sk)E%^$a9>8NBJop}sCwA78E>|h=bH1JHrCznL|0^ zW}jt;hJB{S)-NsoSqZ-)T(bxR1EJgZw%6e8HQ3$ent^@<|qJAx=&yV;; z1V@FtNXcZ-ZwU=OHR@5z5zdZ89tMyCuG*A$dM)YDhig-kPc=SHah{RpXIryJm zANnyc8S+rSOUq-ZAe7hkuS#sI=J^&-zV9 
zA0YCqr}efnh|kkt6o)@LU7UZd#q~JGD(Iash0GsE`mpLO!uv46D=MS6Gj8OxL|RtN ze4VUa;C`j0tw*V$^hE3U^;4J{B(cicN)Ucx(XuR(E{b3IHL_QB3|ViSH4tKVP(*8L zGC59j+Nn(2S5Y0#X0LglMr7Y#r98of!MUsLaVwh_16q8)%JKvX_c=i#2k0!9AguEA z&OhvXjU8tvTPZPT>*dr&y8DfGtwoMjj-_-e2X9892ZNRzF9m}4uUCmTZkF$LgS>^2 zyujM=c+CFHTW^=EdjHKIj`{>~H4jr{HEW!Clp%>`u*@07i9+{{XAksYD+o~Jb}MuV zxzaKxA%_`A55hb9!`BDcH;0e;5;>yrrQ6F(PTMZ==Y40`ZeROx{~O+hGl02b;^C%K zqnC)zA>3}A`Tb4`{TFDwF=e}zna7K@ka4egeUF-HS07coqk2_%tLd<&V7em2NPKGN zqjF{f^o4rbzf^TT4GTY#v%)y9MkNQEC(SPyPUWH|E;He-R%8dGN@)Xk>&Vv zd%}9H$z_n|4yQ{Dy4;I*6dwG38#fvN7xe#xQn?nI(THE^PFeI=&f`)y*k|tCu8(|J zR5v(RN8}sa=n!&?GjYpc>5xCGB-oqk$Ub>NMMRXK%u4Ad0=lEL10u&+JI|oMWohdi zl0_0tdpy9nDNU9k%BoS7H~F6MvXsXxl843Z@~*MY(Q{>qt?cmYUMiz!lVB>!5SuKF z&*lNPMVH;Zd@G7#15|W}{jxSd*6CIFRx8Qv$YCj*;Sj4(xS!G zSgAzwQQNgM$Sx}&B*@ky9k@aV&sZwWKh$i_6tYD~!S;ql@6pF{4lW+_11vXVdu zs+iyGKXz~vM>HWaz-kX)bckyVzk=KDPhv)yw`M?{>~j9U2> zF)k%>AI2EyQPJDt+{ha^(Zf{D*2+T*J1fh`+U;mJZ;8sGO4k489$qT>F;tOs#l36= zSP0J;q_ogHZKZF1T8nirZ~7ZZB|1>gJ&G6Ur!hI2#90JTm4CB1vhr!N{Q&V>;-;W~ zj~nXF?@Vt$wss2D4bcpBegfbpaI8&s07YG}NbD!F*Zv2bNvL%tq_W4pL7eNHT&h0V z%_hNi0-6-dP&G|WSXSX_l@&RvpFdXDZCw3 zC1?DM;w9Zqm#dte+KX{Io09k~!$X|U(bvQBNBsC6not5PzohsC)(*DL@W@bXq${P= zt+vr+9IvrP(Ii^Ll$(x;$8gMnPMqJV}D5t6!o| zRT#3F|GJ#@$9hVH7G^HXO2rIRIn7%`SYpp{nh+~b3Z|8oWD01d zPXGe0LyCm*%IEga_d=<==a0AnRI7ny+Mvycqe^pfRu?FG^6*;%dY&lY?fABgvvbETt%A zEJCF}eRrJudYVrl)^@L1%3^f~ESN{QM4%F^BFZ-Iz*d*xqr_#V(GbSAQ6V}aSh2ct zch?7RoFpwz;aS+G`(_H#JjE){IVoPjSod4{#tf6q^&9x>lNr@Ug-ObR{z!Ghn#h2s z-;_2lpUqxwaQ{+EP_OGfelWkI*IMLzla*H%|LNKgahA~SNITGOV)w|Go_^)sq*z~FZF6p@HFnsQv?pz)`t$OusYQJsvc%Gt z5iE$Xp*2r8o)TCueyJ?BuJ$v2nQ;06)YiTeFY&IQNFTk%9pzW6(4f=M_24Dm)_#&= z!3a+!UN*Shk?<>XL5_QQX<=$T$}aP6fu~EnU01bj4v%^AiWSJU`Kj3Wd+xm>S%J^Q z!vCBXk5>a0lD)>>pwlINoupw$dvik}`8sVXMo5tlz6^n%w}ef@WUG*6qeSbEI!e9f z#;Bz_K%Q1*SIP+aW;{&T7kEUpjbMHbuR3=@IYbE(8*QrxTn|j0*PMN&8t=7nWbvca z4iy?-#rb3M^AsW4O0*+v#9B9XWDm1xtNNYHw|hbRb;OLmkFS!8y*A)wT+gc!J;3|E z&@o!}jVt9^FGH>N+EnPuFm>cb=MVSjOf!5Z(Ia976jk?ykpRYPzGZ20=J&-#c>LQ` 
z=%DU5mUUce5Rt~6+fwW)&DvGkfoqTz*5s`-!8o`}tKB#`k{nRZ+agVRk$TknVN{)SzvaB@)iEXsr?? zC*2|bpxh)!-L>*mssbHL9~rq5L{SOXa+^)ta19zs%M^aLIi^Jnc{^nqRQ9oEsx*DB zj71$6>>2VKU*0nk82>n&jB@DI@_E`YbqLj{@GJ>#%227DG>`7lo%I?|{k$N|SP-qk zkrMsq+!Ylx)tX3TQ>4R_VLkm~TI|bDf$4*VNdB*%ww}7Tm&qc_ijWb<5k3!4>48YA z=2uolIx95)9kuxBEzg!ex64|w&R$ZjkHMce zbS6FMr!t?rJ{HmtGR7`3X+vXByh~kg33G83*ly$g}b& zny%(lsZQfRZ(mO)PK(xPG^LM)ciZV=?W@L2X>6Vu!4E z4_iCt+FBlEjA}w3&8Lo#TC4Id$1lqh- zZQpw=Sv@Me+Awd4Sz9>_LOCFRjLNL7gwhI5Eq2{IH2)#X`FNIf6;Q^+hs%8&xF<@G zMe!XO^LW>X5OtJOZlfKyd-XmI*I>!;?dLf89IoEk2cXI9%4S|<6mL&D!^GJV<%xu> z(&Q8U2%EyzgSel4pY*E#t;!(>X+K9EzFt>r4C!pN4G=HMTXGi0q5?57*S(q8ec5hC zHYn*_VffR=Ngk3x{SVjUQm42@5<#+SOvJ4b4iZ!AVP~Gxf9$soo9JI$y@BRU-OMZh#VBmHEHYG!{1& z{F|BKMU5s*9pT-biKLKJzN$l&Wn~M7gu@u5l*E+J^3Dcj z8ibFv!qpKMDucoFe&W;J=YeQk8FV0~N^$HoN^4(hVzp+{Wv)Dh%#O<}yxNIed}fo*_yjK7Qj>QQ;8Ju0j<&%Jb( zgb=Ap+M8?^nz0>tXV#}BXWtcz!#HKXu31^7tLHfgr=)ieR?>WJk?#Z_0>Ozh+988b z+`Z6c+{z4%Ne7lBh-kBtBiAqaT(*G2cC$Dok%dT-v%Qu3SgCTjO*>^RBWsKBeEh4l zp_e~;g2EJkf4Q?MkB=1XhVkubB{Qld!iZWwb2IkiEEA|VpGYQhxskmaW{qQenN~*O zKkrSNl~3?x9~cP;GxS{j>O;+oCstEdI$!#>j+ERfPF%6jG=?ZOv7+9I*wKdbmz`;JpSx+hGXruJfp5}FE z)^_-`w)1K9sM?dd)IO>|Zu@zwg}C+ua81YA#v~fU+IuV9i1JBArb#J`on{alb^2Vm z3fqB`PhLk>e0d$Q`JB6cBcVrPf6f-B&j5i}HrF+t3{Ri1YtMU=kW&2edW%7n!ezS~ zIYI=O?hhizf+OkGJmF`O3b7n^Ri5A`x?>pX(G$seGQ^xJ9FD)5%3E%F1 zFK2Wi`sEla%|UPe)5{xW0Z5F|TB*qMF_z|*jCT;iLl)A9i#nG?rQL??5qD(%INiI_ zw#m93)e>9B7?U1EG(isawd%+0?RaQpXAL^(no58q;rs0bvA<@_P=G><41TTH*cLo@ zsI`2B?92Jd_AU3BesnKD{yZP`A;$oolTcfj!@Zp=xuKTnM9Ngpyb)iP2yF$oM+%&r z0ukTonEl?rG6W{~NfGP=45P?I%~q|qaygH^sm<$m7QYjJn1D|O=Xemt7x_aDcJl{B zsg5r$18;GEjF$n=MVZ$n9lGW`U3{A_E#bN?@C&s+@`jZsIa;_oxR{9evS@l2jIN>; zNnc)DK&*NsIa33LzGTOk?eu zU(RtiDZn(TRYK@E0bWJsZYd$NYvhn$cLp96$Rtu5VV%wvFg=W!ZE4N%wGJ9eSPNSx&GaqJ@$NQ=li&AO zyP$S7%5gxmzOF|vt$fise_6Vq&py#*D6iQMB5_i|TOV%}XK`m{8KvYJ<5#te9~<=?P0QcSfwgPI%_Sy= zRDFot0ieNuPRf>79rzF#z-RLnIBQFSCfAh;1#iZEcm{NC zVLOwm_#{QEOhh(ummbL>0%@#CKk^_ 
zJ{8XI{FIZZ-qT$F*j$1;I#V`^^Uo_tY&-PHSRCtv8LBGByQN;uAy=dxLz7cM?($EI`j760_&lwpx3gX(MVUI+1ErW4DN)`8y zfyn<}RQ|`ue=}3*{jIJ8_5Zt_O77pQx@@41%m3%U^&iWzfBX!oX(8Q&(7MOJxJsGU z>F|3_#1^R-q~g&Z_s;gi8Aa8H^0oEfxcf@PUjd*#`}KdPB)k(SM~?I7L;8yf43spo znHAY0tAk3|6Z>%$oQ5Rk8P@d~qes-^xkUYnQyI_FsggyM9Mi zsZeHfMV?&uitl?8^%s3M`V1TBgysZW-du31`4n(CIxpFbPM7rx5@iktKw7DX85i2fR4mUII` zZCUkZdQ^y4u!0pf+>{gV8e7H|c^lk@-eiJL(l@0KgCXlevK+XhvDIj@cjP658 z_W!`mbxsWxh9+4nqc`mM^>2?K-N{UE*zfjC$u3w@ZIgjiTZn8=`$_uD+|qTfGEsQ3 zRaDrtD2;@cl{=gf#-uCd$4?ud^hy8fXLiN)NP`Q{g`e>!=q%gYyqcsl5N93OMI7sM2sXP z-X*yx?EL!#G_K) zdS5&XW@eXZsBhSukFTDr(L^ED{Nh)7t|QdS)*!Ij)MY*Ij-VFXGrTjAOw#a&aJ~J` zwg;uBHxJIdU?xaIk$v@+FN0wIFw!4?2DFI?T|}8T$hy6sqlQr`fbKZzw=AW2^}dDU zh2AE!$&;%Cxc`-Q)}>Pae1im9x0MMsow4Sri#XkRrzCLf$oVSSip@F6+*pYN3(6#E z(BbP7C9g>!?(BerJv1@)-#$DZ5}B%TrjZ8>7#s=|aDO)iYtAMg#bXl?{>u zXLqPBd}zP7D!!5kb3oP^`#>=`mp~M2$I?BRQ>Vz=nW(!c{Mu9B<8?W+TZxVmsG_)hIt~Wn@C~k){%p-avp9T}ZUhC*B z&?A-H##?u0xtU@t02HHik^)#?%oJJ{icv;6cU&+MPE_wojugT7wIeehNca22MLV|} z)cJ_b^tVw-eTpK4+~l`D#6E4DfkDYJ1zjaVB|rlAkukK7=9f%HqA!dC_$vR1bNx8S zhSG?6-1baa3@P43*rx^OVHMRS3)b{MWuBVHc;4PWM6>E*d=Z$Eb9?k6;HS7R9I$CI z&hu2{+Wv?B3k`|a8)OH|J*{j1KIQ}e(%SvS{VTQ2f(z}F0ySxRf~ZzejMUn8Of&oH zlAEfHgmX73n}?~726tcef-j-cu6Ne5H{8tM zGmPs)LkKm-sOZIXrBjUyT1M|2BUl;8{x9{}|MEHhPae5CJe} zYCoJr@;)stWLIUix~v7ST}|~Ju_hnYNe0KsQ$-3`9Y3j^biop9tN4nMURl<6_IQ8u zsYghV>I52%A08w6=U!}-cyHJTDIUo5m7MjiJV(h_@Z?cT&DNDk&QQ}lRD?f@kptUf z_hyyZieqW!mSl6SsMAwKE?jppoN)#4*L5&V>$iz`)L$E z>VGmb`o5po1I#O%Jt#^?_?20L3QE0Hyb1p`9BbI7cRk*Uj~RN20VJGvbuh~1L*KZ( zG}dOuu+!HF{_nxB_W!(*B9mrZNB5q8NI>%Tl7>Jjz^@Rz!ObdbP5un09sC`)eLudX zt{j6@%q6Ez|3jfhFtmbFv;35CE{OU1RP$pk&WxM+BOYQmsY=-7Oh%PLr)Zh5`$*2bK zq8)B|4wv;k><(@Pa2@}DcHsZ5?EK$=6RWvC&8GHkHfrkYcIXw%A= zn}84s90fXE9n*)NnzYY}g(5?Fpug(w5QcfJkoL_6yKc-UV2OMic09E|(MPZZ%M<0A z@`>VCut%8(A>(9w)@@jc0wnI0dC)}wEL4-b($lOg*vSX`q=gxWi{ypEk~*oP9nbpm z=YN5Ap(tM|!|T1jo7I(hyD0U#bKQihxPI36ndOa=xYYOk(=1T6;2f^hU0+lD5B<#R 
zf8N^tz&s}bD8cU5wc(WQX#{wEq$SPx-IZA=!urHFiVQDgN#t>%-T5LMTPncwpa!jMX5dy7X*mqmw=Hvp$I(g>TKvu-Qw>bhr;?9eiSE3v2J!-7=?^uc&mZ-LZ= z=zWjc3h(?O?;@)OBM5xWEqYa2KUjpo-Z9owm0&zky;rkpGPeN&DJ(OZmn9l}9Q?9= zqr@a@I}gs)Mh-Sy>pMHfU$K5^&G^bteR>Ace9hnUwC=|p_LtF;%JJJbV`_U$Pp7i`U8uRI744E$|HBQM-a?w_zS?+5$ZC;s2j}++0PA2-Jza7YXK656a@IW ze)eUJzY*0Uh?P0w>}a#dAl@+&LM_)J8GJfM^w1Jp<=*&t?5BjBzf9^~6hR+di!)UT zd|LKpRVSM@kRze<7hk~7%k(hfZ&BT8MO;Zrj_h6WCH#J+(mIJBNJKfnfU&Q7nl}P$ zmIJ3#vQsf^i+EqD_2CaYM-m4Ppg{7z3r_;V;(8guK%5DaO2rh{sXpQ@w>-D}iTEcz zUOSE?wlJObE#`D3`it(*w}7GsiYC3K=o0pMN-389eO>AF`w^lv$F$yZY(Tl95@%r{ zUm4_Wn2ia1kEUoE$zPUre6trAGZPIpD-EowxG;Q8GY;zQwgJ$y9l*|1&_Kc@$U^B+D>!){v+0B zs;W3lFzzRrmfdWEB#I3je>{N67J zz14?LPPWDg3-cOkUT_4_Q^tJmTNF3d?qg&|3rF3uV@Nv(J(2gTCA1aM^Ok@5k{lf} zY%^HR^ImB~))m26?j-u2Pwo z_%zFuo5Dp&vlCU0XrGqmw`&exHe-31%C3TGrSm3h-}C40}>Pk9)l}RtdTY%Q@R= zyE~ULQo8jbp$@)h>@m2axN{-bnpZscKHd`roM-=}1`YlKg*E%Gjo?Eq&pnQ6%<>Fv zs5mVO04hPg;oE5x&R#ETj0b4vS$4DUdG<{%Sn8S|`?3Ws^mEz!)UQ2%cPwMsaFOgJ zJLcV)L=XtbBh_BYn5Q~#$Ecy4l^v?BmKlD)le_5L-)J)TL>>34oCkR?7L&a$?C|&F z+)$aNT9vF?YvC}&G^|g#VM5j$eCEU;Kj!rkz9B)U>luC8GhcDi%Hc6@QMKt8S3Nm4 zd2<}g_08XnWiSchIR)_R&XnGeBiNFZe#N9f1bklCfty3uL{2SY!1B!0BJ|kk@u>6Y;m$jB8bzOMRh$c#? 
z!m(^_uICZ=nEUH#Ewzq@75>0zdGBYqyF0`mO5LsTv8>A`Kv$~Ms&#k6W7i!K^(PG+y-sqTLjrL7E5pL_mlndHn*t&`o;P%(Q&Qt0G z&yZe2K1)(>YyjA~MZsU7gR?YLM0+bES_px*xwes;sG;zsFvzLdtWw(X;FB(sDgf0Y{L(EOLt*ruaYpOacxL%n{7 zvwVs2k?qE(#`P6)oN248pfZGsgQuAz!&F|!{ZHwXMDfpQh;m_gn&FqJ?TiBGi%F&S_KvX~E#Y@`HS?^UC{E#is)tE>@-cVmc;A8#RB`E(&&!FEn zPc1iEKC&@-ZsCXP5Xj{rRvuN;8%7#}L{ol$+AxBJ#P1SeVVAE`c1pHJ2y~eI#Cl>f z;RT&3_IV~SZ#EBw2yPY)r#~WYAL{Y!N#xg>ACZV_%dPs7V@9B;Dy&i~`fmN`{PNZz zSlGd|`AzsW`B2)j#lZb_2Ki^Wi%FMDfCFxN3>*`1wqi6otB8pbcMElJ-7MiN7{YQ z-jQXKtw|J5@8?>A!7ccTgPUTj9Su5U30 z<~>QW`*dQ0+psY?`Tw4Fi1Yqx#pyC)5>`x6qnrHspLOhb%42|_e-ZY7x*7ZX`9z0g zJM4%~mUrry=ITn__}5+dGtLvPqOGB%m@${M7x&Hvbp@6cg>{zf->(m&FMR2>&XhB| z5-clvSvYg-@9LN`eVcNIBE@q;w+(7$gfpOR*dxn@MLF1mLA)Y?cl_ma_!_4yxn;&G zA&sU^0*%fpIRm}yrKZmsE})IRFT$!BzuqYcMPB+&N2B5#E>^gRmC|w zmeH=hf>id=hK7p`aNg-vMN_5GyQRo|d;R&34E#Mop?b!2-5zblhyZ?Lfwzlgjps ztySs^BcX{1K_s%d4yZYsS+jN|+0X*55;HaUV+in&GX#yd()RPC@S{-*qA#od(WJKH z{Nno~{;iK1M_mw4#UT;Y)eVgLK(cs2IFiH1uzA$&Q5SX&e1U+F2754O+yKFij|a1d z*v=CS48WE5+0@H^|8|-q@|fY}=>3!jcReO+?BC0HT+3R`%p_^>1QqqJ zH7%?hTsu6JO5)!5Rv~k8v`qe!SqMllFuDdbd1u^D2L`sU<*jV0)~g7k4n)T8tLZhkAV+oWD%`ij}b>e#m8 zW4Vu>QTcunR9#FUEXV)T-gibdwXN-fh$uxYbcCQm5NXnpuF{d-J4hEH(gOq#k={W- zf(S?#LqJIAAVoltF1-enUJ`16kbT!a=k9a%*=K*}+vlGBjdAZ7_eaKBBgvR+W@XKH z&iTC0^Slc*!Rw|IB`$u4aV(pA+4s$r>TK>%$Hb9c^GNMA8EZa|x9(s}uSsOvOxtXF zHxX2(-IQ{{AvAcyQ}}f)vuu#2SB-qN&r5MX_%}J`QGrH~)6;`pe2fq%sex0dF_a3Z z)E3%9I{qdtF_-XkG;1-kgAHUj>kd`0Ou4h$G{py zVK(5MtzkODHqxG(umierpX_!e2m5*ITVyDFIJV~j3fq~R1T{OfmZ&d2D5w~>JYQ~C z%RwfpW#R@Vd#2Q(Gw1xBHVBeF_oPK(w|-qL2?e5%EiF@NSM zo$-ScMZ!ZIs2vJpg2@(YmZFQxrzR}kYqO-XI^B{;em*{b@X7icQ9|QlVTsAA744|l zYIU{px85v8hQSH4BU4A#X`Zv;{bnSUZ;AcQmj-=!Q0M2H8(Oj+W~c_1O-*noO?Dep z`#*wyi3>1FZ^8Pt%Yg?QWs5DQrtiN2QP#VCLbSKb)?Pk>n$m?me+@Ew1=Aja$kF#M z_TGi>sEa^n4fv}Qy5a&^cCD#k;<%jnMq0ZCg!aP4%3^30VBv;G>@6z|BUqGX zlcLnK*K)&eCYYba!AZ8jc&hoS5XxC-0M&)u;d10pBq-3ATAws`Pg*!KyY)lvvRpGN zF9;jk&Qh3;a1FE{^H_^LU++@r=qq%~WL(^n$p+T`de@2#Af_e2$D$i;vAc$D0*5-^ 
z#006VPs@~t?b-D$+kL1#1HOtFr)BJq|a7fQPoO78ZvU9x4**FwaWj|g`&@t z;#;%yQ5-@{VqO~fE}sQccl$vZaGCY$g=J2&=9T;ir#K19_fzO}%e>0C6CH{oT`SWQ zDcF4+MMq*J`WW!W^52_6rzmixt4=tbQD)Y8vB*RQ-m5Cra&;x9+$ ztr^v$GrU7F4OMCO@vU1-9%gA+NOZ{j8#xiYZmC9DaNisq3PfIzV4vDvpI?3OFl0i$ z9bXotfi^hw%Ie4#f#qq;w zln)%`8(VK`s0P@eq1SXM)+jbXCvGt5)9mZ6R8u%4v>7rp35BTJ@_+mA=CTQGU5di; z8|b-4zxj-f!NvZ>xvP9cVd8)bOP2L4)UTC{i%rt$`Vak9_t)%RfUw@;G)LanI>NeY zvuzD+B#ck}^u(`cfz9K^;lt%J9`FUc*S59dz?s|OI=MC%N$9EpoINK|jtLsFAnNO6 zib|TE5DGM(GKEvcdMaQ1Oc!C1kS{YLNK0VGwnXe@J9f@aE_l7a@3y_QEnpRxxp>>y zRlNgEVi!6kHa)1ot^qg=TLZU^22(LA3ZY#yn?AmM+Xb#?B^nLc+4w5d-Fj)WU+%>S zh?GE4Q;&z_kK;e^Tp#0TYWz0jCif!`-lq}$JuTn#QrO2-mkkfAK`ZMMO;;8`^d$XB zV$yK$*p2WsH)d-B{h57LS51F>9!@gyt(gk%WH|6dv>|HS#6*2~$|`n(d|FRp)>hol ze))~dp*00e)}Q@3Cs0(zdC=a4Utsj$o+MweP5!cJs3RPXpC^J zR|0m54)0vxGaqYdu5Ey?C{I1$<-H@@%1l2r8$38^`EqG>Pgb9JIk`mO73|&%24bM< z4Kf$EAFwt?Um-Zj9xWYIP#yPdD58{1`!pkvJ~ifj2d(qn zxfjc<@fx|VlfGHDu`>ca+EK0K&1rr&-}&2<=)3@fNqi6p`8F2iRE#7{#KAEg&MBVr zC}9+orpML*<$T+1z!b+B&$juRVd$m2ZwBm zxRsclA_&*Z%_htr18mym%tvS1mZ6&OB^*BTwFrL);F%U|e>*=}8zY0rYC3{C-OM6D z=4`jQTeUr%RzPwBDx{4_GeiL8WrH=sb1MZo-S1XqVbqFjV3~G_e}cnAJ_6 zAkDnd%{_FDva#HgcMY(-w*)8q{zwp9%t+69-K;oy5O6zFJewSQIF>p%1N2~GX@ec)_Tr(=?!`~JIk zmlep)yhVk5PRwZx__lwOoK9EuFQl$tQX&uGLc;W-$G6B>RKEfQ6}rix#+u#Kr=UCU zCx2$A6#bX<=YJ=+@q6DbV`l^0c@*UVH|T+Q%H{Zc*=xGU9*t^PF}} z-e@uQbPeje&^KnrLyQ&3yQ)SKJT;H*xFGD#27l!u?P(_YeBklbB|A5+#LFGDA3FXFS>;e6>sngTU^gDSU^7(}i)e1?=T zEj*K1)WKWhu6Dh-SUUhSN3IxEnWCCHQ%hISDMvYvpBtv|EUAIqg=1fhm76bJd&KtO zW3%Ll(sr~=VCf2kE4jexo~={vz1#URl?!SGE+(&&a?g^Hai`~Np5~)w?teKkjm5Y( z_+SF1W23C~DjU&nj7;q9{mg?}yT7D{rY3YY`L!P(WG-6M0N}27X;9(gJA8v`iRr52 zPDw!xEF@Uk@HuLj%OZrFa5u68KAOrMwwLAViU(JrlOgT}CXwkMQl{tx0!of5r1WLT zPPkh_Wh|dO8f>KXe>-V~nq~oNNM&2_JZhzKpQyb`tSYCN=@(nK62+&v%uCNmw@)gE z`z_D}EL}OM7f1(dCY6)=Io?jrm1O1~Co>~bzU|1!7>#+zGE)&A0En_l}0{%$Ia|)f&?-A}5HuR`@v#E$b>v zT2p$qT>!)TZi_A)f=_9Ls)unjIn!j zG*Bm_F#!Q^N{{AqwPm6Dlrub>KI>iTB)D`u<6;?v_Axt274BkO%f)S{mzjmAmupE= 
zYS&XV9NPVzwgH|42dG|K426Kvd=qR8TqwmfR6@=Ju5>tOc=r45pGaIIza$tahlfty zGxevIk4!)f!uavY<(%hQf@dH;TKzK zrY53Tqf`BEO8o+vmMt{f`eJ zXa(>U=KRZBQ!UU=uQ;bM8NDF%+}9lfzVT~v4YW^%^U*U&?RaZilr?CDMP~rX2OxN0 zgPIY3`RdE?S(T`q+7t;Il);t2{g11r0knw-g0T~3Q$?vp z;#doLA!qZEz4dk92%XQbQ@r9XX0MzPq=1PH%Wz}+x>^-c#4PgU4{1dw!)0f#)tq#s z;>X|stB@L?s~c-*pLb>##vWl`s2v1qYU@?NHLd!l-gb(2-$+giHuNRS?H1e8C@~is zL^IyWdM0dpQ6hA2{lOYT<(JB)ue@OKfq0IyHMz`y4Jfw{mb-(UdQ1jf0+abxJ*6rm zo!4K$|E4-cwIMREo>K9dW=hn(E1c@8sutQ9*S2>51iZrO|^yj(Q7t#)0*eVpkkvBFc~q-nho zA2<(U!=F2lJtJ#=zY)uMMI9?LrCy)X`Qw$M);1p|YkN_WsViXr<~M%(T34UC@M5cn z_Z3WnRLn3iY20Ef@ixA2fi`l|J$D$NdOzka|axX=1s5E-z$c4hhynP2j&Ne&}-7s{xM&j9Q|*ja}J_}zSXR}9^j8fU(jm6g$) z_;>Y8HUQ>ppQ>9Tj=N zpsxR5w<0H=0<8`?vt|ZfbJDZa&>dpicdp`oWk<~fzBDm)y_F2a^C?J7i3E1K0GX)K z$0>$f*<)r(j-U%{p}!D*hSpK#%9VnF|Zykn5oRO_tZFxMb~ z3UhL5t{x;zl}NKX)Mip+deisrB=m?xa$jsOo{se6x;3r9zBU73DU-597uo*kyEZFX zy|pkY)6^bVW=u+s3gA4%;2YFWe2`i1@zJPP1?_GLB7Bg_+LQ4I!wIhAw{mI0qs=sH zQiV%p!q(J`au5Y#N3!V=R>cqm$9?wty#5MkWQOdTJVI z6Nr*D$zsl{F+)sFr2Hj8Ic{j+r{+5&d(4dL!&^_}KIOOGju58nXei+PzVQP}Hiro0 z|7V`mKLEi}!$$#{gFlfJ+3TEhLlOd&h%2R!r9IH+yH0NWm1|%Fu(C*gdC_}z&Ux%I zc}(V^pY?LdzwkjQkt&cCa_KR|+$v@IJ^qhT(2wTP*(O@EfdU8Wg3HMYOw|Ts;!6xb zCAhtk$DaWJH}r3h@-L6{pK%n7%;`x#1}rS7vpyc!67LqgLr5G1my-8+T+69TJqGn3 z4cVz^0M^|vfBtRsKY;4Gh#wgX$adx{+|b4PMu9H{;k^x{sgq6jQ^|lVtUdk#uD$&Y zB|fCYSr0+XUvL(aRTPMJu;a_PQe~;CtI|_Vmi$?g3z-xjuRX@>SdALPwaSmZ3tGlh-lmm!E`$5rq$^m)5VUF`$DJJa3t+4ov)WJzz-(|}Bd2@i@|OIB-i=EkQ5 zR?7LOrKFCZ12oM|?$#PP#$gzh+x#Y*cNPYFe43ZgM|z1dA^rQ+XC$7}yR&uiTw|E; z0b{KXFbEcNdAblcMKRZi>J%Qrc9q5wRWS#|^XR1G^$zbQ>#K*OJIV>RzW2*+gud)v zmN#f)e7@Mvd@uN%3tuf(T!WL~{aTwZ4Ey9ElwBv)i;RDE-XIfVOVz%g-g=v(B$gz3qKx+ zvyI7iaCgkC&7_>$VoJb5^II&jt{9)Cf*KL6OJ8bRmFadgfrK-h3OSD-6DmjB~H0T63*{DE2|&Eeu4OH91oB z$a|lb%TSgdJ{r-*aKrTPW{JFCXI1rBnXZwBehSV=qrRi8#5FR%$;<{2bGoh1;<3ROPt z0|e{REi`Kv&Tc>9a*nQt++oZ2HQ)AlLmnLNW;rn_vL0iZ@B0)ukN{O4|4_x|U#FY? 
z>AVXk8o9wkdAeF)KoChirW`N#-I=#`WwM4#+r}MCtKfCcei1JLup}deUk6J4{J8E` z1A92cidSoB?z2TsvkP?!lcG>KC|*s8{^yBlf3K^eY-CP%baej{UCF-`BN@y#`XnYbRUW)%j9O~!2-k6AHK^V|9gER zpF9H&HxB2uuc*Lk;3B+M)@*8psQUB^z)ps~AbK!N(S$b3mU$aavICUKA?V_x7eII= z0)I(t;)S(I)IPz^=-URyJQ7u7Xn%v=G2S6)F)sOqUCi3Pn?@(qVmujUk6q9;FjI6Y zUTfJ(Tqm>m!tJ*mQOX|`o}|{~(vQx;D6vL`^9|Ni7B2i;X|94fWI;u`9&`mM_NIsa zp?%t4Spi=VF>PSw*DBQ&A=*p1tXV5w?^>Onae1yU!$ag+B_nA^-ILv2ui0lZB?LX( zkLe2h<0+FGmO^A)Vx;{je2~)OqnqN?fgR~s@WngAY31;)cp3e2{IH@m3s)utBkeq& zuKXdqpd}fz%VK(uNpYEkON!lfM6~5aGyS0V=9SJKb@M&*{wLuN0_Ee;N*>QE5*IKz5 z-@Yl^`Sh{&CD=Kvc67BR>%*oYQ=372W%}fr3HJ+7_@p5B@V38P56n| z3yJwOr(=Yhhn1*rHXNDHwC;z+;kwx)n)+(_!SmM7y_w!GR16x8^2!>l>u`Fhp0Rv+ z%f54aE453@D`wmI4|7NV`=OU#`Z#%Y@Y%f--;-oPBYBJh&B#7&WozZR^=LVhvEx&6 zC)24|ll%Mb?`I44MSGxyDMod5Zo@6^-LmASzvVlZ8TroIL2P#tN0UDDZTc=KUpt`p zO-V1v{qOs6>rB%~MW&~uhiL)5qzudCyNvW^o7tAYmL?(QJzXW;>%ZVqf96qV+N|&+ z^OyS9Wk_=E%F>eD^Le8J)dv$ktQPH)&Rt*S@(H|VV+N=u9ouXZpgyuB82f$=DV_s) zIsrAPIjjsj8mcswlH$#@l<6XtuPt34=PM@LE%ujqP?Z0afbO*cU-04|&dE6ZK?MH8K;HQf{^0_A6e>zyZ~oSW{9j$b!<=^0yC(dPhC<#q)_JThCCRIMo4Hl<*V$Um&AMwZIagS~ z-FyT4Q#u)xwq@GMuxx9*f%mAY6E;PA4-0~|e0={Nws#yd@ZF8>F=Z0(taR~@9ood z=>AXBeEwQ|}JN-`Xa(57)+h;W2&q ziLPC3uOM&~bCqHH~#-weY) zI$VGKJyN=Zb*bIf4Od|kGlq8BPBc%7@`v(KX1Wf$LH%j7YW^~@<_b9&4qV(;zj%q#orYvyctqEDL&Hg!QDBcJxNL;|vSbVTMz^uTc^ zNIfx&`C!TdRZ02Me#q0+D1CW&e#d02U4=dx$)cO}n6Y8WH7NCixn+)`u0>8eEkn!KyRUQ|gqPc&g!Nfxt@euz*jT-dDT9=m%yh4k z|7h$Bt$_L|hB{{aczy)_=a1+@L%yfyG@Z>SqOkov z0ReiA9ba4m|%$N0t2kA-jl&=T*DE?Y^NA5dRTHgM-tCk*b$-ae%xjaG7*Hhn)~ z+iv8YTZLZMcK+&guwf`Ipa>{& z37NR+9Knm$=GngZ6xtcYJLZg}U`^|x*BvP|Gnh^*bbZ|Hs0(q~ zayk48B&;8NhvW?@sfrBcsSFPJ!W-})!5bT3iDiu0#cP*DuOMNUzXc|su;f3H5Uw6B zj6L^>?UuQ)XtFR^7}VXiV{UqWgU#TQ>ORtsTsi&Xi>G_lx@v-o(2=@#+HkWht1EzN z&7#)<@Sckg>GVC0NWK=j#qZ{3$(g2tjo|NeO*wrp3Q%l9P#Nt(U^P@iyH-`Ab_^@j z`0?B5%4fHWLUG_l#*Ii^tl|L74Wapdl_j-nsg-}QE`Gsr(v-Q*=p5i8Mh3_&h{JL$ z)x$S;1d)6QyP6CS%Y?rBuM=Kz8hiWKrOkW=3G#lZJaz&cNtGanv^&UN`El83`~>bn 
z&QbVm$jaJ&PH4*q+Kw5)Pa35JCEUp7XtHy&y;)FtvB+uO2?aNk?&@q~#sQ5^3rjP1 z=zxoH*iR&2BM)_qY{;@ll`mxR5D@esfr9~B%qwj4sZ(nC~+M1l4< z|N35(0br`>9sG09dGzE@i8w!_yPP`Jz2VmazM&5swKIu^2y&(Pr}<~nx*kaf`h-Kj zAODuZ{Od^hAD!!SMmt#CDIQc{&R}q(1uvN)&3*J1I^@6R@DzKP^uK+L`+59`{w0V1 zH;M0=|6m%TWjrk;XyP<9u|umlR5F5cW$!JYgAA@JL_0UPshq9b>?DUJo@Sl^HW_}# zKaqUw5hMzBfT(9ASv)kC`P z%Fl%jjb*i5t51ttoPHh*>jzob$mm9S%!C-tnU7`{wi%#FDjzIrzVtE82T-2)#sm); z*EYdXQ8Q{a4rJM{x-iyM#O}GOt`7M~5FH`#9X_$$a}^$3SUmHq}oF2*V`MaM{Jd? zY_6L?k#(SwtSwVX83(Wu{r&Qw|8lkWTO_dTl4)aOPMQmKIM{`iQuy&{Q&QqmNaj0d zjH)rEke*&`TgObvC5sF5H`j!s3gkuK#9)q%AYkr{?vBf fNn8SMuqgk=sC;I# literal 0 HcmV?d00001 diff --git a/docs/SHIELD/Reference/Break-Glass-Overview.md b/docs/SHIELD/Reference/Break-Glass-Overview.md index 9b382ea..5b41279 100644 --- a/docs/SHIELD/Reference/Break-Glass-Overview.md +++ b/docs/SHIELD/Reference/Break-Glass-Overview.md @@ -37,7 +37,7 @@ Each break glass packet should include two of the following printed out: #### Passwords - Passwords must be a minimum of 32 characters; 64 characters are recommended, although the longer the password the better. -The password should not be human generated. It must be completely randomly generated by a credential vaulting solution and set on the account. +- The password should not be human generated. It must be completely randomly generated by a credential vaulting solution and set on the account. - Passwords should be printed using a monospaced typeface, such as Consolas. - This prevents confusing similar-looking characters such as the numeral zero (0) and the uppercase letter 'O', as well as the numeral one (1), lowercase 'L' (l) and uppercase 'i' (I). Since the passwords are long, it is easy to input the wrong character and not know where you made the mistake. - Passwords must be changed immediately after every usage session (after emergency is resolved). 
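Review bot: the re-bulleted line in the Passwords hunk mixes requirement levels, "should not be human generated" followed by "must be completely randomly generated"; both sentences state the same rule, so use "must" in both and the item cannot be read as optional. The same line has the credential vaulting solution generate the password and set it on the account, while the neighbouring items describe a printed copy, so the page should say whether the vault retains the value: if it does, access to the vault is a second path to the break glass credential and belongs under the same storage and monitoring guidance.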
@@ -79,6 +79,6 @@ Notifications must be set up inside of the security information and event manage - Any successful sign-in from a break glass account - Any password reset or modification -**Note**: Notifications may take up to 5 minutes after authentication, due to limitation in log analytics if using Microsoft Sentinel. +**Note**: Notifications may take up to 5 minutes after authentication, due to a limitation in log analytics if using Microsoft Sentinel. --- \ No newline at end of file diff --git a/mkdocs.yml b/mkdocs.yml index 57fbaa7..e9ce9c8 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -164,7 +164,7 @@ nav: - Microsoft Defender for Cloud Applications (MDCA): SHIELD/Deploy/Reference/Architecture/SHIELD/Enterprise/Conditional-Access/MDCA.md - Multi-Factor Authentication (MFA): SHIELD/Deploy/Reference/Architecture/SHIELD/Enterprise/Conditional-Access/MFA.md - Privileged: - - Conditional Access: + - Conditional Access: - Authentication Methods: SHIELD/Deploy/Reference/Architecture/SHIELD/Privileged/Conditional-Access/Authentication-Methods.md - Block Non-Privileged: SHIELD/Deploy/Reference/Architecture/SHIELD/Privileged/Conditional-Access/Block-Non-Priv.md - Compliance: SHIELD/Deploy/Reference/Architecture/SHIELD/Privileged/Conditional-Access/Compliance.md @@ -223,6 +223,7 @@ nav: - Discover: - Overview: SHIELD/Discover/index.md + - Installation: SHIELD/Discover/Installation.md - Deployment: SHIELD/Discover/Deployment/index.md - Usage Guide: SHIELD/Discover/Usage-Guide.md - Plugins: From d976e52e61044a7e59113f048fb0cbfea3ce5b01 Mon Sep 17 00:00:00 2001 From: Elliot Huffman Date: Thu, 8 Jan 2026 17:13:00 -0500 Subject: [PATCH 08/15] Rename section to 'Break Glass Accounts' Can't have overview for overview. Update top level to not include overview in name. Signed-off-by: Elliot Huffman --- docs/SHIELD/Reference/Break-Glass-Overview.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/docs/SHIELD/Reference/Break-Glass-Overview.md b/docs/SHIELD/Reference/Break-Glass-Overview.md index 5b41279..b7bc144 100644 --- a/docs/SHIELD/Reference/Break-Glass-Overview.md +++ b/docs/SHIELD/Reference/Break-Glass-Overview.md @@ -1,4 +1,4 @@ -# Break Glass Account Overview +# Break Glass Accounts ## Overview @@ -81,4 +81,4 @@ Notifications must be set up inside of the security information and event manage **Note**: Notifications may take up to 5 minutes after authentication, due to a limitation in log analytics if using Microsoft Sentinel. ---- \ No newline at end of file +--- From 9ea30172f64a0d1d636642fb9d2d2c10c149aedc Mon Sep 17 00:00:00 2001 From: Elliot Huffman Date: Thu, 8 Jan 2026 17:13:59 -0500 Subject: [PATCH 09/15] Remove Trailing Line This is redundant as the end of the page/footer handles the bottom of the page. Signed-off-by: Elliot Huffman --- docs/SHIELD/Reference/Break-Glass-Overview.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/docs/SHIELD/Reference/Break-Glass-Overview.md b/docs/SHIELD/Reference/Break-Glass-Overview.md index b7bc144..126b5ff 100644 --- a/docs/SHIELD/Reference/Break-Glass-Overview.md +++ b/docs/SHIELD/Reference/Break-Glass-Overview.md @@ -80,5 +80,3 @@ Notifications must be set up inside of the security information and event manage - Any password reset or modification **Note**: Notifications may take up to 5 minutes after authentication, due to a limitation in log analytics if using Microsoft Sentinel. - ---- From fe286ba2a76717dac4bcfa76f3927a5f977e0180 Mon Sep 17 00:00:00 2001 From: Elliot Huffman Date: Thu, 8 Jan 2026 17:14:37 -0500 Subject: [PATCH 10/15] Remove Extra Spaces Signed-off-by: Elliot Huffman --- docs/SHIELD/Reference/Break-Glass-Overview.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/docs/SHIELD/Reference/Break-Glass-Overview.md b/docs/SHIELD/Reference/Break-Glass-Overview.md index 126b5ff..cf3f341 100644 --- a/docs/SHIELD/Reference/Break-Glass-Overview.md 
+++ b/docs/SHIELD/Reference/Break-Glass-Overview.md @@ -8,7 +8,6 @@ A break glass account, or [emergency access account](https://learn.microsoft.com ## Getting Started - It is strongly recommended to maintain two break glass accounts. One account is designated as the primary and the other as a backup. This provides a fail-safe mechanism should the primary account be inaccessible for any reason. - Break glass accounts need to be excluded from all security controls. @@ -71,7 +70,6 @@ Break glass accounts should be monitored and audited as much as possible. It is - Break glass accounts should not be excluded from auditing controls. - ### Notifications Notifications must be set up inside of the security information and event management (SIEM) solution of your choice to ensure timely alerts. Notifications should include phone calls, emails, and text messages sent to everyone in the chain, especially the person in charge of information technology, such as the Chief Information Officer (CIO), Chief Information Security Officer (CISO), Director of Information Technology (IT), or equivalent. All security personnel must be alerted if there is: From 361be0b742f8465cef602e5462da8a183d624230 Mon Sep 17 00:00:00 2001 From: Elliot Huffman Date: Thu, 8 Jan 2026 17:18:02 -0500 Subject: [PATCH 11/15] Remove Tracking Code This was leftover from R&D cycles. Format Document. --- docs/SHIELD/Reference/Break-Glass-Overview.md | 28 +++++++++---------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/docs/SHIELD/Reference/Break-Glass-Overview.md b/docs/SHIELD/Reference/Break-Glass-Overview.md index cf3f341..30e8127 100644 --- a/docs/SHIELD/Reference/Break-Glass-Overview.md +++ b/docs/SHIELD/Reference/Break-Glass-Overview.md 
@@ -10,7 +10,7 @@ A break glass account, or [emergency access account](https://learn.microsoft.com It is strongly recommended to maintain two break glass accounts. One account is designated as the primary and the other as a backup. This provides a fail-safe mechanism should the primary account be inaccessible for any reason. -- Break glass accounts need to be excluded from all security controls. +- Break glass accounts need to be excluded from all security controls. - These accounts must retain full functionality at all times. Any restrictions could lead to critical outages and operational disruptions. - Be sure to test the account login immediately after creation to ensure validity. 
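Review bot: The line touched in this hunk, "Break glass accounts need to be excluded from all security controls.", is broader than the rest of the page allows: later on the page break glass accounts "should not be excluded from auditing controls", and the packet section states that MFA is mandatory even for emergency access accounts. The visible change here is whitespace only, but the wording deserves a fix in the same pass. Scope the exclusion to the controls that can block or restrict sign-in and point to the auditing exception, so nobody reads this bullet as a reason to exempt the accounts from logging or alerting.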
@@ -30,13 +30,13 @@ Each break glass packet should include two of the following printed out: - Detailed login instructions including the specific account to access such as "entra.microsoft.com", "portal.azure.com", "admin.microsoft.com". - Two FIDO2 keys (YubiKeys are recommended); one primary and one backup in case the primary key breaks. Both break glass accounts should be stored on each security key. - **Note**: Multi-Factor Authentication (MFA) is mandatory, even for emergency access accounts. - - PINs for FIDO2 (Fast IDentity Online 2) pins need to be randomly generated and included on the papers. For more information about FIDO2, see [What is FIDO2?](https://www.microsoft.com/en-us/security/business/security-101/what-is-fido2?msockid=0ab1f8f5d40c6fac3a72ee5cd5e96e90){:target="_blank"} + - PINs for FIDO2 (Fast IDentity Online 2) pins need to be randomly generated and included on the papers. For more information about FIDO2, see [What is FIDO2?](https://www.microsoft.com/en-us/security/business/security-101/what-is-fido2){:target="_blank"} - **Note**: You can have multiple FIDO2 credentials stored on a single security key. #### Passwords - Passwords must be a minimum of 32 characters; 64 characters are recommended, although the longer the password the better. -- The password should not be human generated. It must be completely randomly generated by a credential vaulting solution and set on the account. +- The password should not be human generated. It must be completely randomly generated by a credential vaulting solution and set on the account. - Passwords should be printed using a monospaced typeface, such as Consolas. - This prevents confusing similar-looking characters such as the numeral zero (0) and the uppercase letter 'O', as well as the numeral one (1), lowercase 'L' (l) and uppercase 'i' (I). Since the passwords are long, it is easy to input the wrong character and not know where you made the mistake. 
- Passwords must be changed immediately after every usage session (after emergency is resolved). 
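Review bot: The added FIDO2 line still reads "PINs for FIDO2 (Fast IDentity Online 2) pins need to be randomly generated", with both "PINs" and "pins" in the same sentence; drop the second "pins" while the line is open for the link cleanup. Removing the msockid query parameter from the URL matches the commit message. The password bullet in this hunk shows identical text on its - and + lines, so it appears to be a whitespace-only change; splitting the formatting pass from the link change would make the one content edit easier to find in history.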
@@ -44,19 +44,19 @@ Each break glass packet should include two of the following printed out: #### Printing - Use a Secure Printer - - Print passwords only on a printer that does not store printed materials. - - Most multi-function printers (MFPs) have internal storage that retains print jobs in plain text. - - If using an MFP, remove and securely erase the hard drive after printing. -- Ensure Privacy During Printing - - Confirm that no security cameras are directed toward the printer. - - Cameras can capture printed content, and anyone with access to footage could obtain privileged credentials. + - Print passwords only on a printer that does not store printed materials. + - Most multi-function printers (MFPs) have internal storage that retains print jobs in plain text. + - If using an MFP, remove and securely erase the hard drive after printing. +- Ensure Privacy During Printing + - Confirm that no security cameras are directed toward the printer. + - Cameras can capture printed content, and anyone with access to footage could obtain privileged credentials. - Ensure that unauthorized personnel are not present during printing. - Ensure that people are not present with Eidetic (photographic) memory/total recall or are familiar with fast memorization techniques. -- Print and Store Copies - - Print two copies of the packet for each break glass storage location. - - Store the copies inverted relative to each other to minimize the impact of water damage. - - If water damage occurs, it typically affects only part of the packet, allowing reconstruction from unaffected sections. - - If you do not have a secondary location, consider using a safe deposit box. +- Print and Store Copies + - Print two copies of the packet for each break glass storage location. + - Store the copies inverted relative to each other to minimize the impact of water damage. + - If water damage occurs, it typically affects only part of the packet, allowing reconstruction from unaffected sections. 
+ - If you do not have a secondary location, consider using a safe deposit box. - Maintain Redundancy - Keep two complete sets in each location to ensure availability if one set is damaged. From 6fb93e29e2dfc2e25ea15709ccb16cd2f96faa91 Mon Sep 17 00:00:00 2001 From: Elliot Huffman Date: Thu, 8 Jan 2026 17:28:56 -0500 Subject: [PATCH 12/15] Fix Pricing Table Old pricing table was for v3, new is for v4. Add a note about when the pricing data was captured. --- docs/SHIELD/Discover/Installation.md | 4 ++-- .../assets/images/screenshots/Pricing_Table.png | Bin 0 -> 24224 bytes .../screenshots/azure_cost_estimation_table.jpg | Bin 62335 -> 0 bytes 3 files changed, 2 insertions(+), 2 deletions(-) create mode 100644 docs/SHIELD/Discover/assets/images/screenshots/Pricing_Table.png delete mode 100644 docs/SHIELD/Discover/assets/images/screenshots/azure_cost_estimation_table.jpg diff --git a/docs/SHIELD/Discover/Installation.md b/docs/SHIELD/Discover/Installation.md index a55ed2a..fb2b60a 100644 --- a/docs/SHIELD/Discover/Installation.md +++ b/docs/SHIELD/Discover/Installation.md @@ -22,9 +22,9 @@ This application is a self-hosted application that exists in the customer tenant - Minimum SKU: P0v4 - Runtime Stack: Node 24 LTS - Resource Group Name: SHIELD - - Azure Cost Estimate associated: + - Azure Cost Estimate associated (as of 1/8/2025): -![Azure Cost Estimation Table](/SHIELD/Discover/assets/images/screenshots/azure_cost_estimation_table.jpg) +![Azure Cost Estimation Table](assets/images/screenshots/Pricing_Table.png) - Permissions - The User logging in to SHIELD: Discover requires either Global Admin or the following: 
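Review bot: The added line "Azure Cost Estimate associated (as of 1/8/2025):" carries a year that does not match this commit, which is dated 8 Jan 2026 and whose message says the note records when the pricing data was captured; if the table was captured with this change, the year should be 2026. The M/D/YYYY form is also ambiguous for readers who write dates day-first, so an ISO date such as 2026-01-08 would be safer. The image reference also moves from a site-absolute path to a relative one, so confirm the screenshot resolves in the built site from this page's location.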
diff --git a/docs/SHIELD/Discover/assets/images/screenshots/Pricing_Table.png b/docs/SHIELD/Discover/assets/images/screenshots/Pricing_Table.png new file mode 100644 index 0000000000000000000000000000000000000000..60e3331bb3481d81ec318b0bab0540d88cda5370 GIT binary patch literal 24224
diff --git a/docs/SHIELD/Discover/assets/images/screenshots/azure_cost_estimation_table.jpg b/docs/SHIELD/Discover/assets/images/screenshots/azure_cost_estimation_table.jpg deleted file mode 100644 index bf95752383600316e284a68554b0afdb5b9829dc..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 62335
zu!LM8?fkevyYWXBn^y=liVH0o<3bhx9V?3;h7r<%XPDuFiR=5%zzL1c-uVkGWel@8 zG}k--1AyX;W2JfotP>*CSA`$YE#$(h-dWr6@vW;#?tU51SvPRg$0!bZ#P<`Bb_qKF z@4_Mw7b~LEYW%#jOQ=Fb2Wyk|sUGqEtq$<2w_o#T?OEsYu3-IOq2;f{e$j zgc)TCO3Q?9PM5=mNLzD%#!C~dkfqoxv;lI|RSL!@)!(9?vz9RlPO*_naL?R}Lh8EX ztyPJ*&Ss6*~C5A ze^Pe%9l zSp=(Mtf?OEnTz_58^UZlQ;HL(8EahO&LKhS;Aic@3hUClVZumuq0mm9R#Bx#4CX;E zK+O7#RUC33nakav{x^8F#68*G)3Dyhd8)W1>{Q9gejt1~TW9GJmahR7DhePD;cixw zCUX?o5+S1J3Jam=ftq7L5IrV_dEd=52%W7z~^TmktkCi9(E;l`~*UC&y zf?hp^dv(ujbg4%b7!#eKhh_jf4FT%Brt+q}=u9NuCS0Ou!GmPBvE^B-K^~QC}YFzK=}S*=g`?;M}Oez# z8wKw?5!#LsxyN|b`lIR-Lil1a!?-U!;0$-qie8=U6^ZCKd0Jh(2p(n>e}x7mZ(ool zVXY?uwzj)$SAN5Px--h`nU{0}ls1~|v>Sh$f(Ge{MAXMpUg@ykgjGu~k?)|dcWxy) ziZg5m6*yJ)Is8~|mri;fE}BaqtsOUpe-w6%63*O{{=kd4ZO?xfb02vP3PA}y>i8!7 z^ELdn@6c)C1X;BM?ZM5v;v%j$DrzCQ5Dch2%XAG^;l567iwx6#rvWqEqUK z#*SibgWJJ=;_1+;b)kL{`9H5N9~`t!*`h}ToeDxw80y_2G(!cc3C*`8UzXU=XKV(7$&fyPMDM36|ufj9x5 zaB|mmL!q*t78qAaT(^?YO#Ges>Nn4KPGz2)obSLmsTqwGBdm^9{zY0L0wyT$>4dO{ zB79Ne`uy%|xGd1@*8s0~DGLAfA{`vBwiNRdcj`8gk^AK%DU+PeixLhIUWHE^0|lgL z#h&2{>BG32&OQvW)S_-;N63O_{-`iFj-U&$hE%w#ysP(-be$t*e+o*t=eT^dA@y=Y z7V;|N7+q~HIzYIlYkx-KWlKE&=pF@n&3Wuv4op(->n97FPbR(8Bl@cp{)ASZWNP`~ z$6IPz#H(o%q(slU12{?j^Y)vS-z#*5PE8otO@ov$2@;FC$CV#qx*Wotye7x+QwQ&q zZgM+AMzoH!LrVt;(0lpOE17WyuVpm?j zD1e$_O_a%WwhWN6rRfnDGJAOTnltj+w3`u+)HZeW4G}>zy!V{Rshfaq)dDUT!I511%&$HQzu6_Z6%SC>HO+` zQ~n~h&$65pHqEI>Z|#i{I5s@+2`*)peuf#n$GsxT!?j#H@6RK`hJ&n*9g$tS@is$i z`DNV^Od@U)8LUU--QfjP!1MxID~^qCAjnWJsXyeCi_T>p={eawwK;-6-7@0Yt-KzG zX&{1bHEA|X!g*y3}&3?tw)W#8{n*hBIVW=9Z zbmF(<88I=9=0Z8%_Pv63uizuj2*e>!v2!!39Tk>3gyOY6vw#bF=$h40OWqUBd5DQY zOYJWjrioy_4f{Gk zIOY_Cv;M7kMmMK>lTth_CFSzw9)=al+YCoDYKOB)pN26^?bDJsGU&vnn2Ld|baBLP z>3RaY`r#y$InuBBZfZ_YM|YaU$Ws6bb^1Bo5vQe`#gD}R1hzb-u3TdDWCx+)NzHm6 z-f1n<0dr#`{#K=0n$WlanAqpOWBs$O!QZjdHSj%=inzm>Bhcy*GC(K(-GmKc!LUVU`QtPu4e=`eRe?>l%M2=+z}qeB8FeA4W$U_IrZ?a(9SCrCFh{$4sE z&Ze@oB3M;wb5LGdIP7Ib>xo|ra=9<|sJ&B`dEHI8m0UtIE#k z`bV77N2#r%m%J<3RdSJZrFeqWw^k*-^D#b;Ec0j|>6F_G*`82U;3K*A#V8-Vf 
zNNgeT-)KgdhE)7%Idjqn7t*ddQ1}vETT)yBr=zrKJjTm_OvS2tWg=W7Ch%9Bg}v%& z#+6-}ld6STXO55`t)ZPJIAL_I#Jv<(xhJDuwDe={#tM>ir$#OKf3m0*s#TV`#&xNiI>oDI1_}NR!p5yslBhigcXQ&3C-@RxDKe7LgudFIgQ&s>xux2e0p(>A|@ z{ml=+*{h}>F6LSjNzhN&FT40Z$kur*GkFIK8c(s3We=`H3D~idM6^x|8LEnVuud9# zKnl~$e98OOUY)aEH+(p^0|vuZ#(fwV-@(VFk3dFL!!_uL$X^cDe32Zp)cn|!nUHPO?rP2x~XkU=0L4_@iw@1!z(Bd1- zH&VGLY_36`dT&{Y9Hd=2PET;!>9K%4kfKmBq5C7Nw3OqQ|A9d&%`dUq?t$B};E#c)9HGfM zRc9W5(9fkBp%L|9TsD+YF2SfLFzUEsYi-aa=Edq>hgXqS+k@t@hwl(2UXr)jw2^42 zGW`Qven8Uu^Q-_#I6S7nf0xqJ`h_}~*73*-G~w*&9b7y#8Nh>G+I;SkU^#0@@Df_} z_Q|{-@n*^9VBHMJ&p;j{O7IcgH5JKE^v49@qvf=@0gdf6zUMT^78O1Dc>&}kB@b@S z50#b!GkaM~vXE2$$Tofs00&oTlf<*qtj-ii7Csnn(;VphzM4%!Zv9Oc(Yc#1sJYNh z%>Dp+Kt2qN>~ZI`_D{=Lzfpd8qH7P>(e8j;>kFgmon1I7Jxqz0G|gdiGS72@R1qU( zNZAN7RBsCZ2=ZenaR|Fg!V$$W<^|<+3+9!Y`A2dM3}8D=Iq^>S2?d=vG+H;Xx^BIfQt;GG-Ji;z z2qNVS)-ba}{@G{#@o(0z{6IZo-d0qJ(f)iyk9g2R^l1m4w_MRHeuT21nZRjv(@*9( z8B8T!C#}a3a33-u}CV>!W=VHgSGJ*Q-vatG}g~gSNIW5s*DSx>r29s$O4DtHJH@GuJ;j$2!WM!`)t-m8s&A!@?AeX?mMlvf zN_qhquoBq6; zBp3w6qht1O%!o+o&Jjpzc7`97#@YO@u=XhA?1#@^al~9e~l5nrMmI zmEhTBAK^zx^_S)}w^<~UT5*~C~s zA>34%MpAsaHv+pQ366GqyGX4;Ha|S4a?d=}7>|Hsl}WH!5o|C7)g7+P@5VNY(T__V zk}DlVvF5Tl&L@mX>_TvT0xpU1DRu{p9rc21hFPeI>hGAb;UsFHx)^tNbcXoavv@i} zJ*Tp@G{XW;+(4{gHAPq`$s}_PR*}mnCXipUi|NIC5~$9Er0xv-ybBX>w+FrZfS5Fr z<;%q=9DO5r&1iC|SSZrPIX29rC!_!%J^z)5r0Se>ZMbFJ%VIrZeMl_Ls-}yZu%jh> z#hryO3mz!*=hv%1WaulNO!;?~o~>&IEr}XexqF=-MBnJ%d#-}$YG;`MDsg&*urJ`0 z`iFV`YPMhnCAf1awA2N+Cv+j@fNF%DgHyWe5p5IWs{q;$XI^oE6#RxB-I~nrI%lC9 zw*v?RgWRl1)p=YQvhgN2S$dn|^Gca;L$s4vtG)$fHCERqu+6|+Lkx1^gf%{c2J-hOc0BSZ zB;-ATkiVzTWJ(!p@HkW6Qnww&K&qa4Q!Zf zw`rZxzE&Si1+vgyRIU%!MXtI^Aw6tVW62NwxwT#F^SVy?rpDCz{ud=6=Yj6wqARou z!6_yEKy?Iww{*1G>Kg^A-V@z$nJK;X{K3l)LVt{AI(9mTvvonc763${Gg>=xA1NRv z)6C?&bTvxj*6Z@MWE0e&%=*A2U9u}=`Dt@TGod$Q(>5)-ZfcF#)>v>7Cgg`2zu=#H z)^Uy#5~IoXvrX@r^v{lI2lvTeWxomEgfgKx$lXs}b#K?9!Y%xm!~Ay{*3j(1MOxx9 zOiROo4kdnr)eeO_-Q~m(IP1h?91ol^8K}Qz>FccqiMN&1)^1gE<{^*<#b3eU=46Rk zP%1wdl@iaY_gV*MH#=3cN0FJ{X=g>geu4(96pSU^1^v>K-V!3H 
zN{4%`)_kp4QJ5b1z>%JfTxP7JEUhnAc7 zI1eW|I^10?s4kF}!Ggo^buks!;A|ujjo}q>PrqYWN8nR*%{ck31M=1Na&o|j57Vzj zKOR$sm!D=pvJ-b;IqfH~K0(q41}z)L?pC&Itp7fe@wa{o663(C>Qh)Lrdq&)S$?lpLk}MZrk6!|o)9 z`*lY~6ZmUGQ;R~gT9tP)ETGFezy8U7tzhUrvb^|}&RKJzOK05j!1h*>)zi$G$#ji2 z&6p*kf(oz{)ErdkQGb(W5Q8;G)OLl9Zg67g50?u1J)(MWeU36EoCh&lsSJ$zCY|V` zF;Tqdo6?NoQ;qnqY}rjkfo2U)3*Y(ZTp4m_#N^Ho;l+F6g1p_+z5CX4z?=Wn^>-bqp{-Uu*=8W18E8;dFiJkvQh%Iyr0D3+y%zXRI{{YANZ<*?to{Fl zG5=G1>_654TPOqDXtsmoV97E)!pK2}>}$Lv30KESH3ydQpGD{q6X(brjcC$2f^~+g z{e^Ahq{J%>>#1MjEBT5;&!eiZe_%c)rEHIM>55f9ZsnYdU`4?Ga{4|PS1?{hvm!9i zCwZAC8B*hUel3Y#UgL+Dr#GQ0SPhm)D>Ay-YI(P2kGAGvNLdIc1N#LbsWRxaSFTO6 z6ZFx6_yVdx-Ks?06q#x~SmdN5J=TgFbmg{!q}Jq~;d4~Dic)4XK+MUGpn3p398_$G zSFm5SWz(&n`39-CDn%8eeKjP_(puyY?#dkUy2y~SUF`4U5z02& z+8QyM)t)1{phpD$_$4%)KG^=>&pH0tVgK1t0;1IiH2BORMjdh;xmwsrnws2v`s#pg z_~@IIY``DqC)&ev;A=Vy5T}kRk)O5%B9kzV!T~5`mvv1f_2w<9iWZNMGp-AfQbUOs z>`w75(s;?GZ<1;4{{A73SuO$izW&iDkJN0=MHX2>YQU_9mkw^%ct|!m?Mw0LGa0uy z5}67b4Dn68uaa~dRyPMAGsS|`>@)HYwMC6VxWq`iI}>3QT9{wsyU?uJirt}QW54KY zd_?wWaK6sW;rd-*3?CUe?9+W4n-F!H+NvE#sKZ8^bsH<>#c&3+ZtN+1$=jdpRP9wE zRWl}N(%@D_+KZ=JR;%LHO-4`^0c1^`dD`w8>MP=?nhyjjIwe%z+=yBOo#&^T3uhOM z{Q|-qRX)`h63HrarDZ;yLfl2+PvJXID`_iXpHXFG`)r7PaY#_F%N}EYV%!mBvfr88 zIRm;G%IuN}eC}6mv!XTpn~~88mJut@5pHyS$T1eZ*6H+!nkuf!BdeJJ50IFlKx@j- zbxgS76JJ)%JZ#*-e^>3b*vbg*&w%yIMa_XCjT=lDV)c#tZt;w!9I;C;fv6XEidsQk zm~s&`6{6o-3DhRa_ZfntKb@N7eKK7l_Ig$mJ9!kbfN5B)U?PXI-NFMD-VzKW67@Tw2zMTn$qO1j#Z9QY!@QBF*bW|3+m9o|2)j_;#tOudG?bT78{c4%{ zfI906wnN_hvpvo-lrOZh>Yj|QvF*pU7rwbus8zDdh<1xqXeA|Lh;)m#yO*608UhN! 
zdcKa+S;;TzJM|G+`~OdhDdV=kc_QRntI)z1*7IUIkRBfa|_^?2h&l z%|6ltLGhS;BKAbw)6lf2Nu>iGh8vKwh|>49v7y8LaU}1*$Fjx$~eWQJw7s z*ikbY)Ph{-O`>vQo!8BPt<;3G@}T@T#b{E7WH5maIq-R7CV3pq+G^xY)Dq2dh5Lc> z4(38Qn}AHxQJeB#KX(P| zt^gV?@)OMlZI%Y3IQ3GP`#_AbVls0YP7%g;fr-nbV2TP%>0ZM6%@J~rstMXk?5ePh zzY#BVO>sB&S{&CSVtkJHPdwBz_~+AZoFZGi(Cy&1jdrnp$~d)p#4+BpXV-)JYM@^Q zRZl2~-|^+gkvDQrY9_=ri#pR!rslCU7j5B)JgDbsyXIR(WZA>9ov-3bgoMq6QW5BG z+&vXtL;aS8e4eh)aiP~(x= zSl!&v?@Pi}aGh5ByOBtdkJZ-mF$c?R1|w$AY;IMfb*mP#sU!VI&;qU+Go|Fs(PW7ZO68b9+lzY(VT}Wga z2k=Ay6ek|~TneIjI!KSm^#la*#Cs4}T(WgAGi93r>Q$x=bdD(8?*f&Oq?S}|yT1n7 zN}PW$QZ-tA$Det{m!-VTyYjW>ulM|GKmW3&zx?Pg4EYN`|B4;|BjV9K*&Uqt%9Pcl)?zSUjq>(?BH=q?SH_;BLH{3M!n_r;)T(#6>c`pr$fw4T#3 zN5{f{hJjwTC9Mfk8difkxz}E+T{>&HY>08AinyM{B^JUAPmeP!mi@PtQEX_tGO`~? zCdN~xvL-7Rg<%Sp^bp3p#LGi^V>bpXyOqpK5u@6S6%l2d4~pzmBpLpTA=33hN6_Hh zTz10@b zA^ZSd{bD0SP&5{Mr|>37HOF2m0cTN(UW1`C@Zb_MNwT%}$=S0o)VvW&s$|lY;ZYqY z$42I{v!!4Y?|U<@TDf##H*5Bk_e7uhGU@nC5NC0OX*@q9r!yWZS8r#mbZCl3;i`xH_B#Adscr^(}6K6xR>jyVhE4CI#*Pe5WP8l>R=2L;Nuu6~k=-uya zo1ohppQcUl__MWQlN{Z&k&%Wq|CsfmQo+lQDw&=~mtjGZ4W1g{t+vx6ULoZIH50U# z)W$Ra{*ak}9}W0(*l1>2^JA}rOz5#s-gE2s+|}tMTkB`jw{?Bd%LpRSb``w=jEX;* zq~XE>zOIn}>_c1IVK;}S&r^zvN_>sa*y<6fow16=vtgW)tH9{bHDv~F4Lirm*6xjN zu-7Y#Y~|aX=Q)+ihp{sxP_*2nwELh=7x!SlQplR_$x1b5MSWykolj?NZB<2du(ChZ zExl^bBhTqagyKF2`nS=xYn8&S(?QSJA$PSI=UJa=v!g@Un8dHi`-N(?N#n*XC&xIy zNDpQ7c*km|dex%A`)em&#N$&dE&Y#T%*nS}8j?9w_CRe~UyzsVVV;IP#4}TH8V5Xv zM4FvFiXMhTEuZmk!c9$S##@R_OS4_N=lNG_EyTBqCB?{OnuDBmlj3WW!kq25B;4GZ z^=5FOJ72`tp2Vk8Y+zhq3GGdcZrgJOt>$|rKdd&TNuqA;@RmHw3|>HQ6@fDCQx~Tv zRh;`{3yE&Z;Od`(LZF)G=>5+z*MYSvlIo$g;eOXvMpH42` z2Q!O^;~XKLZqG;h5~kE^8QQ;PTE(+8bLqS(@RT8RclaxpeV}ba(v<%MCe~dBMW>I- za&|_c#C$$~Ky!%zrUv_U8xaj$xUVE!RIxMQn@$ZA<^L>sGmv0EJUTVcJ0ILR}F7xAtAVJ7VY7-@4a78bsg8J(p#u;m!ptaR1#lx;i#F5PY< z;uYv$OrXZ~_C*sD^@t5FX7|T(clKzGX7&J$R9&PBFNSSFrCfr!s_QH2cMoRv4R{oe ze^swCm)N{jA`mkii=XU8E?A>rMh%eyWN|zezjVoedzKnGi`KrU!<<-~4f`(67a`CjTHbSRSd{fgm-clA8Tk zO*!b7gBFU@R-aa8x<~ByWgJVHxV)tXm%^qYVNT;Ia%UrNjUs5Spf>hCv!pEC@fRwi 
z)wf*~*r@Wp8+3`dj%$^R)8@P20`1r(9~p}8xcrbdS#A$rJ5I^&g~LyY9kXZ~Dd&5+ zhJ|4#C$dg2{5Ww^5L?E&pOfEL9_JnFQA;B+KHNvf{fB15`V9&d2>p--Z^LQpJP$Bc?({Rwf}AbE(Cu5dN6U=J#ovV!Uft$Xf6$3Q z(R~V40UqcgB}yD>#&W-q$1uf&8dqoZbzYb1Vy#!rhhk@px;s^20G{#Zex187_( z^pe@6CQ_<1>LqTiU14#F%E`ib-Y3S9&hrIke2&{vN37a4NN)K~uKHQCyaZk{ccCvZ z_A#js4RM~EkaVtRN1J}fH!!MDbz1Y8(N5|2;rZ8f9~Pe>r*vZy`*n4Ou=~UD1gP_( zLou|OH0=L7Xp);rG5ECqAN}jY(RG|VBADp@JX3qI>e3#lww#*;8Xa#_9U3$1 zy*}~aH(7l?Z%u|q>U!Z3XiD=d0+crN2(~#xaY`~(GnBLY@Oe(>xeV`aUT3YHW3|md zpH8F#Qt~D!bhRK+x1*hcD|`}5Qt4S#Z{S2g#Pk|Yl*tQQH@jWnxH z6*afsJ%qzoIKrITSd`T)%BoM-W@VvZT&HXT5Nn_FZC>ApM@K$X@D*)_m*miJa|+Lz z{KOya2jffOUF{KB!|DU4XDAubebW@>m==uj|5%&HMGpz2SRPKn6kVlwh+7zjaMgfs zPm`Flr3QK?n(C1?*Ce|fSaE%5&mmGJ`PSIUQIg!(Z3akSpb+}vqe0I$*7hE(y&p_! z>g6r(;5rnAZ!FCY1Y@zaw+7NopjuT-#9{}Vlb80iRq=*DJv(aBPKgzpAtEDdgRxZ%qi=K8PjX;m=Ym{*WTrGd3giLegWj`Lf zO=i3l3a(XZk4ACWT^KItLm*YBmFfIJkvIzf8(cqZ4<6xE8DNrlpvxikTmq`D0~=_ZTIDG@*^bvCSe0)n)tSzW$e2kQVn?a+}7!7BWy=_@x9?H zPO?+W&ek$Bh$}b}9JeAr+^G9E#XI5It#JNz&O?kUed0sf4N$&wA13wnHb$^QvjCPi z)SMtmv!A!$AbP&368N-CeB{Rzox%;ixrA?Z-(Np zU~lH-Rd8?VdeDEfq~KST7lUqQzkeDsU(7DJqG7LQf6Jk&?DM@nocPkRB9DLXdG3AoUtxGie*Av# z`+dK|XMpU~Y{Qxco)&10$&CkF53BR$a!P?#L2zTEN%$y?-Y^iR-AYS_vy5d(2Pi@; z$2FsDoYT*kwm$0i*ttzMD^+T-1ub(g5_(IywjKXO>|y;JATmjvv@@qC^P4Kl$n-o<1W8 zx!U-*I1fsShEUt#JR$cI=xC4fhH;zY1Mmu5(`MqZdDiE@3zY?jLr6(K(H0VFWB_F; zO)=B!no?Q~UwW@$R4jy}#h-`fx+EHTzdxpB3+&=ymytG<3*ph5H#U^JEBnbc?O|cOwv2>OR>_rt3N#X?!}FJSahwMTOdOF!HyS$uBK7^myeu2G-a%fLu0%XA_*RhaYiDq-VszKB zR2~J~zW02L@tz>Vnw!ZqU1{Iap%io7J z8#BQ5;S18gbo=-Y6F-?mniT{sxW#!am#t@+r0)U*&^%=wZVmYeRDfv3WiTw}i0j6@ z7?$zOP$7rH3&}n$1XPUjLVhKHtTP}CZq2-J(6U*M1(SH%(lB3N@GcVtBr23=*;aro z7Nz$gU3eM}aNYbqkDQ}lg%o$6Zfxma97v+^r+XuW+P`Lv9_PIYeJUD6{)HQv@FubB z&rX^U=QRz~^dd_h!Il{!x*7s+O^UA0bA;)YJ2zt84|N|N;P=N6O)xDU$P%Pw6xDM3 zx2nxE7|-ZrnUYZTk#bec4>F3+E`2)&c&F*D?sm@v>a3kX{oXACki}n}!cbK=QpgNt zx6jv_QckX&;OabW)kL^MpHm%P{4Me3MuZL0)QVHwvh=_29amL0`Af(4A_{@F{wSw` 
z747O@cU(WFr)8pe;Wp|Eiu7y`RaUVF5XQBP$^E&$a9?pk585`Lj~Nt$07#=g{LNQ9e$V>k>7nx(wKLHIw#GX>2G5=0K_)?*LvM=2&XOq5U*1B z#>fH*M`41P_U*=N44s5R7(!)A9ifgP9#6Px0)L_2CF{8U_b0Cy&;M95QtWK3wuP;W z!A4yoo3o%9clSCRxRAbWbkkBmzL?^S3(QU5l2V8FUm5A&ng08LGBk1|r*%;b(wZ24 zgs~Xu8I7x<7O)^#t9?-EDVF=JzqNRvK@cMe0(FQnj)Ku%gYL-&em|?l{t*x_`k85B z>IBa7CT(Ae*))eO_BPs2&o(hu8UhrsHKLlk^{-pA5CtkhyYZ|Qyy!S`v@o7gU~rv^LLQXs0B|gSJvQm5>wrN%J&YaH_UR?&a&zLrFtvF*S&@% z>d|989_?oy^7`3GQ5|9?`AF;n@*_)xqzP)^Z&1HxGTZI`%(p!+*||#_C!%XHudpu4 zDu7L~imr;W-~U8r6;n?ZOjJ%q<_FV_&qJ{~*>5Rvw}FJ8CXP`W>hZoT;ogbRr*RC* z%^Q(qfm$~V%cY$mrl&Y(D}-rwiPB9ECF|>Jcia)Y0>#<|llgAgA?SwUD&sQJ7Oa&h z#VUCFXC<7hIO&3TXGFZkWTnz^S3_1QGh+fn5Ar1q4-99iyBC zuy+|gzH)z^7|#xvy#rE0E+7t#5io+YmTCFkn5o;5@(#?2+yKg&RXA70@U;IqtJseS zwS~!MAR$TY1sbp$)csdHP@jd9{L%IKeQ@^LiM6PKErF(;AhfEOyIy#}cct<|g7C?T zkcgYeVK}9=f|;u}h(IIhs{PMZIQRFtcgMdb@Fb?XZ6zSHReR3>NiC?&@-k!fvDWad zHIEB*0AW9PVgW@(po|#9vUM21ZMe0Kz3H*>&dJXC7qu+>GyCbhR1$Bl{7mL%l~|w6 zF@ZHot+!laIGNkR|EPag@lik7XHV28Qe*mIk(9tg3OzQ`M7J#WmNXQP4mWdkh3ST^ z;j8<|f%k$B_RUV%B9Hn#rY<^NX`n$P_pJ-1cen^clTY~#>^#)9aOj#q z`U8kYB@Orbho6;Y?WF9$s4H2w20p4l9qO6ZCLe1ztl&^1WhTja{^wAsqTNz-sQZUH z_4|qorQ2_87jKA**vBw#jS`J5l@K^N-ulD!HFf;D$NUk@#Ei+ z6Hr%8-x-cwYTeW0v-kd>#}(%3(^a1L#YSD?LQvyrd2Vw%DzlI zD&Dszz=99m2qD6!x40rza1~ACF;C2C@B+A~^vm;&mO{Ok7>EkY3P96CPJuNq>ZV49 z5ov|6=FK(_cA{5HaE+C$Xnjw8Ry>Hg*LEE?AFxNXG$M!PXEo0sM9!jQ6Uz|rw8Ds%pCNIU4dVSP2os6Lo2m*~Bw2Dl$NV_fZD9};sw5AHVNvP;;h z?LN$M{%e3Z>BWtrb%Fsl0`RDh$V2#_mHqlrS*sV;vNjquz`k9|c-eR?%CL-Bx3%AI~%uI6G{T_;dB)h&0m{+R_C+#_%QMsZsd21_+6U+jwPq ztRlYkgrhuu|0+RN4YDuyX+26+%dSd5n2&1#NqOrS{8L&)b`#IjWf1gV1hkKW_}AsC zwQnKj-s;}Dmwlt?hRn!IKbxFl-t%2Rj7xuN^g#HanXM;hm_D|dvx8`p0`oUhll>n$ z@P5;Od=vxPGNITekjTR68f&>Kts&r3Q6KvbHU^tt6!lA8O&ACZ@OLH~Jx?IIwFV;> zC|3iNzb%yeJOzr9zJ6> z-ZZ_*0MX+jhiF;>cHx(ogMoIxq!q~aa`ZnN{2J7dYNV#G)5dGIO89o@91eA=4 zAeY{@RJx75o}n%7c8lFf!5voj)tr)3jvRZ@@05depJH5yl7h1^A@(e&m4k+#W099x zBpgO9)4rbXMzHG^Fh5lYqS|$#MBUiZo{u??%X8wC%t`{$noOGjys9F^wNVkRU+11g zX-*=7vnirfEqk7WXm;GJ*{plJeaZu6dB^k49m&1+38y=jT_k 
zR}X%P4dAyvipCyaK=FVoDEk0J(?pX`DSXjQqHF2pBx2aZ%sBh!`qK+lUYa{Bvy^{F z8zH~c|3vLM424^yJ~dg__Ie*eIGU1FDKt20&A~gU1<%TCi=T4~@34Eyx&k0|x2H*ZYf`tI%;D%-pIxg~QmV z#&W)kzq(bvy)5~ROyeN{R1!*-i)=O$U}i4jYF`N)N;M80@>L8A(b*S#N^?K%?1G8% zlG}#6>4||=P{m28r~*tU)dm8f_CIi`;R&P?v4Lo+0E-yLK5YEcWVh$z+utlj+czo| zM&^+u+_ywYAmO&p|KzXR=uM8RsR)0n`v z!Qr&RcTG?#oIP|i(dQ=t#jzgW{$i(iS2pivkVv{LIFPtb#L<426(;xe{Z6EQk5W(+;3f_L??+)wnW0vO7)rLShIQ8nF(j@<(oW ziYz8q0rQAx+Gv4ZJhl|3y<)sOC%c%w?^2kTo_Ms^X(6_2v~8vY)Di3%fd+F9hzA`Z z?RfGHR1)@${-}8Up?YdDKeoEIG9!bb_F`W}dXxN5XzVU3O>ok4=k&0CPBy7l>HEQK zOrI^c%pJBLkx#EhNB|Bf6DT5A(hm^zIkpH!vSujjVA zEpjs=;`M?j3?~XR%BeV0{(>&VP3d=qnG#hu+K%hzmX!IC^>Q3cOtO4Z&u$4g|N1=< zI_MEex{fpiRhj|?rtfBHPbO)HjdxiMz7IrLQu?zLX{PO6mhtAfoj-msBLIMxD_fHI z!7T2g@3pL1_NRuEIBTeGxCzTn=UA@BpWCA?XU$vWj<)E$?y#c5$t3+5R>c5>d6pu` zX3Y(ROJ^2aBfkHgE!&q!D-rI`r^wumMbT{gEEa-~xqOv@=*We(KDgrhsyB(_nzvzpNOK`|R?wXA1 zaqkQd-Iqsxo5vrn2F-c99KI__u-|yMmbIm|Nz`bfJLdf|c`sD5uOfN2Y;nI~>9nCo z1qGC;g~}Df%j({!IE{xU57Z=dD?L>>fgshZt#-+rhfTBLYv@jt=9~Vb$GfNJC>Z~G zy}R}%#ZTJ#Cuq8-s!_jrv^V08b-SdB+4EosA}E$Pffk!hCzh9Ey|3Hg zRVp4Y4Ez(wZPZU?NhOI}SmFN*pmXFa_ywYyRV7p!kc0jR?1Rh0c0BdAxR-r*4}iq? 
z8;>LLd?Dlz)be*7?tgd<_Aa;-pL4nei^`Z*-ki^IiuB)=>(Sj7a_qE$k-$vJGJ{{z z2%oT*8vJ^09PX_ZWKzQt?o}&QX@;*) z-S#`>+dJrp(f*aC8A%`}l!Svb((QR|@iGrW`m@`#Mvr_r^o|3ayu{uVIbD0NcCN2cCRal89IWq)j@zLq#GSK`%;cr71o>842 za&Zl^Q(PIGMqwynJ1_(551Y3$IQ!G*JItSln?qc=(v@;*Ckisva>HhfMS@(@LR6)f z0@1R97MuOSY!w6+`WhDDPD?p!x~e>8?H0dJ*lIFJl4U9Spe(Z)lr=dv`w7a1?4+JS zteUXX#9ViEzHM#zD`HSjM^boHB7KCts}E##jI~noK8<s(TsEa$`CQjKW zoblszEabr_R&HB5D|m`B_X(+>b_4r~9+;H}-Xh|4Zz-cWgRRXjHTHvC3uM4Vz3eIO zkl~Q=el6@0bsHF>r#9Dn@-Ec%eHGE;cJjcfM<#H6@e2ageVzBVrNe?N+LX~&nJ5O9 z)!L*hhN<%l@FO7|WV++zyLhyYujjr5HL^u&)I~3nSka$N4nzneL1x#SeF$XmhJH)1 z(Ljr3EN)Ze9LZwxm-`#`cnwY7Kh+E5_mN-H&eev2(<6$F2f7O{aAA_aE1vVeDL!YgN-;WqL1~n%|a4ZQXvKhf@53yJ3<{4sN@(=7O9*3Iv5%GMe5S z5a#@x;^Y5`#GGvRoFOtdtxtP=j}`;rkM}fum$1~QzWAmssJOyDn4Qy+LCZDeqhw02 zS|^0S{a6Lg%cjCBUMa*(wnwUPZO8H#C7k@>jvu*Y8d??Z6t(97;N9tlIiP;hY$qBm z;5BOWueCz6=p=h;-g`>1Vn#9F@Lr}Lz@>g14!k*R-d2ceau8-Q9!fKT%9t@A*3=o3 zYdHFVJ%e$&XX-2Pl&zr2!?;&`_JF1RMJ%n_w$q&&Aoe8c_59Hepuh_@-LLz_CY2~KI42txArEqVi=Y#SRp&yOLfH~-MhEcb2H=V zkBYW{i`@!xF4|)p`N(eAPAKYlKkW?d;(3S>(wjic;HQW>mfaPX=@`$`YVywKl#7yu3Cu9c{r4esT1QP>FOYt`_$?yifMB?_2~jZJLIb!Sr>JqT zR5ns7>tqXg?k1X^^xxMyvCjui8QztfTfhBpf^lwc%wJt}^r`Ak*O)&9`b$Q(5X&emyo+@fq#`SBjCXr9BQy zZ_Zu#mVG7XgV|3WXyf|4DZt$OmF%qvx;Z4w#jW-6eek-^zOu2rCE?!pYGiwP1AB-< zr(LQQL~Toiyjp39*I<4xnDf?x2k}A>xml(zjW3eTN+&;<9dv9={8ufskCcd|!$gsn zmR_TGWDT)Wo9tiHD?%pM`Pez`U-a!+cOp(o*BXI*VG36e30pmZEoeb)Htf0Fq@!A? 
z^MMuB>9Vkv5g%n^C`gc~^Av|+)Ut7@59obXb8tJR_+$+1F(J3!MVi-;S(W(4{8h1= zv9u4<_c2{Z-d3O@R#_=CwRN@ISJylWVj>4>O3>vKe5 zq02e#BD>@y)jQ}PfWcIfQM8E7GBXT97*Llu3ZE~suOXer3sspu7&rZtfqu4>TayiW zPUj(s&@u{T$P%b^GprlFP~=?L)0x0UTRwf?9-Z{*ft`Y_hD?r3&zY({Y<`VI)Mg<+ zhhPaB2h%#=gX=j&#(^N&4p)9(JVoH86AalXaJGV&N!T_1XN_vqMeu$W{-M2f%`cPA zWL)14W?3`5ei1kcUoor@^TGkTc2D=*0-VG0!cp-hj-Tkd|O-5m?@0!+XnNyo_xd=K;}wn1o#i zB&z9OsEgTh)fL!kzBSHY5Zt@**patl12dS>k%yXFR>{`hIAbF?NyI{(fjJ zSu`hr_U_baN=UaGbUl4SJ#1?}0!;qT(&(QBhGv}MO>zY&OgizH6jF-WC; zk|9t_Z(x2}(OkgWouv4?oc3dvDt&TOSy1iG3@zBWCf!kq%qWe2H7d%6Kt9RpdS zSDjO=@(7(5$tL6Yvt=fq$?znQk{qGjH++sxyH48M3{zJlpVjXb8w=h6$}E79O@lKs z4!nzZ@IACM8mGt7z%dn5rf=?OC9@Rgasx@RlMt zfX}TyvHfL)#MYP_=C^*ytjmc^rd$ zWHUgi5fFaK=hd48)_fo%*YsC{K5T?N4X#EQxX=w6G6xrunqZtT-DN81XFPk%Q|D&D z6z)K5zpic^-?)*lK!Pf%FRmw7WC?K#2v0JZnOAA(xSV(6n%K zumO(kq5LraL%qc!47VteK;pW3_60D`*Ua@Wo+sfp0CkMu!GSURdl~umsbRadDpJ)x z{j{f`qh@pgKMs;iuyi(p!eRp^@xEZzy=8{>#Hs{hm;1?8D-D}8j(6TW=iZfJ+bO?X z-?i{rpWcfPHpdut+tMakV3o#2=|0qfIaHwZ+yP-Hf}KU@_cS^7UukD$qPRX`lgUF3%OJxaMAv5@)N1Y8&B4jwk9djb046t&>-qc#=#9|9 z)>h<3{+k5EjwwubHO{FHC6n!jc~IN2Yi=vh*3`PJa7AfTVi*42J6TT5cJ+8wKDIcEVh_(d%S z$DnZxh!zX@xl37Q8ZZ|zb$i2d!SJHsxoA!HgAQT|Jg(|drj;V`xNL@yRJp4aSZ#p% zqQ)8*UGKAqWbUBc|A=LpCNUt~h=k9-4zk{_zz_roWglm&7iph@BUb$oRU@cI)$|E< zKk0oyC`nB+m=j{haaCz-1^Y5`<(qlS^#St6y#dk0DDIEQPW=FtrYd{&FPeX#+k1p; z0h~{LR+Wb1aqBsZ4Oo9*C25m0cPP_3mc}sR``^?%moiNqsLz!1xU~~0s^*N+`pl8S z4Mo##ED>UQhoFs);tQya(^+Ov_Apwx;QO!Kzy`uVkUU=PT;U5PWRaw6^0^! 
zl&Og3Y>U17p}-+wnr*+^qAUX`yzBo9gF*=OlC%SgqO%OzoZ50>mgMr&BTb7S>#lVG z6Fb29!-1|l0tc{fhAhQwmM!uMxEuhTz8x&yR}sCObFXDR+~8VWih&ILsNeV&WFF9E zt^k|F&o`9-N(!uqXe{^n4)oC_{h&=uIQocq6}3JdcCp^}_7H8e$Lq_?x41C>PlZu# z75DwzD#zV^D%YD#63!fF{gN4Uc6{hNG!@!@_Qt` zmZ3jdZ~18h233p6iHlh1tW7n?hz%&;)Me|JC>Wn{Y0n_&jo_)4;?R*5887}??XJ2?n7?UiKb@kx z9=5MrFqo+Y7AEuc@D86q&9&M6y&g=0Lz5ly3+|hUkc3?sl}8cqce1K=g1$N-9l~RR zp*yDuC8RU@pMK?pkoUVCD8p`zO%A+qL7;cdob@nE>;a}6|6te&+0v)HxZ5W#j| zSN^iR1fs9!4w}%Nk#f=V?;=S5`Rm_QoG<}zw zx?39Us6r2=X@-?(^3>F^OPq_z-vNbY+rjWV{-)e>HVsD*?X$IP&<~K@TJt<>R`{vm zOqB+iu5jo;qaUj!s&pMK=B=cf_mtyBlnN+`y=V)=nfgADfaPEcW0&GgSA0sGVvbk- z9#rs7n(c~MEc$sy_myou;bo{k4xlX5`GkKk zEDJ8S?DOzV{lUKoxA#UzF$Aj{lAtxvdJB`v~sx;?~vm^<(0y0 z;Y8F{Wye?77|JulX?F~2Gl^a zPjr%#5m(9I4TUmnCE@|r)a>5!mYC~s)Jxq5vq4rS-vxKJcu7ENGu8far^j~y)`YbW z^E(GWD6IZcDnJN#Z&ungk-QZ97Ihg3?&c@nyi;pAQJ;iSil&1UU!5cl?_Z#0;`csr z{5D&$EN8kb`s|x=|MPv?q*$2-%AQ#$7f2*Lf?2}Ozps%XOy)dX3ETUqp?hbA2k&ix zF6b|9*L?(P&jtMV10p=BFu37nNK)-CuJYE3|Giz?Fggr-p0i`f$j{W$&-Abp@Xee{ zT^kdTvf%<_j}!oX%u+mTnt&Y89rKI*2W#rOw= z5Nn0N+3;BEAC%YQe5ZWGLS!RmMBm#V42>k(`L7=K3mN6fQ- zU_t!@MB)EcX8r%k=T^G37JK&lpemvliRnIYMCSai(&P|F4FTwTq6F|eWSN(wQj}#j z>+3MQ{5Bi!9e2&g=E2*T^FL0OyU!@II%xdr`_=8H*Pl| zBHfsc=h6lxBTmV%T+82f;_OKNp%C48<31GB9+)9Uq&10+`5M!YrNv(*?PSi5h;Fy|chy-T-P1mTT`GW8zW9ZP_AB|=Eh(u@zpuB}-*;7bc8B0m?-f2Fce>7p z$sH*eF)bILfHeV|zi#rLJN|b`6wahsdj@@6Mr$wpaU{No*(@k)DQtd!*bZ>?`b=D*Ty6 zd~%)aY*uI@X!Sg+I*`87SZ=^N24MScN&y+3ig+fj8?u^ z^GP3K?Iiyzb?Zfblb*G=>6=>IIIs$=^G&$_<4TuD zbX7YXsY@9(BoE0PNZH39dBc8F)>0f5mad@=IZkl`X#!zx$t!3!xT{u{j|1zB9)wVRGeYMgqbH;y$U0Dc;#VMcj$wylq#|8PMNC(Y!Nb zr9rY9$ja9ShTHo&#lI>Q31;!X3974uIePV$18hkbOs^{MQ zSq|Yn(+{XEu9Si{zXcsRQ!s+lZd;lT)(nR^A*kUq2+Llnp=r}N`Rhgp9Wzuau3v|-J2cj%N=T*>6*SfHdg2p*g4eKL|20(Yz??3z z{__4A{*Ua9RxXcZJg5`M;7$-4%=%(-J{K5Jw=70@-%)QV4hZ?F9SIq@!DO z1iz2aOMYAOtJgsdErFqzHHEX(-STW;r#p!aI7U#;}K@u10yxghYIo4Lu46zhJ!_?^rKjEW)LurU2E(I#JwC-cq( zwlyy~`oV+x9v!Sd>SK&MCc*tmQ15iglv0nPMsw$69d?fR=?1pZD4W8(@p2>%jLdj0h^b*RDccdXWZteCx8{H%$FwYTq|x+B4_n+z 
zDCn4JFoISk4FsnCZQY^m>yIvMZ+lVsQBC?U2HyrSTCj(7N}<0I`;IGw#CR8;_7`H=~E`J1sl3iSDCLL zVr2WAx=^}z7`16HYpgI~4tpg?TYpg8;Z}v5lWo_6MH~~&UjgL?XdD|+=?$?W68MiO)h*)0`5sqD8$EjRh z+B$R&COz9P?7aTD%+Xz0YyAE_VhwcR&@9nPn)qX7Wtl!hOw~3oF!w&8EkCI)c*<2T zljyX0Jii3%6Um`oZj~w>Xzg$T^T7ZIf$o?*IevWJvu}P?rYL0IJo_|2VuHeRyU0uf zCvG6!AJs;7CpZw-%A9%U6hG94eUC3o5^MVdu8DQuOquM*$&q&^Wy{H-Lt*DF?V-!z z*&%(3E)QQ+Q2i`nWL9U;_|@n_VfwtTw^U)*Te5q%VXN^`rMA9R%NCj1b%HL(;WHot zDV3FMMQ&3Pl*P9T?6GaqJ7BrJ;`mSl7;?VUnQ$O0yG-!HKpmQ`Ep^qTnsBu&-SC|c zmeN?3&PKMo%~lhWBWVq?)afANvt7as1Cz3iJ2Mj|h1L`G`>Ooz^1)CJbV_S@E-!T$ z$crGZuW!W3sa2M_9yzq9;X5uj_1ovml=zJg`o=f*BKM00BLvQKs?gq|<26fj4Y*nt zk025}IGp}_$CL8q5ep+YIpMcCGq6m&Jh{bNs|mPP$8W&Iq4y+B3A4oa?{Xg@4$rW( z1QDaDnxD;f=|oyWX|vCqjBZ+F zhn8IYjsTt%@&_u1{cSsC#tHS?tY`)}^3-o9*1 za=);Mx@dBX*5xyzp@P!Eam_aib!v#PMameIyf@S?Io51i0_B|2>M&sVTK%p*vZ$wDmvpQ>HJOq$+n(?X zfH`AsS+0aK3Wp&&mXdn7x~6A)Ev2xz-lcH7bgYw@OidJZxHlP?GX~Ch@u$%BWPF00 zWqDYA9tu6!>n>0n>cqLXzNl!7$V){0p+|{g`n&k+Kpp;UhawDxeM|__HB)0^yk77& z=iP|dLQ6P8RUT1upXJ1~VmpaG`xSxx5pN<$wPO)A`d!8j`UnM}5|lu~?xHs_>lo>p zOg@_7r2g}uX^THbzfvig1;f$65dg_duvmtuRH5X)8UoOyj}jc~YzQIA9?^yi+Ts@y zX;m}*RU~FW&wRl03Gt7;v?>oT+#oL5AMuA+P%leq7!H8GsFsl2K1M%bW z<@~0I{2#0QL2;O)^DrZEfAa~Xl#O{Izg7z~sm}QRU%VxitnDvq_k+0PO)08F8Ghmu{=Y#gRFL?YOJ9ZuXGMhV|}1W2ZHgbO-4CUQW<|3)LJ|ZzZ|TDjdNB z32m+l5jWl2@+w0x@jFH~>k6ob_{R`iorTNbf7ZP-)fcCS1$9Seh580WNHyQwYh3`r z$sTaz-Fgk7ip{A{a5m&*A}c1SFt!FvyT{J$JwJAR&(f*XD`LYTy@{xWC$(CWa>F6P z5W;f2*r{iyKOFd&hU#hyMkB)*-f;_LnOr(1PHIdNjXs0pg_i~Di_rz}Q*m|Yur0r6 zh+;0JJzhihI0NO#+3RU%w|BT4C0$j|aOM#T%vJtwN+$NbhbYs{&EdrR;30l`$Md4HvHonEygx%f zn8oMXb^t^)hu?^tl?%j3*A|7g0rypWemAzYO)q9pjrvJpt?X)H|F5-_?-7>dgSiJG z8ldYrJy7I_2J_G4ZFwY{K^V+OZmmHzNw;X;m+HS8*LjMHS+o>UPgP9)wPGn@M)aWa znpV#RXaSFL*^+l^L*HWUqUALoKgC@lTv(-X8Xi0m>?Jg;&T8iwfoAVkHS8JRsUBK- z+a-jseFfnfTh{uZ*+IXUIsjv# zGzS-aFxz{}@`wMZLS%p4hjb+s3d4I8-AGvYq`hqcYG9i48PN)!Mqr=@lmn=g3W0ty zya*&;rR?YJ#3|T1DEDwD#{$-b{psK&g<{>}-c7Ur@(`W>!K@v(1DaLrPxCn?50%+X 
zn6`Dj*ZfdHIhmjG(=nB){bA@88XO${iahYoWa(4hi&nKKT_W8nbkV>3M)gCbxgzOl z5nN%OcH>~(Wpw9={+u>P()!V_X z#2=y_1xz#4E2}iC_GO0~Z~1&zW^5Lyr%Uni(F5hiKs>rnp0GEV3fj^5|+ZUOQ|$t_EFOM9C??zW3WU1zBfKJ z%+_Y5Klf?DVy^a&#i+NSgZ`M&5q}`b2q^E{miFmX+2=ocopNSf z(hyD!nj!RN(r}AugNCT3d(<(s?3!_}BXH`(mjT7cm~6vJK7ByXV$P6xwhb48A%sF` z9~Kfy;A~k%(rc7K1jK-3#BU+w#=Drg z(A-NYCOW|OuA89RY3`i$#$=3!=KRnybyRMU(8CmYjFAQS=_i8aga){}c=Aboj!fH_ z*A?dH#*0SCD ze4-S`jei9@TgmCz;~`UeWG0x`7rX|>9BCcb^g4og2IyLccc??ni~v##;J z)Spk;qj)=YKXd(o8k%~G(@6^4!%> zpmHdbvV3xiYgcgeo;EpBFUIKe#!%M$&0fvHJGbR8#G~4`HXr!cD-65P;Y^?DU9c(a$NR zzqh}C5I1!#$2jt{s6A}+`X$Yf<&f|)(mrf3jC5h&wb$Cocli_1Baa>>m{fE)PYK#? z|9<57A4Tqe`uS3!4?%7I1h>v3zjt0~t}MI^oJY@DjI;;}8H2R1x|0lRc$StB@t`_C zhgf>Ho@^g?Gmf`~%MHuOEBpHZ;s5N_W~6{ot!lFH4=Om!cvjWeTw^Q=ruLrGCKl+G zL_r&SIsn4+GKx5tC1eGf$Q z={L(+>yPjF>95UQKelDuxv&E;$^-n)giMMEhT_1w+xT;TF>Q###B>8C#jK5YiogCc zwlc?XkW>NuJP;d!ZBY?-S5Q* zqz3TmZJ>3%-Pts?gUNkoVRp9jc-(xbuNP4?Ew7X4$m2Fifh{K|ukT({lJyF`cKpJL z4O@Fyj>LucHI=INoq+KbCBYkZ%fnEk3BSN5AfN6gg8ZGU6x{_?OCTl(mPyzTW`$2 zQKne=&xzxI_C0*-51Qq4g?~s~JoAOeXIqMt($J*UOjpl-oGza;_J4meTg~Z6I;55q zh&cW)V%@zSM1+WA;!bmdILLW3_kT1k`rrOK$WNECQ{r{Jdrr(8bLUv>t{)J$e~x)1 z;xPb5+P3$WMaqBnpZ=%6dti(@QKg=~i3GR2>2%~L)AR7!~=R8?@_}?lebXj zAQBGw<1_^qhsBCef#qI{->N6R4!(LIj^3s(j#6(|_Wr7N&?c!ZuaLi%3)b$D`;!{> z_5H=)saHmKV{U)?I4?5kEs)q?kwl&a&%C>~)YOEub1=p>vl&2%_k098HZEhuPT2uB zumrCIp_v5Rum@v;WG;ayUzmKPp|vnUzkbz0jZV7 zP?BQ#?Xp2qmQa6G+JS4UE~<$OsWZG{G|Su*6K4CBb{czsOPjO&wT(A|fe=}8On*vU z>79XgpXz(Y?3f4HdX^0N9x#1FjYU&RFsX4M@8_tefoH__Ey_3DY|VSVxWx6j5X5UH_fw<1AWaB|hE&`6?nie;|1c-&izA&$v5`Tdw%*TET%Jh~@_TuX)r>W& z+K~L<>(jS7+4*v76@hTSqmJ*P_GGGm1+azj9GenyV19_=lBx}#9PtRBK2ucb@U#C+ ztjT+E|4q^&$*Yq1arEh%7ALF zF3C`_+j^oVW?a7}8Z>8au(~BeqLsh)YEr?J^4v_E2{9jv=Rl6KrStB;w5v_B{phs= zPpkJ>G}P&S6tv77ysxLNRGx-9Z=WD-Y`_qrnE|Eyz5Y6BEOH%0=);d~R|>8sKPbFH z+eq~y*@dg0UoQ`R3neK7$|o`T1j74fO{{;ypckrRHgJj8WwOOB15p#zy!k>);@9|0 z`~&}zarI!F7;htJ|HCx7gDhs=GXBlOzfPUjD4!JHM8KL-lzrDXb$gDI^0>|_Xw}M5 
z!!AV&v`Qg#h_;vJ-48g;jOm)h21*$b-49GOS@wwj0o%B!q(#YAPK0k(7nhaeJ!PkQ z$$OY5VrB;fvdbOBJO?8yi}U$u^3mV*t&H_Map`}Roro^nG2mHozx|B#L`^fB6Cp9c z3z_%H2*^V28zJqQ_t|l4vZ^}3uBiM=yHvqdev|}5bsbxjT|sU=D_B?S>q zXf|dr7zdSJPgHJ}>vJ0T%7*?15pyHE+SSc#6G#zk2v=XY|Yo85W>Pyd2|%_9<+}T0 z;sRG7ME(k|-;mDGWd-JPt?yBH;NiT!t9bYb?!Phj=21!Kf8T#i+cafVrp{@O(!FQ z>_o;H#m3m{sMttBk@m|hH)v=cR|JG8w0~d8wM_Mo^-YlZ8#^?ird{b;Xa7AZh(_k; z03|s_Ed=gs6I+179%LcHM#(`g|E#b;MTzo+jV>dltyuR24lGh9iY)SD zE;~_z)zJnP$}QMLO+E?snYdZr{Xp$HVtfqmfU2+$@oDWTUL zG-$EV_q{P_;qN_Q7Vp$Y?v9*Aey-$b*T4N(+KkaZK^|GMZr7zV|HvaRhOC$%-+-r* z_6<0AOE~wnM_&3KZz(ViW1c_3UwqL>o`kVX%s(cwKi3XU4JrK-C-qoMB(I>0Mc?@wGFAn+L2_vW9 z*E*>$%B{$oX{241X^}CyexC@j-y?gTAn*LZ;Z=TJyqD`a(<2pxsVj_R>&A8Qw9$Gs z)uL(Sh9f0fn|Otp;IK>O42Bkq2zz)VP4C1FKaZYbxkb(Np^rVBIU!QRrNu;z*kX?q z=?{OvEbn#0I&s#%IQpYdpS;vfq4OTQsb~%@DAb6o$tksL1A%wO9n$uKJ(w!Xq_5tFfgSWM zfDB3gyeC6$d!=7yIvcUjA8Iz2H&b4&mY#w=^M~$$-?J98w%xd;zCz#pMfc9arSm7d z8G3oq!kdOu)GxA4BCH+e4d;PKPcOH-#cxM?{JE|t9;{Ta--`>0qG_T?Zr7;*fyn{j z1y4_Oz#$*Z3qp)9x}uM;j_mnY)h~2Abwy37%yy0|x|a~VpKk4Vh!?c}n2 zagzL9Elfm!W5(ijPtLWx8}o!Go4#Oj@ZAlxGuGY4L@z~YGKf+(LWRgRK~8X%wma@^ z?Ks_%ZfUcYyujJNe+I-daWuVQeexF8RdECSLBaQmwMDoxLQ*r&eK9M&0Uz?aro_x; zugu_mdB=oS8lHO}z_vxht(+DPbauKhyZfx~89bP14mdHWJh&f!ZC0as&#`^S2wF9s zhHka8zq)cRj}-eEt_3Zu2pB-X#e$rB-B2I4ou+Ab#vw$k08!J`#OT@VB!T z3_qEpdLlu)6;2L}w;hQr$h(!B#Z6M5e$L4&#p+W?K=gs_2jhj>cSx8+eChk;4rqaH z^{sWM3N1AZaymU^8WH2cVRg@;XvAOToK|-u!ehRhoSaN!8H;NfqVTd9zsS#-GW;Wy zssXfvMILkA(<2H>3uUd$!r`z)<75wBZ3s^@nnr)Hli0b~ZGW?&UFkhFnemXb-QkGb zrFrTF_F^sfk~%v!@}(dQtOS8``Kl%d1Hi-lXT_R-Rs^}h#IlD(pq^V_`G|g^d(C{$ z&0O%@=0MV52(p#VHp=!2(q^?of6mdDUTX$vwC|OT^-`eXdJRs^2-#iA1~6G+Cdp7+ zA|6Cd6<^uycP{m5sk**ZGp4Kz7jNn$^QR;?qbU|G_2J*!lA|?nuu`7tz`r4=+C^)$ zj={)H4lxo0U_d~NMd>7-T1)(zS{#pmT93gRUmZkBSEtJGt!MT}J zrMYVb-z3Odhh`t`5WcR8aVLPI*ni(}&TDS?jf z$F84m>$N9WvvPk2cCO@P_Fip&ftBLsvO(IY+#o5!h+cgRAG}tX#U_JxACc>?a#Xu0 z=q(mVi9s_MVhVXsuurb)3@~X3eHtj+$rjzv8%2J{vK}F)`u(inq&scJ{zSBrYovWX zr}es*QM@nijfg+qc5vdftJsYj7HwDwZ~XQs=*_f{c6{1&C5ihYL>SklDQbYU_y#aE 
zxBT>nO7*t@XC%5XU9^P8*GS_=@HR8JueZ|8}RHaubGxV*sTnuT;N^ z@;!oRa5fNI(Gx z_|uDnb;xU{FT@i6yEkX~QD|-$lSDeGCINb~#2)`JHah{YUu02;W^nS9QMSq))xaVG zFj=MmCzO<5GPOL<-aYWEyJ+&#p7uYNrSz;&&ULsk@ke=eP6t%v|e5pjZD9}L(y8Ac*fnb zEbN97v`I6R7f#UrGPtRD#g;}|&$TB+Vx|7g@U2?&V`f8R{e{^UTZTMX4fdBKleKsm zTUm+qQ?$2ctXCWLYWMpRD%)m$-obdulD98jKdtlr+}kH}+U3r<&?ORPG34lSb;{C= zss*#vVS@y-X0m=PSsDp=e5iK;kxyGo+qZtIrM_|~W2>a?iox_^3C4(c2Fd|U1LzVa z=?xEgU)yc`rToCw*~u@G%c9YpuCwJ}0$#uGsL7Z!0iVbUlXR`~QBV?CZe`6CA@%37 zG^JN7op1hSr8tCKew*|6#)^DuN)ORl5#0h`1C1vwo3)t~op3vy~J?JAmTEH;MuSq2H`7;Z zsGPtUfS!m~z}_ss=ivkz4V_;Lc76s3_(y?EK{*gBnx0dr&O>R`DH2TKmr@T)tJS*{ ziPM#(czh55S{KN6+2ywtow5wL0Rxr}-&Ct11MR~-qhAK`w$9I~vfLm*698e$Ecdx~ z0B+#mA*O64n7{VhSm0>uqc}00R@RZnx+hGXB{Sx@hgE0D@3=(0e^ykM0`1FlO_lYx z4q+p*Rm7h^R$L}5dXsApL^3Jwv|Shth19l0{`7RCN@hSjtI5?`K;|bE1`mzeNpOX8 z6OYN03|TkG04`3(sBB(rRG?C(L4mp@SL=oBECz_8h7i zPHKa#f<{I*mBLyaZM#%Jd(2rzE=F+XxE+^0fLYB)3OM5fW3+Z5CWieu2j3VmI?bSq zV0rUbkTQjT>&YtG*Rn7n8uJ4Cq* zmAWVpE##rn5pJTx4-)qu1O#QX$(~2oQgFxPuAG=rMXNtdH=s4NJgoHOhrV>i4q{UL z2UCvG_Ds zSXR=yNHs=>a$lxqfFn5`WvyB{opc$h!Xe+iu&ge)c3N4dRl+MLbDdRz>TL&2xL>@i z+(lB5BfZeUJb>#tgel@i)|LXXdz#u%ujC;`VW-e7Q6~Pg;w2>mOjO3BO4L6<;UnEE zeJ3&UY=RbV$h&fq5~y)gCS#US*mbVKfrOC@@;5E80&k? 
z-zo=QHjTv}Q%s55+bBjMv3DW!c27IA`=tyoPIa!S_Yfyz>k>LATD6d`(uEqF8|3$^ z#OB7Uv|FU;=A50z=U~Y0xzU?i6`4Kw6c(zmO|Nh`STXM7(c5J`Q*-1l&pzTa$>Z~T zVal3Fy}wNi1tYTb+?iMTJXGSaw!KC>C9v)OO(chBnRlyq(TLtq+AwAFlqc!ux}LRJ zFGQ_3QlG!E7allN*OJAbF?&}t>MLrke-0}hr~fg--l@L$3bMy4ZXvczEaRS^cZoJj zEbQw=$4Ep~%yXhf&zmz#*pKSSk?yTiS}VEoj@md5|7_B(;Lqj8#j3CsFIC2WML5q& z@LBo!RbZN`w#V;Bu#2}qT(PKCXG4>pg<>@c(MLS4*ZgVH&0jCSl~rZAnEV)=M0f=X zDNaL6$gQv~MCZPFkzuPiPY34rvZkiqch80=`BBfj9z^o=kd1SP@n6{^j$&Qz;o2@V&PKD~8sr;Vl6trWBT& z!gcXDfOW=Kl;p>hI4s688jCC3^ovH%m8mgS7~vAO5TX`AInCs?4tsKPRfHN3T(n#E z2Ultk?IN*}I5)6gdf@3!LxyguGuA`gHw_@Dg^89`lp% zJl|xGdp=vHn4v!douvP+G+4E+O}pEDE#%_G-JS8l*RB^$KS0)R?IP|90S6k}o=_vs zNwFkG)URgmc-5cdg8m-)_x37hATs4}X1JpI${cJ(FxMyk?+szta3kjfZt5Tr0o6pZ zhjvN2hq@*0cfUZ9<;(}t88c2jK(Cim9hC|8PK7htf{|vm$@sZ%R#fD<#?KfToz`F77t|>=LY@6d%?x>DD?*MZ~j7 zn$k}TGnj9j4*3v6<=cJc_0viO?dE8qcLV;Xvz!=PRDya3u$9(AWx!Tirgbj+raM_3 zu7HgMN>^5@o#d2c^cy=f5Sm8DeGtu`y>Y} z27C+VD2G^4R@0j981D@c?D{I&d+3 z3q(!0@MiL6k4TXbl+6b!>HX>P!kd`6&JO;p1~9|$g7Q`8RBd31g8BVaFe}9c6JOvT zqV79b2`|?dv(R5&=Gcb;!tcKizt`~OfFYo0ZO%2RY@o%){@nk=^$R6p{Y;|JWB-G2vRI6z*O^f$Q?{NnTL z21U)7ed-g?RYkjN&jLsPxFWhEw__jPz=c`E$5%Pw@<9FpM!(rK`X3&I@(?X=|yL<;!m5{Bz*b$dEUe;6d>7pw-VK;jBOH;fr zCFV@@vM7@1W?4EJM%+~niM0AE%;(^$__}!019kju?(Eb#@>hs@71%|f?J*+OX=EnV zxfmK#^YjH^9FxdqBkqwzt#2!ul(@2R)eLb7pnxwKzwoz z@_VN(<4$`U@BG?txux)xmv$^Sqv{D+mOEbbwMH?bl*c+d)K_>Sd4~_}{CA1M1C%I2 zLpZmITb`?pp|H|%n_Jbvxz^OsmwDNtm9tFshH%s$1RteG4Fs-WN#T(i?!vew!`>jk zbJpV5YkDM=fs?KhNKe?uQFxmOF*fHuKA~fxdFp}DIEH9g*8&BeQ_L`~soNRGE zOTAMVhy{{K?H+Pdp#QeIT%V9j1hQ)X9%g;AK^#6uW_}2e08p6? 
From 20db958a7d02bd6112ac002c51ce4ebc72a74dad Mon Sep 17 00:00:00 2001 From: Elliot Huffman Date: Mon, 12 Jan 2026 13:15:13 -0500 Subject: [PATCH 13/15] Checkpoint --- docs/SHIELD/Discover/Installation.md | 73 +++++++++++++++++----------- 1 file changed, 44 insertions(+), 29 deletions(-) diff --git a/docs/SHIELD/Discover/Installation.md b/docs/SHIELD/Discover/Installation.md index fb2b60a..b5c6833 100644 --- a/docs/SHIELD/Discover/Installation.md +++ b/docs/SHIELD/Discover/Installation.md 
@@ -5,41 +5,57 @@ ## Overview -This application is a self-hosted application that exists in the customer tenant on an Azure App Service, collecting and processing the requisite data only within the customer tenant before provided abstracted & fully anonymized data results back to SHI for reporting. All requirements can be set up by the delivery team or customer prior to engagement. +This application is a self-hosted application that exists in the customer tenant on an Azure App Service, collecting and processing the requisite data only within the customer tenant before provided abstracted & fully anonymized data results back to SHI for reporting. All requirements can be set up by the delivery team or customer prior to engagement. --- -## Requirements +## Setup Steps/Requirements -- New Azure Subscription -(SHIELD Installer will handle below, not required by customer if using Installer) -- Powershell: - - Latest [v7](https://learn.microsoft.com/en-us/powershell/scripting/install/installing-powershell){:target="_blank"} installed (ideally from the [Microsoft Store](https://www.microsoft.com/store/productId/9MZ1SNWT0N5D?ocid=pdpshare){:target="_blank"}) +### Using SHIELD - Desktop's Installer module + +1. Create new Dedicated Azure Subscription. +2. Run the installer to set up SHIELD automatically. + +--- + +### Deploying by hand + +1. Create new Dedicated Azure Subscription. +2. 
Install PowerShell Dependencies + - Latest [v7](https://learn.microsoft.com/en-us/powershell/scripting/install/installing-powershell){:target="_blank"} release installed (ideally from the [Microsoft Store](https://www.microsoft.com/store/productId/9MZ1SNWT0N5D){:target="_blank"}) - Modules: [Az](https://www.powershellgallery.com/packages/Az){:target="_blank"}, [Microsoft.Graph.Beta](https://www.powershellgallery.com/packages/Microsoft.Graph.Beta){:target="_blank"} - Scripts: [Grant-MIGraphPermission](https://www.powershellgallery.com/packages/Grant-MIGraphPermission){:target="_blank"} -- Blank Azure App Service (Web App) +3. Create a new resource group named: `SHIELD` +4. Create a new Azure App Service (Web App) - OS: Linux - - Minimum SKU: P0v4 - - Runtime Stack: Node 24 LTS - - Resource Group Name: SHIELD + - Minimum SKU: P0v4 + - Runtime Stack: Node 24 LTS - Azure Cost Estimate associated (as of 1/8/2025): ![Azure Cost Estimation Table](assets/images/screenshots/Pricing_Table.png) -- Permissions - - The User logging in to SHIELD: Discover requires either Global Admin or the following: - - Global Reader - - Security Administrator - - User Administrator - - **The service principal (System Assigned Managed identity is recommended) must be granted**: - - `Owner` for the Azure Subscription assigned to app - - `AppRoleAssignment.ReadWrite.All` - - `Application.ReadWrite.All` - - Additional permissions will be self-assigned by the app to save time and begin data collection, the extent of which can be found [here](https://docs.shilab.com/SHIELD/Prerequisites/Required-Graph-API-Permissions/){:target="_blank"}. 
-- **Network Inspection excluded for Microsoft Traffic** - - According to [Microsoft Documentation](http://aka.ms/pnc){:target="_blank"}, Traffic Inspection of any kind via a tool like Palo, Zscaler, or nginx (caching) violates Microsoft’s Terms & Conditions (as well as each major cloud provider) as traffic that was decrypted and is heading to Microsoft is indistinguishable from man in the middle attacks. +## Permissions + +- The User logging in to SHIELD: Discover requires either Global Admin or the following: + - Global Reader + - Security Administrator + - User Administrator +- **The service principal (System Assigned Managed identity is recommended) must be granted**: + - `Owner` for the Azure Subscription assigned to app + - `AppRoleAssignment.ReadWrite.All` + - `Application.ReadWrite.All` + - [Additional permissions](../Prerequisites/Required-Graph-API-Permissions.md) will be self-assigned by the app to save time and begin data collection. + +### Networking + +- Network Endpoints: + - + - + - https://*.azurewebsites.net +- Disable network traffic inspection/unwrapping/decryption + - According to [Microsoft Documentation](http://aka.ms/pnc){:target="_blank"}, Traffic Inspection of any kind via a tool like Palo, Zscaler, or nginx (caching) violates Microsoft's Terms & Conditions (as well as each major cloud provider) as traffic that was decrypted and is heading to Microsoft is indistinguishable from man in the middle attacks. - As a result, all traffic inspected is promptly dropped by Microsoft. As we rely on Azure Networking for SHIELD to run, this prevents SHIELD from functioning. - - Please validate that **ALL** Microsoft traffic is excluded from any form of Network Inspection: this is a requirement for SHIELD to function, as it is against Microsoft’s terms and conditions. 
+ - Please validate that **ALL** Microsoft traffic is excluded from any form of Network Inspection: this is a requirement for SHIELD to function, as it is against Microsoft's terms and conditions. --- @@ -68,7 +84,7 @@ This application is a self-hosted application that exists in the customer tenant - No custom execution except for designed workload (no viruses possible) - No update downtime - Vulnerability patching done before public announcement of vulnerability - - Self-healing + - Self-healing ### Miscellaneous Considerations @@ -90,9 +106,9 @@ This application is a self-hosted application that exists in the customer tenant ### High-level Data Flow Diagram SHIELD: Discover does not collect PII or similar data – it is only focused on the scope of configurations within the Microsoft security stack, and not on any private employee or customer data. Specifics on what data collected is listed in the next section. -As a self-hosted application, data collected lives in the customer environment until it is anonymized and sent to SHIELD’s database via the Data Gateway. The Data Gateway structure is available to review upon request. +As a self-hosted application, data collected lives in the customer environment until it is anonymized and sent to SHIELD's database via the Data Gateway. The Data Gateway structure is available to review upon request. -![SHIELD Discover Module Data Flow](/SHIELD/Discover/assets/images/screenshots/shield_discover_module_data_flow.jpg) +![SHIELD Discover Module Data Flow](assets/images/screenshots/shield_discover_module_data_flow.jpg) ### Example Data Structure & Output 
@@ -103,8 +119,7 @@ SHIELD Discover collects the following data: - Principal ID that ran the report - Principle Object ID - Assigned License – The Service Plan IDs of the license(s) that are assigned (direct or indirect) to the specific principal - - Assigned Services – The service configuration assignment determining ‘benefitting’ from a service. This includes the service configuration type if possible (feature, such as ‘Conditional Access,’ a service within the Entra ID license) + - Assigned Services – The service configuration assignment determining 'benefitting' from a service. This includes the service configuration type if possible (feature, such as 'Conditional Access,' a service within the Entra ID license) - Consumed Services – Usage telemetry retrieved to indicate if the specific principal is consuming/using the service, regardless of license status - -For a complete look at the Data Structure, please refer to the below block or utilize [SwaggerEditor](https://editor-next.swagger.io/){:target="_blank"} for rendering. \ No newline at end of file +For a complete look at the Data Structure, please refer to the [Data Gateway API Spec](https://specs.shilab.com/){:target="_blank"}. From f7d15db13220dd8fd804d3422ee0f5d47fd78d75 Mon Sep 17 00:00:00 2001 From: jtdauria-shi Date: Mon, 12 Jan 2026 20:18:30 -0500 Subject: [PATCH 14/15] Moved Installation under SHIELD Prereqs and Added Azure Pricing Markdown Table --- docs/SHIELD/{Discover => Prerequisites}/Installation.md | 9 +++++---- mkdocs.yml | 2 +- 2 files changed, 6 insertions(+), 5 deletions(-) rename docs/SHIELD/{Discover => Prerequisites}/Installation.md (90%) diff --git a/docs/SHIELD/Discover/Installation.md b/docs/SHIELD/Prerequisites/Installation.md similarity index 90% rename from docs/SHIELD/Discover/Installation.md rename to docs/SHIELD/Prerequisites/Installation.md index b5c6833..627b566 100644 --- a/docs/SHIELD/Discover/Installation.md +++ b/docs/SHIELD/Prerequisites/Installation.md 
@@ -32,7 +32,10 @@ This application is a self-hosted application that exists in the customer tenant - Runtime Stack: Node 24 LTS - Azure Cost Estimate associated (as of 1/8/2025): -![Azure Cost Estimation Table](assets/images/screenshots/Pricing_Table.png) +| Premium v4 Service Plan | vCPU(s) | RAM | Storage | Pay as you go | 1 year savings plan | 3 year savings plan | 1 year reserved | 3 year reserved | +|-----------------|-------------------|---------------------|-----------------|-------------------|---------------------|-----------------|-------------------|---------------------| +| P0v4 | 1 | 4 GB | 250 GB | **$86.870**/month | **$70.365**/month ~ 19% savings | **$58.203**/month ~ 33% savings | **$65.000**/month ~ 25% savings | **$53.831**/month ~ 38% savings | +| P1v4 | 2 | 8 GB | 250 GB | **$173.740**/month | **$140.730**/month ~ 19% savings | **$116.406**/month ~ 33% savings | **$130.086**/month ~ 25% savings | **$107.668**/month ~ 38% savings | ## Permissions @@ -108,8 +111,6 @@ This application is a self-hosted application that exists in the customer tenant SHIELD: Discover does not collect PII or similar data – it is only focused on the scope of configurations within the Microsoft security stack, and not on any private employee or customer data. Specifics on what data collected is listed in the next section. As a self-hosted application, data collected lives in the customer environment until it is anonymized and sent to SHIELD's database via the Data Gateway. The Data Gateway structure is available to review upon request. -![SHIELD Discover Module Data Flow](assets/images/screenshots/shield_discover_module_data_flow.jpg) - ### Example Data Structure & Output SHIELD Discover collects the following data: 
@@ -122,4 +123,4 @@ SHIELD Discover collects the following data: - Assigned Services – The service configuration assignment determining 'benefitting' from a service. This includes the service configuration type if possible (feature, such as 'Conditional Access,' a service within the Entra ID license) - Consumed Services – Usage telemetry retrieved to indicate if the specific principal is consuming/using the service, regardless of license status -For a complete look at the Data Structure, please refer to the [Data Gateway API Spec](https://specs.shilab.com/){:target="_blank"}. +For a complete look at the Data Structure, please refer to the [Data Gateway API Spec](https://specs.shilab.com/){:target="_blank"}. \ No newline at end of file diff --git a/mkdocs.yml b/mkdocs.yml index e9ce9c8..8349ad8 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -145,6 +145,7 @@ nav: - Overview: SHIELD/index.md - Prerequisites: - Overview: SHIELD/Prerequisites/index.md + - Installation: SHIELD/Prerequisites/Installation.md - Graph API Permissions: SHIELD/Prerequisites/Required-Graph-API-Permissions.md - Getting Started: SHIELD/Getting-Started.md - Usage Guide: SHIELD/Usage-Guide.md @@ -223,7 +224,6 @@ nav: - Discover: - Overview: SHIELD/Discover/index.md - - Installation: SHIELD/Discover/Installation.md - Deployment: SHIELD/Discover/Deployment/index.md - Usage Guide: SHIELD/Discover/Usage-Guide.md - Plugins: From 08665e210837d7942c0c2b458ac237889a1e9614 Mon Sep 17 00:00:00 2001 From: jtdauria-shi Date: Mon, 2 Feb 2026 16:40:34 -0500 Subject: [PATCH 15/15] Added the Architectural Analysis Overview and a diagram to installation --- docs/SHIELD/Deploy/Usage-Guide.md | 4 + docs/SHIELD/Prerequisites/Installation.md | 18 +++ .../Architectural-Analysis-Overview.md | 127 ++++++++++++++++++ mkdocs.yml | 1 + 4 files changed, 150 insertions(+) create mode 100644 docs/SHIELD/Reference/Architecture/Architectural-Analysis-Overview.md 
diff --git a/docs/SHIELD/Deploy/Usage-Guide.md b/docs/SHIELD/Deploy/Usage-Guide.md index 44cc914..4e5edce 100644 --- a/docs/SHIELD/Deploy/Usage-Guide.md +++ b/docs/SHIELD/Deploy/Usage-Guide.md @@ -16,6 +16,9 @@ After core deployment is complete, the Deploy module allows you to: These actions are performed through the **Lifecycle Infrastructure** interface on the SHIELD home screen. +!!! info "Additional Information" + For more information on how SHIELD evaluates tenant configuration against baselines and produces the architectural report, see [Architectural Analysis Overview](../../SHIELD/Reference/Architecture/Architectural-Analysis-Overview.md). + --- ## Defender for Endpoint Workspace Creation @@ -76,6 +79,7 @@ Once core deployment is complete, your SHIELD UI will provide management cards f ## Related Pages +- [Architectural Analysis Overview](../../SHIELD/Reference/Architecture/Architectural-Analysis-Overview.md) - [Deploy Overview](index.md) - [Deployment Guide](../Getting-Started.md) - [Reference Docs](Reference/index.md) diff --git a/docs/SHIELD/Prerequisites/Installation.md b/docs/SHIELD/Prerequisites/Installation.md index 627b566..b0def31 100644 --- a/docs/SHIELD/Prerequisites/Installation.md +++ b/docs/SHIELD/Prerequisites/Installation.md 
@@ -111,6 +111,24 @@ This application is a self-hosted application that exists in the customer tenant SHIELD: Discover does not collect PII or similar data – it is only focused on the scope of configurations within the Microsoft security stack, and not on any private employee or customer data. Specifics on what data collected is listed in the next section. As a self-hosted application, data collected lives in the customer environment until it is anonymized and sent to SHIELD's database via the Data Gateway. The Data Gateway structure is available to review upon request. +```mermaid +flowchart LR +SHI[SHI] + +subgraph tenant["Customer Tenant"] + serviceConfiguration[Service Configuration Scope Noted to Object ID. Configuration **not** recorded] + tenantConfiguration[Tenant Configuration Observed, such as a Conditional Access policy] + objectIDs[Object IDs in Scope Determined] +end + +serviceConfiguration --> tenantConfiguration +tenantConfiguration --> objectIDs +objectIDs --> serviceConfiguration + +SHI -.Initial Installation.-> tenant +serviceConfiguration-->|Object IDs with associated Scopes reported to Data Gatway, no PII Associated| SHI +``` + ### Example Data Structure & Output SHIELD Discover collects the following data: diff --git a/docs/SHIELD/Reference/Architecture/Architectural-Analysis-Overview.md b/docs/SHIELD/Reference/Architecture/Architectural-Analysis-Overview.md new file mode 100644 index 0000000..53d72f4 --- /dev/null +++ b/docs/SHIELD/Reference/Architecture/Architectural-Analysis-Overview.md 
@@ -0,0 +1,127 @@ + +The SHIELD system runs a full architectural analysis by gathering tenant data, runs a parallel analysis on all configuration items, and saves the results. Afterward, tenant data is compared to the baseline configuration, and a report is generated. This overview provides a more detailed outline of this process. + +## Input Validation & Locking +When the scan is deployed, the system checks if there is already an analysis in progress. + +- If there is no scan occurring, the system locks the engine to begin the analysis and moves on the next step. +- If there is a scan is in progress, the button is disabled to prevent concurrent operations. + +## Progress Bar +Once the analysis begins, a progress bar displays the status of three different steps: + +1. **Retrieving Tenant Metadata** +2. **Analyze Architecture** (During which a sub-progress bar is displayed for each baseline configuration, along with the status of the analysis) + 1. Gathering data from tenant + 2. Comparing tenant data to the baseline configuration + 3. Building report + 4. Status + - **Done** - Displayed once the analysis is finalized and there are no errors reported. + - **Error** - Displayed if a critical error is hit during any of the three previous checkpoints. +3. **Saving Architecture Report** + +### 1. Retrieving Tenant Metadata +The system gathers metadata, such as users and devices, associated with the current tenant and architecture, via the `initializeArchitectureReport()` function. The data is then stored in the system, so it can be analyzed in the next step. + +#### Information Stored +Data is stored in one of two ways: + +1. **Raw data** for all Conditional Access policy configurations is retrieved from the Azure tenant. This information is cached in application memory for the duration of the analysis. This is automatically cleared in the step immediately before the engine lock is released. +2. 
**Summary data** of the architectural analysis report is retained in a digital repository according to our data retention policy. The data is mostly Universally Unique Identifiers (UUIDs), numbers, and dates. This includes: + - A unique identifier that represents each run of the architectural analysis + - Tenant ID under analysis + - Total users in the tenant + - Total guest users in the tenant + - Total member users in the tenant + - Total devices associated with the tenant + - The principal name associated with the user used to authenticate into the tenant being audited + - User account used to store and report the architecture report to SHI + - Timestamp when the record was created + - Timestamp when the record was last updated + - A list of UUIDs corresponding to users and their associated SHIELD baseline configuration items + - The list also includes a string, specifying if a tenant policy was found that matches the baseline policy, classified as either 'full' or 'partial'. User identifiers with no 'full' or 'partial' matches are excluded. + +### 2. Analyze Architecture +All the SHIELD baseline configurations are added to a list, and each configuration is analyzed independently via the `analyzeArchitecture()` function. During this step the system will: + +- Retrieve live data from the tenant (e.g., Microsoft Graph) +- Compare tenant data to baseline configuration +- Record discrepancies, matches, and assignments +- Report findings back to the deploy engine + +### 3. Saving the Architecture Report +Once all the configuration items have been analyzed, a report is created via the `saveArchitectureReport()` function. This serializes and saves the results of the analysis, including findings, discrepancies, and additional metadata for later review and reporting. + +## Finalization +Once the system is finished with the analysis and the report has been saved, the timestamp of the last analysis is updated. 
Next, the graph data cache is cleared, and the engine is unlocked. If the system ran into any errors during the process, those are also logged. + +## Summary Table + +| | Responsibility | +|------------|----| +|`analyze`| Begins the entire Architectural Analysis process, analyzing all configuration items in the architecture | +|`analyzeArchitecture()`| An asynchronous analyzation method called on each item in the configuration list | +|`configurationItemList`| A list of all the configuration items that were gathered during the retrieval phase | +|`DeployEngine`| The engine that powers the system running the Architectural Analysis | +|`initializeArchitectureReport()`| Gathers and stores metadata about the current tenant and architecture | +|`isDeploying`| Checks if the system is running a scan or deploying a policy | +|`Promise.all`| Analysis operations are collected into a list and executed in parallel | +|`saveArchitectureReport()`| Saves the results of the analysis and stores the results | +|`writeDebugInfo`| Logs errors that occur during analysis | + +--- + +## Conditional Access Policies + +To get a better understanding of the analysis process and how the system compares customer policies to baseline policies, let's look at a specific policy. For Conditional Access Policies, the system analyzes a single Conditional Access Policy configuration item via the `analyzeConditionalAccessPolicy` function, a specialized analysis function. There are three steps to analyzing a Conditional Access Policy: + +1. **Type Validation** - The system checks if the configuration item is a valid instance or not. +2. **Create New Instance** - A new instance of `CspmConditionalAccess` is created, passing the configuration item and `graphBeta` flag. +3. **Delegation to Internal Analysis** - Data is gathered and analyzed via the `analyzeConditionalAccessPolicyInternal()` function. 
+ +### Delegation to Internal Analysis + +#### Locking +During this step, the system will check if there is already an analysis in progress. If not, the system locks the engine to begin the analysis. + +#### Progress Bar +Once the analysis begins, a progress bar displays the status of each step. + +#### Data Fetch + +The system calls the `getCustomerTenantGraphData()` function to analyze the current Conditional Access Policies from Microsoft Graph. + +#### Comparison + +The `compareConditionalAccessPolicy()` function validates the URL path and calls the `compareConditionalAccessPolicies()` function, which does the following: + +- Scans the baseline configuration +- Compares each policy to the baseline +- Assess the degree of match, either 'full', 'partial', or 'none' + - **Full Coverage**: All of in scope are fully covered by the policy. The policy matches the baseline for every user. + - **Partial Coverage**: A percentage of users in scope are covered by the policy, but the policy only partially matches the baseline for those users. + - **No Coverage**: No users are covered by the policy. The policy does not provide any baseline coverage. + - **Unassigned**: Users are not assigned to the deployed policy. +- Builds an assignment and exclusion list for reporting + +#### Reporting + +A report is created via the `sendConfigurationMatchAssessmentToDeployEngine()` function to record the results found in the previous steps. + +#### Error Handling & Unlocking + +Errors are logged and updated in the progress bar, and the lock is then released. 
+ +## Summary Table + +| | Responsibility | +|---|----------------| +|`analyzeConditionalAccessPolicy`| Analyzes a single Conditional Access policy configuration item +|`analyzeConditionalAccessPolicyInternal()`| Analyzes the Conditional Access Policies internally +|`compareConditionalAccessPolicies()`| Scans the baseline configuration, compares each policy to the baseline, assesses the degree of match, and builds a list for reporting +|`compareConditionalAccessPolicy()`| Validates the URL path and prepares the system to compare Conditional Access Policies +|`ConfigurationItem.analyzeArchitecture()`| Delegates each configuration item to the correct analyzer +|`CspmConditionalAccess`| Implements the logic for fetching, comparing, and reporting Conditional Access policies +|`DeployEngine.analyze()`| Orchestrates analysis for all configuration items in the architecture +|`getCustomerTenantGraphData()`| Pulls in the current Conditional Access Policies from Microsoft Graph +|`sendConfigurationMatchAssessmentToDeployEngine()`| Records the results of the analysis and creates an architecture report \ No newline at end of file diff --git a/mkdocs.yml b/mkdocs.yml index 8349ad8..f7ddd79 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -241,6 +241,7 @@ nav: - Reference: - Architecture: - Overview: SHIELD/Reference/Architecture/index.md + - Architectural Analysis Overview: SHIELD/Reference/Architecture/Architectural-Analysis-Overview.md - Threat Model: SHIELD/Reference/Architecture/Threat-Models/ISV-To-Customer.md - Review Template: SHIELD/Reference/Architecture/Review-Template.md - Development:
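Review bot: In PATCH 13/15, `docs/SHIELD/Discover/Installation.md`, hunk `@@ -5,41 +5,57 @@`, the new `## Permissions` section grants the service principal `Owner` on the subscription together with `AppRoleAssignment.ReadWrite.All` and `Application.ReadWrite.All`, then says further permissions "will be self-assigned by the app", without stating why each grant is needed or how far it reaches. `AppRoleAssignment.ReadWrite.All` lets the identity grant itself any Graph application permission, so this combination is effectively tenant-wide privilege; please add the purpose of each grant, say whether any of them can be removed once setup has finished, and link the threat model page that is already in the nav. In the same hunk, the `Network Endpoints:` list under `### Networking` has two empty bullets ahead of `https://*.azurewebsites.net`; fill them in or drop them, and switch the `http://aka.ms/pnc` link to `https`. `### Networking` also nests under `## Permissions` as written, where a sibling `##` heading looks intended.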
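Review bot: In PATCH 14/15, `docs/SHIELD/Prerequisites/Installation.md`, hunk `@@ -32,7 +32,10 @@`, the pricing table is added under the existing line "Azure Cost Estimate associated (as of 1/8/2025)" while this commit is dated 12 Jan 2026, so the as-of date needs confirming or updating along with the new figures. The P0v4 "1 year reserved" cell, `$65.000`, also looks rounded: P1v4 shows `$130.086` in that column, whereas the pay-as-you-go and both savings-plan columns for P1v4 are exactly double the P0v4 values. Please recheck that cell against the source and state the region and currency the prices assume, since the table replaces a screenshot and will now be copied as text.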
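Review bot: In PATCH 15/15, `docs/SHIELD/Prerequisites/Installation.md`, hunk `@@ -111,6 +111,24 @@`, the diagram's only edge leaving the tenant is labelled "Object IDs with associated Scopes reported to Data Gatway, no PII Associated", but the "Example Data Structure & Output" list directly below it also names "Principal ID that ran the report"; the label and the list should agree on what leaves the tenant, and the page should say how the object IDs are anonymized before they are sent. "Gatway" is a typo for "Gateway". The three nodes inside `tenant` form a cycle (`serviceConfiguration --> tenantConfiguration`, `tenantConfiguration --> objectIDs`, `objectIDs --> serviceConfiguration`), which hides the order of operations; a linear flow that ends at the reporting edge would read more clearly. The `**not**` inside the node label may render as literal asterisks unless Mermaid markdown strings are used.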
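Review bot: In PATCH 15/15, new file `docs/SHIELD/Reference/Architecture/Architectural-Analysis-Overview.md`, hunk `@@ -0,0 +1,127 @@`, the locking description is ambiguous: "Input Validation & Locking" says the engine is locked when the run starts, the "Locking" step under "Delegation to Internal Analysis" says each Conditional Access analysis again checks for an analysis in progress and locks the engine, and the summary table says the per-item analyses run in parallel via `Promise.all`. Please state whether these are the same lock or separate ones, and say in "Finalization" whether the engine is also unlocked when a step fails. Under "Information Stored", the retained summary data includes the authenticating user's principal name and per-user UUIDs kept "according to our data retention policy"; link that policy and say where the repository lives. Smaller points: the match levels are given as 'full', 'partial', or 'none' but four states are listed, including "Unassigned"; "All of in scope" is missing a word; "If there is a scan is in progress" has a stray "is"; the rows of the second summary table lack the closing `|`; two headings share the name `## Summary Table` and should be given distinct names; and the file has no top-level title.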