This commit is contained in:
Yaron 2021-08-03 21:21:56 +03:00 коммит произвёл GitHub
Родитель 4b5f3c9841
Коммит cabe91cb63
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
9 изменённых файлов: 21 добавлений и 22 удалений


@ -28,7 +28,7 @@
"displayName": "Microsoft Blob Storage - File Event Parser",
"category": "Security",
"FunctionAlias": "vimFileEventAzureBlobStorage",
"query": "// https://docs.microsoft.comrest/api/storageservices/storage-analytics-logged-operations-and-status-messages\nlet bloboperations=datatable(OperationName:string, EventType:string)[\n \"PutBlock\", \"FileCreated\",\n \"PutBlob\", \"FileCreated\",\n \"PutPage\", \"FileCreated\",\n \"CreateContainer\", \"FolderCreated\",\n \"CopyBlob\", \"FileCopied\",\n \"QueryBlobContents\", \"FileAccessed\",\n \"GetBlob\", \"FileAccessed\",\n \"AppendBlock\", \"FileModified\",\n \"ClearPage\", \"FileModified\",\n \"PutBlockFromURL\", \"FileModified\",\n \"DeleteBlob\", \"FileDeleted\",\n \"DeleteContainer\", \"FolderDeleted\"\n ];\n StorageBlobLogs\n // **** relevant data filtering;\n | where OperationName in (bloboperations)\n //\n | project-rename \n EventOriginalUid = CorrelationId\n , EventOriginalType=OperationName\n , HttpUserAgent=UserAgentHeader\n , TargetUrl=Uri\n | extend \n EventCount=int(1)\n , EventStartTime=TimeGenerated\n , EventEndTime=TimeGenerated\n //\t, EventType :string ---> see lookup below\n , EventResult=iff(StatusText == 'Success', 'Success', 'Failure') \n , EventProduct='Azure File Storage' \n , EventVendor='Microsoft'\n , EventSchemaVersion='0.1.0'\n , TargetFilePath=tostring(split(Uri,'?')[0]) \n , TargetFilePathFormat='URL'\n , SrcIpAddr=tostring(split(CallerIpAddress,':')[0])\n , SrcPortNumber=tostring(split(CallerIpAddress,':')[1])\n | extend TargetFileName=tostring(split(TargetFilePath,'/')['-1'])\n | lookup bloboperations on OperationName\n // Aliases\n | extend User=ActorUsername\n , FilePath=TargetFilePath",
"query": "// https://docs.microsoft.comrest/api/storageservices/storage-analytics-logged-operations-and-status-messages\nlet bloboperations=datatable(OperationName:string, EventType:string)[\n \"PutBlock\", \"FileCreated\",\n \"PutBlob\", \"FileCreated\",\n \"PutPage\", \"FileCreated\",\n \"CreateContainer\", \"FolderCreated\",\n \"CopyBlob\", \"FileCopied\",\n \"QueryBlobContents\", \"FileAccessed\",\n \"GetBlob\", \"FileAccessed\",\n \"AppendBlock\", \"FileModified\",\n \"ClearPage\", \"FileModified\",\n \"PutBlockFromURL\", \"FileModified\",\n \"DeleteBlob\", \"FileDeleted\",\n \"DeleteContainer\", \"FolderDeleted\"\n ];\n StorageBlobLogs\n // **** relevant data filtering;\n | where OperationName in (bloboperations)\n //\n | lookup bloboperations on OperationName\n | project-rename \n EventOriginalUid = CorrelationId\n , EventOriginalType=OperationName\n , HttpUserAgent=UserAgentHeader\n , TargetUrl=Uri\n | extend \n EventCount=int(1)\n , EventStartTime=TimeGenerated\n , EventEndTime=TimeGenerated\n //\t, EventType :string ---> see lookup below\n , EventResult=iff(StatusText == 'Success', 'Success', 'Failure') \n , EventProduct='Azure File Storage' \n , EventVendor='Microsoft'\n , EventSchemaVersion='0.1.0'\n , TargetFilePath=tostring(split(Uri,'?')[0]) \n , TargetFilePathFormat='URL'\n , SrcIpAddr=tostring(split(CallerIpAddress,':')[0])\n , SrcPortNumber=tostring(split(CallerIpAddress,':')[1])\n | extend TargetFileName=tostring(split(TargetFilePath,'/')['-1'])\n // Aliases\n | extend User=ActorUsername\n , FilePath=TargetFilePath",
"version": 1
}
}
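Review bot: The new query at L16 still computes `TargetFilePath=tostring(split(Uri,'?')[0])` after `project-rename ... TargetUrl=Uri` has already removed the `Uri` column, so that `extend` refers to a column that no longer exists at that point; the YAML copy of this parser in the same commit changes it to `split(TargetUrl,'?')[0]` (L104) and this JSON copy should follow: `, TargetFilePath=tostring(split(TargetUrl,'?')[0])`. The trailing alias `| extend User=ActorUsername` references `ActorUsername`, which nothing in this query produces; the Table parser (L84) and the blob YAML (L112) drop that alias in this commit while this file and the Queue parser (L28) keep it. `EventProduct='Azure File Storage'` is also set here although the displayName is "Microsoft Blob Storage", and the Queue and Table parsers set the same value, so EventProduct cannot distinguish the three services.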


@ -28,7 +28,7 @@
"displayName": "Microsoft Queue Storage - File Event Parser",
"category": "Security",
"FunctionAlias": "vimFileEventAzureQueueStorage",
"query": "// https://docs.microsoft.comrest/api/storageservices/storage-analytics-logged-operations-and-status-messages\nlet queueoperations=datatable(OperationName:string, EventType:string)[\n \"ClearMessages\", \"DeleteFile\"\n , \"CreateQueue\", \"CreateFile\"\n , \"DeleteQueue\", \"DeleteFile\"\n , \"DeleteMessage\", \"DeleteFile\"\n , \"GetQueue\", \"FileAccessed\"\"\n , \"GetMessage\", \"FileAccessed\"\"\n , \"GetMessages\", \"FileAccessed\"\"\n , \"PeekMessage\", \"FileAccessed\"\"\n , \"PeekMessages\", \"FileAccessed\"\"\n , \"PutMessage\", \"FileCreated\"\"\n , \"UpdateMessage\", \"FileModified\" \n ];\n StorageTableLogs\n // **** relevant data filtering;\n | where OperationName in (queueoperations)\n //\n | extend \n EventCount=int(1)\n , EventStartTime=TimeGenerated\n , EventEndTime=TimeGenerated\n //\t, EventType :string ---> see lookup below\n , EventResult=iff(StatusText == 'Success', 'Success', 'Failure') \n , EventOriginalUid = CorrelationId\n , EventOriginalType=OperationName\n , EventProduct='Azure File Storage' \n , EventVendor='Microsoft'\n , EventSchemaVersion='0.1.0'\n , TargetFilePath=tostring(split(Uri,'?')[0]) \n , TargetFilePathFormat='URL'\n , TargetUrl=Uri\n , SrcIpAddr=tostring(split(CallerIpAddress,':')[0])\n , SrcPortNumber=tostring(split(CallerIpAddress,':')[0])\n , HttpUserAgent=UserAgentHeader\n | extend TargetFileName=tostring(split(TargetFilePath,'/')['-1'])\n | lookup queueoperations on OperationName\n // Aliases\n | extend User=ActorUsername\n , FilePath=TargetFilePath",
"query": "// https://docs.microsoft.comrest/api/storageservices/storage-analytics-logged-operations-and-status-messages\nlet queueoperations=datatable(OperationName:string, EventType:string)[\n \"ClearMessages\", \"DeleteFile\"\n , \"CreateQueue\", \"CreateFile\"\n , \"DeleteQueue\", \"DeleteFile\"\n , \"DeleteMessage\", \"DeleteFile\"\n , \"GetQueue\", \"FileAccessed\"\n , \"GetMessage\", \"FileAccessed\"\n , \"GetMessages\", \"FileAccessed\"\n , \"PeekMessage\", \"FileAccessed\"\n , \"PeekMessages\", \"FileAccessed\"\n , \"PutMessage\", \"FileCreated\"\n , \"UpdateMessage\", \"FileModified\" \n ];\n StorageQueueLogs\n // **** relevant data filtering;\n | where OperationName in (queueoperations)\n //\n | extend \n EventCount=int(1)\n , EventStartTime=TimeGenerated\n , EventEndTime=TimeGenerated\n //\t, EventType :string ---> see lookup below\n , EventResult=iff(StatusText == 'Success', 'Success', 'Failure') \n , EventOriginalUid = CorrelationId\n , EventOriginalType=OperationName\n , EventProduct='Azure File Storage' \n , EventVendor='Microsoft'\n , EventSchemaVersion='0.1.0'\n , TargetFilePath=tostring(split(Uri,'?')[0]) \n , TargetFilePathFormat='URL'\n , TargetUrl=Uri\n , SrcIpAddr=tostring(split(CallerIpAddress,':')[0])\n , SrcPortNumber=tostring(split(CallerIpAddress,':')[0])\n , HttpUserAgent=UserAgentHeader\n | extend TargetFileName=tostring(split(TargetFilePath,'/')['-1'])\n | lookup queueoperations on OperationName\n // Aliases\n | extend User=ActorUsername\n , FilePath=TargetFilePath",
"version": 1
}
}
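Review bot: `SrcPortNumber=tostring(split(CallerIpAddress,':')[0])` in L28 takes element `[0]`, the same element already used for `SrcIpAddr`, so the port column ends up holding the address; the Blob parser uses `[1]` and this line should match it: `, SrcPortNumber=tostring(split(CallerIpAddress,':')[1])`. The Table parser (L84) has the same `[0]`. Separately, the `queueoperations` table maps to `"DeleteFile"` and `"CreateFile"` while the other parsers in this commit use `"FileDeleted"` and `"FileCreated"` (and this same table uses `"FileCreated"` for PutMessage), so the EventType vocabulary is inconsistent even within one parser; the YAML copy at L117-L119 carries the same values.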


@ -19,7 +19,7 @@
{
"type": "savedSearches",
"apiVersion": "2020-08-01",
"name": "vimFileEventCreateMicrosoftSysmon",
"name": "vimFileEventMicrosoftSysmonCreated",
"dependsOn": [
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
],
@ -27,8 +27,8 @@
"etag": "*",
"displayName": "Sysmon Event 11 - Create File",
"category": "Security",
"FunctionAlias": "vimFileEventCreateMicrosoftSysmon",
"query": "let Sysmon11=(){\n Event\n | where Source == \"Microsoft-Windows-Sysmon\"\n | where EventID == 11\n | parse EventData with '<DataItem type=\"System.XmlData\" time=\"'Time:datetime\n '\" sourceHealthServiceId=\"'sourceHealthServiceId\n '\"><EventData xmlns=\"http://schemas.microsoft.com/win/2004/08/events/event\"><Data Name=\"RuleName\">'RuleName:string\n '</Data><Data Name=\"UtcTime\">'UtcTime:datetime'</Data><Data Name=\"ProcessGuid\">{'ProcessGuid:string\n '}</Data><Data Name=\"ProcessId\">'ProcessId:string\n '</Data><Data Name=\"Image\">'Image:string /// Image is the full path \n '</Data><Data Name=\"TargetFilename\">'TargetFilename:string //// Full Path\n '</Data><Data Name=\"CreationUtcTime\">'CreationUtcTime:datetime \n '</Data></EventData></DataItem>'\n | extend\n EventType='FileCreated'\n , EventProduct='Sysmon'\n , EventSchemaVersion = '0.1.0'\n , EventResult='Success'\n , EventCount=int(1)\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , DvcOs='Windows'\n , TargetFileName_wo_Path=tostring(split(TargetFilename,'\\\\')[-1])\n | project-rename\n DvcHostname = Computer\n , ActingProcessName = Image\n , ActingProcessId = ProcessId\n , ActingProcessGuid = ProcessGuid\n , EventOriginalType=EventID\n , TargetFileCreationTime=CreationUtcTime\n , EventMessage=RenderedDescription\n , TargetFilePath=TargetFilename\n ,TargetFileName=TargetFileName_wo_Path\n | extend\n User = ActorUsername\n , Process = ActingProcessName\n , Dvc = DvcHostname\n , FilePath = TargetFilePath\n };Sysmon11",
"FunctionAlias": "vimFileEventMicrosoftSysmonCreated",
"query": "let Sysmon11=(){\n Event\n | where Source == \"Microsoft-Windows-Sysmon\"\n | where EventID == 11\n | parse EventData with '<DataItem type=\"System.XmlData\" time=\"'Time:datetime\n '\" sourceHealthServiceId=\"'sourceHealthServiceId\n '\"><EventData xmlns=\"http://schemas.microsoft.com/win/2004/08/events/event\"><Data Name=\"RuleName\">'RuleName:string\n '</Data><Data Name=\"UtcTime\">'UtcTime:datetime'</Data><Data Name=\"ProcessGuid\">{'ProcessGuid:string\n '}</Data><Data Name=\"ProcessId\">'ProcessId:string\n '</Data><Data Name=\"Image\">'Image:string /// Image is the full path \n '</Data><Data Name=\"TargetFilename\">'TargetFilename:string //// Full Path\n '</Data><Data Name=\"CreationUtcTime\">'CreationUtcTime:datetime \n '</Data></EventData></DataItem>'\n | extend\n EventType='FileCreated'\n , EventProduct='Sysmon'\n , EventSchemaVersion = '0.1.0'\n , EventResult='Success'\n , EventCount=int(1)\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , DvcOs='Windows'\n , TargetFileName_wo_Path=tostring(split(TargetFilename,'\\\\')[-1])\n | project-rename\n DvcHostname = Computer\n , ActingProcessName = Image\n , ActingProcessId = ProcessId\n , ActingProcessGuid = ProcessGuid\n , EventOriginalType=EventID\n , TargetFileCreationTime=CreationUtcTime\n , EventMessage=RenderedDescription\n , TargetFilePath=TargetFilename\n ,TargetFileName=TargetFileName_wo_Path\n | extend\n Process = ActingProcessName\n , Dvc = DvcHostname\n , FilePath = TargetFilePath\n };Sysmon11",
"version": 1
}
}
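Review bot: The created parser in L51 renames `EventOriginalType=EventID` while the deleted parser in this commit (L73) renames `EventOriginalId=EventID`, so the two Sysmon file-event parsers place the Sysmon event ID in different columns; pick one name and use it in both. The storage parsers on this page use `EventOriginalType` for the operation name string, which suggests `EventOriginalId` is the intended home for a numeric ID, but the schema definition that settles this is not on the page, so confirm against it before changing.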


@ -19,7 +19,7 @@
{
"type": "savedSearches",
"apiVersion": "2020-08-01",
"name": "vimFileEventDeleteMicrosoftSysmon",
"name": "vimFileEventMicrosoftSysmonDeleted",
"dependsOn": [
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
],
@ -27,7 +27,7 @@
"etag": "*",
"displayName": "Sysmon Events 23 and 26 - File Deleted",
"category": "Security",
"FunctionAlias": "vimFileEventDeleteMicrosoftSysmon",
"FunctionAlias": "vimFileEventMicrosoftSysmonDeleted",
"query": "let Sysmon23_26=(){\n Event\n | where Source == \"Microsoft-Windows-Sysmon\"\n | where EventID in (23,26)\n | parse EventData with \n '<DataItem type=\"System.XmlData\" time=\"'Time:datetime\n '\" sourceHealthServiceId=\"'sourceHealthServiceId\n '\"><EventData xmlns=\"http://schemas.microsoft.com/win/2004/08/events/event\"><Data Name=\"RuleName\">'RuleName:string\n '</Data><Data Name=\"UtcTime\">'UtcTime:datetime\n '</Data><Data Name=\"ProcessGuid\">{'ProcessGuid:string\n '}</Data><Data Name=\"ProcessId\">'ProcessId:string\n '</Data><Data Name=\"User\">'User:string\n '</Data><Data Name=\"Image\">'Image:string\n '</Data><Data Name=\"TargetFilename\">'TargetFilename:string\n '</Data><Data Name=\"Hashes\">SHA1='SHA1:string',MD5='MD5:string',SHA256='SHA256:string',IMPHASH='IMPHASH:string\n '</Data><Data Name=\"IsExecutable\">'isExecutable:string\n '</Data>' DataSuffix\n | parse DataSuffix with '<Data Name=\"Archived\">'Archived'</Data></EventData></DataItem>'\n | extend\n EventType='FileDeleted'\n , EventProduct='Sysmon'\n , EventSchemaVersion = \"0.1.0\"\n , EventResult='Success'\n , EventCount=int(1)\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , DvcOs='Windows'\n , ActorUsernameType = 'Windows'\n , TargetFileName_wo_Path=tostring(split(TargetFilename,'\\\\')[-1])\n | project-rename\n DvcHostname = Computer\n , ActorUsername = User\n , ActingProcessName = Image\n , ActingProcessId = ProcessId\n , ActingProcessGuid = ProcessGuid\n , EventOriginalId=EventID\n , TargetFileMD5=MD5\n , TargetFileSHA1=SHA1\n , TargetFileSHA256=SHA256\n , TargetFileIMPHASH=IMPHASH\n , EventMessage=RenderedDescription\n , TargetFilePath=TargetFileName\n ,TargetFileName=TargetFileName_wo_Path\n | extend\n User = ActorUsername\n , Process = ActingProcessName\n , Dvc = DvcHostname\n , FilePath = TargetFilePath\n };Sysmon23_26",
"version": 1
}
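Review bot: The query in L73 still has `TargetFilePath=TargetFileName` in its `project-rename`, but the column parsed out of EventData is `TargetFilename` (KQL column names are case-sensitive), and the very next line renames `TargetFileName` a second time; the YAML copy of this parser is corrected in this commit (L178) to `, TargetFilePath=TargetFilename`, and this JSON copy needs the same line. Only the name and FunctionAlias change here, so after this commit the JSON and YAML versions of the deleted-file parser diverge.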


@ -28,7 +28,7 @@
"displayName": "Microsoft Table Storage - File Event Parser",
"category": "Security",
"FunctionAlias": "vimFileEventAzureTableStorage",
"query": "// https://docs.microsoft.comrest/api/storageservices/storage-analytics-logged-operations-and-status-messages\nlet tableoperations=datatable(OperationName:string, EventType:string)[\n, \"CreateTable\", \"FileCreated\"\n, \"DeleteTable\", \"FileDeleted\"\n, \"DeleteEntity\", \"FileModified\"\n, \"InsertEntity\", \"FileModified\"\n, \"InsertOrMergeEntity\", \"FileModified\"\n, \"InsertOrReplaceEntity\", \"FileModified\"\n, \"QueryEntity\", \"FileAccessed\"\n, \"QueryEntities\", \"FileAccessed\"\n, \"QueryTable\", \"FileAccessed\"\n, \"QueryTables\", \"FileAccessed\"\n, \"UpdateEntity\", \"FileModified\"\n, \"MergeEntity\", \"FileModified\"\n ];\n StorageTableLogs\n // **** relevant data filtering;\n | where OperationName in (tableoperations)\n //\n | extend \n EventCount=int(1)\n , EventStartTime=TimeGenerated\n , EventEndTime=TimeGenerated\n //\t, EventType :string ---> see lookup below\n , EventResult=iff(StatusText == 'Success', 'Success', 'Failure') \n , EventOriginalUid = CorrelationId\n , EventOriginalType=OperationName\n , EventProduct='Azure File Storage' \n , EventVendor='Microsoft'\n , EventSchemaVersion='0.1.0'\n , TargetFilePath=tostring(split(Uri,'?')[0]) \n , TargetFilePathFormat='URL'\n , TargetUrl=Uri\n , SrcIpAddr=tostring(split(CallerIpAddress,':')[0])\n , SrcPortNumber=tostring(split(CallerIpAddress,':')[0])\n , HttpUserAgent=UserAgentHeader\n | extend TargetFileName=tostring(split(TargetFilePath,'/')['-1'])\n | lookup tableoperations on OperationName\n // Aliases\n | extend User=ActorUsername\n , FilePath=TargetFilePath",
"query": "// https://docs.microsoft.comrest/api/storageservices/storage-analytics-logged-operations-and-status-messages\nlet tableoperations=datatable(OperationName:string, EventType:string)[\n, \"CreateTable\", \"FileCreated\"\n, \"DeleteTable\", \"FileDeleted\"\n, \"DeleteEntity\", \"FileModified\"\n, \"InsertEntity\", \"FileModified\"\n, \"InsertOrMergeEntity\", \"FileModified\"\n, \"InsertOrReplaceEntity\", \"FileModified\"\n, \"QueryEntity\", \"FileAccessed\"\n, \"QueryEntities\", \"FileAccessed\"\n, \"QueryTable\", \"FileAccessed\"\n, \"QueryTables\", \"FileAccessed\"\n, \"UpdateEntity\", \"FileModified\"\n, \"MergeEntity\", \"FileModified\"\n ];\n StorageTableLogs\n // **** relevant data filtering;\n | where OperationName in (tableoperations)\n //\n | extend \n EventCount=int(1)\n , EventStartTime=TimeGenerated\n , EventEndTime=TimeGenerated\n //\t, EventType :string ---> see lookup below\n , EventResult=iff(StatusText == 'Success', 'Success', 'Failure') \n , EventOriginalUid = CorrelationId\n , EventOriginalType=OperationName\n , EventProduct='Azure File Storage' \n , EventVendor='Microsoft'\n , EventSchemaVersion='0.1.0'\n , TargetFilePath=tostring(split(Uri,'?')[0]) \n , TargetFilePathFormat='URL'\n , TargetUrl=Uri\n , SrcIpAddr=tostring(split(CallerIpAddress,':')[0])\n , SrcPortNumber=tostring(split(CallerIpAddress,':')[0])\n , HttpUserAgent=UserAgentHeader\n | extend TargetFileName=tostring(split(TargetFilePath,'/')['-1'])\n | lookup tableoperations on OperationName\n // Aliases\n | extend FilePath=TargetFilePath",
"version": 1
}
}
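Review bot: The `tableoperations` datatable literal in L84 opens with a separator before its first value, `[\n, \"CreateTable\", \"FileCreated\"`, which does not look like valid datatable row syntax and is not how the Blob and Queue parsers write their tables; drop the leading comma so the first row reads `\"CreateTable\", \"FileCreated\"`. The same query also uses `[0]` for `SrcPortNumber` and `EventProduct='Azure File Storage'` for a Table Storage parser, as already noted on the Blob and Queue parsers.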


@ -37,6 +37,7 @@ ParserQuery: |
// **** relevant data filtering;
| where OperationName in (bloboperations)
//
| lookup bloboperations on OperationName
| project-rename
EventOriginalUid = CorrelationId
, EventOriginalType=OperationName
@ -51,12 +52,11 @@ ParserQuery: |
, EventProduct='Azure File Storage'
, EventVendor='Microsoft'
, EventSchemaVersion='0.1.0'
, TargetFilePath=tostring(split(Uri,'?')[0])
, TargetFilePath=tostring(split(TargetUrl,'?')[0])
, TargetFilePathFormat='URL'
, SrcIpAddr=tostring(split(CallerIpAddress,':')[0])
, SrcPortNumber=tostring(split(CallerIpAddress,':')[1])
| extend TargetFileName=tostring(split(TargetFilePath,'/')['-1'])
| lookup bloboperations on OperationName
// Aliases
| extend
FilePath=TargetFilePath
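Review bot: `split(TargetFilePath,'/')['-1']` in L108 indexes the split result with the string `'-1'` rather than the integer `-1`; the Sysmon parsers in this commit use `[-1]`, and on a dynamic array a quoted key reads as a property-bag lookup, so this likely leaves TargetFileName empty — confirm on a sample row and change to `| extend TargetFileName=tostring(split(TargetFilePath,'/')[-1])`. The JSON storage parsers (L16, L28, L84) carry the same `['-1']`. The enclosing `ParserQuery` block starts before this hunk.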


@ -24,15 +24,15 @@ ParserQuery: |
, "CreateQueue", "CreateFile"
, "DeleteQueue", "DeleteFile"
, "DeleteMessage", "DeleteFile"
, "GetQueue", "FileAccessed""
, "GetMessage", "FileAccessed""
, "GetMessages", "FileAccessed""
, "PeekMessage", "FileAccessed""
, "PeekMessages", "FileAccessed""
, "PutMessage", "FileCreated""
, "GetQueue", "FileAccessed"
, "GetMessage", "FileAccessed"
, "GetMessages", "FileAccessed"
, "PeekMessage", "FileAccessed"
, "PeekMessages", "FileAccessed"
, "PutMessage", "FileCreated"
, "UpdateMessage", "FileModified"
];
StorageTableLogs
StorageQueueLogs
// **** relevant data filtering;
| where OperationName in (queueoperations)
//


@ -13,7 +13,7 @@ References:
- Title: ASIM
Link: https://aka.ms/AzSentinelNormalization
Description: ASIM Sysmon/Event File Creation Event Parser (event number 11)
ParserName: vimFileEventCreateMicrosoftSysmon
ParserName: vimFileEventMicrosoftSysmonCreated
ParserQuery: |
let Sysmon11=(){
Event
@ -49,8 +49,7 @@ ParserQuery: |
, TargetFilePath=TargetFilename
,TargetFileName=TargetFileName_wo_Path
| extend
User = ActorUsername
, Process = ActingProcessName
Process = ActingProcessName
, Dvc = DvcHostname
, FilePath = TargetFilePath
};Sysmon11


@ -13,7 +13,7 @@ References:
- Title: ASIM
Link: https://aka.ms/AzSentinelNormalization
Description: ASIM Sysmon/Event File Deletion Event Parser (event number 23)
ParserName: vimFileEventDeleteMicrosoftSysmon
ParserName: vimFileEventMicrosoftSysmonDeleted
ParserQuery: |
let Sysmon23_26=(){
Event
@ -56,7 +56,7 @@ ParserQuery: |
, TargetFileSHA256=SHA256
, TargetFileIMPHASH=IMPHASH
, EventMessage=RenderedDescription
, TargetFilePath=TargetFileName
, TargetFilePath=TargetFilename
,TargetFileName=TargetFileName_wo_Path
| extend
User = ActorUsername
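Review bot: The `Description` at L167 says this parser covers event number 23, while the JSON copy's displayName (L69) and the query itself (`EventID in (23,26)`, visible in L73) cover both 23 and 26; suggest `Description: ASIM Sysmon/Event File Deletion Event Parser (event numbers 23 and 26)`. The `extend` that begins at L180 continues past the end of this hunk.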