Network Security Monitoring: Chapter 6: Security Information and Event Management (SIEM)



Content
In this chapter, we will cover the following topics:
• SIEM Processing Phases
• SIEM Benefits and Limitations
• SIEM Functionalities
• SIEM Architecture and Components
• SIEM Implementation Methodologies
• SIEM Basic Requirements
• SIEM Deployment Models
• SIEM Use Cases
What is SIEM?

❑ It is a software solution that helps monitor, detect, and alert security events. It presents a
centralized view of the ongoing activities within the IT infrastructure.
❑ SIEM combines the functionalities of Security Information Management (SIM) and Security
Event Management (SEM) into a single platform.
✓ Security Information Management (SIM): Focuses on collecting and storing security data from various
sources like firewalls, intrusion detection systems (IDS), antivirus software, and user activity logs. It allows
for historical analysis and trend identification.

✓ Security Event Management (SEM): Focuses on real-time monitoring and analysis of security events. It
correlates data from various sources to identify potential threats, prioritize incidents, and generate alerts.

We can say that SIEMs have two general layers: a base layer of log management functionality (SIM)
and an additional layer for security analytics (SEM).
SIEM vs SOC

❑ The SIEM helps the security operations center (SOC) collect all the external
and internal data from the devices and monitor and analyze it.
❑ The SIEM solution is at the heart of the SOC; it helps SOC analysts
correlate and analyze network security events and identify unusual
or suspicious activity on the organization's IT infrastructure.
❑ The main aim of SIEM is to perform analysis on the log data and detect
threats. This process is made easier by collecting all the logs in one
centralized location.
SIEM Major Processing Phases

❑ Collect data from various sources: network devices, servers, domain controllers, etc.
❑ Normalize and aggregate the collected data, combining events from the different sources into a consistent form
❑ Analyze the data to detect and discover threats
❑ Pinpoint security breaches and enable companies to investigate alerts
Overall Benefits of SIEM

1. Collects and analyzes data from all sources in real time: SIEM tools have to take in data from every
source, so they can detect, monitor, and respond to threats effectively.
2. Utilizes machine learning to add context and situational awareness to help increase efficiency:
SIEM tools are now equipped with machine learning capabilities. This helps in identifying threats
quickly and enables monitoring of internal as well as external threats.
3. Flexible and scalable architecture improves time to value and visibility over the network: With the
amount of data coming in, a big data architecture that is both scalable and flexible is required.
✓ SIEM solutions can handle complex implementations and are capable of being deployed in a virtual environment,
in the cloud, or on premises.
✓ If there is good visibility over the network, then all the malicious behaviors and alert-causing incidents can be
observed closely.
4. Provides enhanced investigation and incident response and management
✓ SIEM solutions are capable of providing clear analytics that help improve decision-making and response
time.
✓ Data visualization and business context can help analysts interpret and respond to data in a better
manner.
✓ SIEM applies different kinds of techniques to find alert-causing incidents. This helps the organization
increase the efficiency of its investigations.
✓ SIEM solutions provide use cases after the logs are collected. This helps the security team detect and
respond to threats quickly.
5. Forensics
✓ SIEM can be used at the time of forensic investigation to find the event that initiated the attack by
analyzing the previous records. So when the same kind of incident happens
Limitations of SIEM

1. SIEM has a blind spot for unstructured data.


2. SIEM applications fail to distinguish between sensitive and non-sensitive data.
This means that they are unable to tell the difference between authorized file
activities and suspicious activities. This could cost customer data, company
security, or intellectual property.
Typical SIEM Functionalities
1. Log collection: SIEM collects logs from heterogeneous sources like Windows systems, Unix/Linux
systems, applications, databases, routers, switches, and other devices. It uses both agent-based and
agentless log collection methods.
2. Correlation: It links events as well as related data into meaningful bundles that describe a real security
incident, threat, vulnerability, or forensic finding. It is performed based on log search, rules, and alerts.
3. Real-time alerting: It analyzes events and sends alerts to SOC analysts to inform them about
immediate issues, by messaging, email, or dashboards.
4. IT compliance: SIEM includes regulatory compliance reports like PCI DSS, FISMA, GLBA, SOX, HIPAA,
etc. It is also capable of customizing and creating new compliance reports for future regulatory acts.
5. Threat hunting: It enables the security team to run queries on data, then analyze and filter the data to identify
threats or vulnerabilities.
6. Threat intelligence: SIEM is capable of analyzing data and identifying threats in the network. It not only
identifies threats but also understands their possible relation to events.
7. Log forensics: It enables users to track event activity or an attacker through its log search capability.
8. Application log monitoring: It can monitor application logs, log files, event logs, service logs,
and system logs on Windows servers, Linux servers, and Unix servers.
9. Object access auditing: SIEM notifies users about their files and folders: who accessed them,
deleted them, edited them, moved them, etc. It presents the object access reports in human-readable
formats and sends alerts if unauthorized people access any of the files/folders.
10. User activity monitoring: This feature of SIEM enables tracking of suspicious user behavior.
11. Dashboards: SOC analysts use dashboards to perform the right actions at the right time and
take correct decisions during network anomalies.
12. Reporting: It reports to users about security-related incidents and events like malware activities,
successful and failed logins, and various other malicious activities.
13. File integrity monitoring: SIEM facilitates real-time file integrity monitoring (FIM), securing
sensitive files and folders and satisfying regulatory compliance requirements.
SIEM Architecture and Its Components

▪ The typical SIEM environment consists of four major components.


Components of SIEM
1. Data Sources
▪ Most applications and the software running on them are capable of generating logs by
default. The different kinds of devices that generate logs are explained below:
✓ Network devices, such as routers, switches, printers, laptops, desktops, mobile devices,
virtual proxy networks, etc.
✓ Security tools such as firewalls, host intrusion prevention systems, firmware, antivirus
security systems, IDS, IPS, antimalware applications, etc.
✓ Servers, such as operating system logs, web servers, mail servers, application servers,
proxy servers, real-time servers, collaboration servers, etc.
✓ Applications such as antimalware tools, Internet browsers, operating
systems, and other software, etc.
2. Collectors/Agents/Connectors
• The collector is the entity that receives the information about an event generated by an
originator in the network.
• The basic activity of a collector is to collect and normalize the information obtained
from various devices before forwarding it to the central engine.
• Different types of collectors are installed, each assigned a different task: one collector
gathers information from network devices while another collector or agent collects data from the servers.
3. Central Engine
▪ The central engine is the location where data correlation and log analysis take place.
▪ Data correlation is the process of matching a series of normalized log data to determine a set of related events based on a
certain set of rules.
▪ Security analytics is the core service of the central engine; it involves analyzing log and event data to perform event
correlation, real-time monitoring, alerting, reporting, incident management, and response.
▪ It uses rule-based correlation, statistical or algorithmic correlation, and other methods to relate different events to each
other, whereas data analysis is the process of identifying the patterns and anomalies in the correlated log data that
signify an intrusion attempt or policy violation.
▪ Reporting on and analyzing the log data also take place in the central engine, as do the analysis and monitoring tasks.
▪ Reporting of a detected issue may take place in many ways, such as alerting the administrator by sending an email, raising a
ticket on the desktop, or in whatever way the user prefers.
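The normalize, aggregate and correlate sequence from the processing phases and this central-engine slide, as an added example that is not the chapter's own code: two constructed log sources (Linux sshd syslog lines and a pipe-delimited Windows Security export, both assumed formats) are mapped to one event schema, bucketed by source address, and a rule-based correlation raises an alert when a source fails authentication three times and then succeeds. The log formats, the 2024 syslog year and the rule thresholds are assumptions.

```python
"""Added example (not the chapter's own code): a small SIEM central-engine pipeline
that normalizes two heterogeneous log formats into one schema, aggregates events
per source address, and applies a rule-based correlation. Log formats, the
syslog year (2024) and the rule thresholds are assumptions."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed sample logs (not real data). Source 1: Linux sshd syslog lines.
LINUX_SSHD = [
    "Mar 12 09:00:01 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 5123 ssh2",
    "Mar 12 09:00:03 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 5124 ssh2",
    "Mar 12 09:00:05 web01 sshd[2211]: Failed password for admin from 203.0.113.7 port 5125 ssh2",
    "Mar 12 09:00:06 web01 sshd[2211]: Accepted password for admin from 203.0.113.7 port 5126 ssh2",
    "Mar 12 09:01:00 web01 sshd[2300]: Accepted publickey for deploy from 10.0.0.5 port 40000 ssh2",
]
# Source 2: an assumed pipe-delimited export of the Windows Security log
# (timestamp|host|event id|user|source ip); 4625 = failed logon, 4624 = successful logon.
WINDOWS_EVENTS = [
    "2024-03-12T09:02:10|DC01|4625|bob|198.51.100.9",
    "2024-03-12T09:02:11|DC01|4625|bob|198.51.100.9",
    "2024-03-12T09:03:00|DC01|4624|bob|198.51.100.9",
]


@dataclass
class Event:
    """The normalized schema every collector output is mapped to."""
    ts: datetime
    host: str
    user: str
    src_ip: str
    outcome: str   # "failure" or "success"
    source: str    # which log type the event came from


SSHD_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def normalize_sshd(line: str, year: int = 2024) -> Optional[Event]:
    """Map one sshd syslog line to the common schema (syslog carries no year)."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    outcome = "failure" if m["outcome"] == "Failed" else "success"
    return Event(ts, m["host"], m["user"], m["ip"], outcome, "sshd")


def normalize_windows(line: str) -> Optional[Event]:
    """Map one exported Windows logon event to the common schema."""
    parts = line.split("|")
    if len(parts) != 5 or parts[2] not in ("4624", "4625"):
        return None
    outcome = "failure" if parts[2] == "4625" else "success"
    return Event(datetime.fromisoformat(parts[0]), parts[1], parts[3], parts[4], outcome, "windows")


def correlate_bruteforce_then_success(events: List[Event], threshold: int = 3,
                                      window: timedelta = timedelta(minutes=5)) -> List[dict]:
    """Rule: >= threshold failures from one source IP followed by a success within the window."""
    by_src = defaultdict(list)          # aggregation step: bucket events by source address
    for e in events:
        by_src[e.src_ip].append(e)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        recent_failures: List[Event] = []
        for e in evs:
            # keep only failures that are still inside the sliding window
            recent_failures = [f for f in recent_failures if e.ts - f.ts <= window]
            if e.outcome == "failure":
                recent_failures.append(e)
            elif len(recent_failures) >= threshold:
                alerts.append({"src_ip": src, "host": e.host, "user": e.user,
                               "failures": len(recent_failures), "ts": e.ts})
                recent_failures = []
    return alerts


def run_pipeline() -> List[dict]:
    """Collect -> normalize -> aggregate/correlate, returning the alerts raised."""
    events = [e for e in map(normalize_sshd, LINUX_SSHD) if e]
    events += [e for e in map(normalize_windows, WINDOWS_EVENTS) if e]
    return correlate_bruteforce_then_success(events)


if __name__ == "__main__":
    for a in run_pipeline():
        print(f"ALERT {a['ts']} {a['src_ip']} -> {a['host']} user={a['user']} "
              f"after {a['failures']} failures")
```

The Windows source stays below the threshold (two failures, then success) and so produces no alert, which is the point of tuning the threshold per rule rather than alerting on every failed logon.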
4. Database
❑ Logs are stored for a certain period of time depending upon the retention policy.
❑ Log retention is the process of removing older data that has crossed the
retention period from the servers.
❑ The logs collected from various devices are stored in a central
repository/database.
❑ The log data collected from each of these devices and applications differ in
size, importance, and accessibility.
❑ In most practices, the databases are not physical devices installed
in a particular place. They are generally cloud storage, because they are used
to store huge amounts of data.
SIEM Implementation Steps
❑ Implementing and deploying a SIEM solution requires careful planning, execution and ongoing maintenance to
ensure that it is effective in detecting and responding to potential security incidents. Here are some general
steps to consider:

1. Define your requirements. Start by identifying your organization's security requirements and
objectives. This includes understanding your current security posture, potential security risks and
threats, regulatory compliance requirements, and budget constraints.

2. Choose a SIEM solution. Evaluate different options to find one that meets your organization's requirements.
Consider factors such as ease of deployment, scalability, customization options and vendor support.
3. Plan your deployment. Develop a detailed deployment plan that outlines the steps and timeline for implementing
your SIEM solution. This should include tasks such as configuring log sources, defining security policies and rules,
and testing the solution in a nonproduction environment.
4. Configure your SIEM. Once your SIEM is deployed, configure it to collect and aggregate log data from your
organization's different sources. This may involve configuring log sources such as network devices, servers,
applications and security devices.
5. Create security policies and rules. Develop security policies and rules that define how your SIEM should respond to
security events and incidents. This may include setting thresholds for alerting, defining incident response workflows, and
creating automated responses to certain types of security events.

6. Test and refine your SIEM. Refine your policies and rules as necessary to ensure that your SIEM is effective in
detecting and responding to potential security incidents.

7. Monitor and maintain your SIEM solution. Regularly monitor and maintain your SIEM to ensure that it continues to
meet your organization's security requirements. This may include updating your security policies and rules, monitoring for
new types of security threats, and performing regular security audits.
Implementation Methodologies:
❑ Phased SIEM deployment includes two approaches: the input-driven approach and the output-driven approach.
❑ Approach 1: Input Driven
➢ Phase 1: Deploying the log management component:
✓ The organization should first deploy the log management and collection architecture, either by using a
separate central log management solution or the SIEM's own log management capability.
➢ Phase 2: SIEM deployment based on the requirements of the network.
❑ Advantages
✓ Easy to deploy and gives greater visibility into user and resource access activities
✓ Improved scalability and performance
✓ Already collected data can be used to perform functions related to security analytics
✓ Data can be used for the fulfillment of non-security requirements
✓ Allows us to create forensic reports at the time of an emergency
❑ Approach 2: Output Driven: Use-Case-by-Use-Case.
➢ The SIEM tool serves its purpose by collecting the logs, analyzing them, sending alerts, and creating reports.
But at the time of deployment, this predesigned SIEM may not work effectively. In this case,
an output-driven approach is introduced.
➢ This method is implemented by considering the desired output. Sequential, one-by-one implementation of
use cases helps reach the desired scope and objective.
➢ The components, like data sources, logs, flows, context, etc., are taken one by one and analyzed by
the monitoring tool, and then the alerts and reports are produced.
➢ Based on the reports and alerts created, the severity of the condition is determined and the respective
action is taken. The required log management and SIEM components should be deployed in support of
each use case.
❑ Advantages:
✓ Possible to build more complex use cases with greater scope
✓ As one particular incident is taken care of at a time, the efficiency of the SIEM is increased
✓ Automated threat intelligence along with traditional monitoring can be done
SIEM's Scope

❑ The scope is a driver behind the implementation of SIEM.
Without a proper scope, the organization may fail while implementing SIEM in its system. Along with that, if the
use cases and requirements are defined, the deployment of a SIEM becomes easier and the output will be
more efficient.

Major scope determinants are: Audit and Compliance, Security, Operations


SIEM Operational Scope

1. Audit and Compliance


❑ When the driver is IT compliance, the process of log collection, retention, and review is taken into
consideration.
❑ SIEM includes regulatory compliance reports like PCI DSS, FISMA, GLBA, SOX, HIPAA, etc. SIEM is also
capable of customizing and creating new compliance reports for future regulatory acts.
❑ To evaluate the level of security, the risk management techniques and regulations of a network are evaluated at
the time of the audit.
❑ Examples of logging relevance to different standards:
✓ PCI DSS: The Payment Card Industry Data Security Standard (PCI DSS) applies to all organizations that handle credit card
transactions. PCI mandates logging of specific details and log review procedures to prevent credit card fraud within
companies that store, process, or transmit credit card
✓ ISO 27001: ISO 27001 is a direct descendant of ISO 17799 and British Standard 7799. ISO specifies requirements for
managing the security of information systems. Audit logging and review of audit logs, as well as their retention, are
prescribed.
2. Security
❑ When the driver is security, real-time monitoring and analysis of logs is performed
continuously.
❑ The information collected through logs may include syslog events, user IDs, system activities,
timestamps, successful or unsuccessful access attempts, configuration changes, network
addresses and protocols, and file access activities.
❑ This information is used to identify any suspicious activity, security events, or indicators of
compromise. All these techniques are applied sequentially with minimal human interaction.
3. Operations
❑ When the driver is operations, the main focus is on device management, hardware/software
maintenance, troubleshooting, etc.
❑ As there are different kinds of devices and applications in a network, each of them produces logs,
and storing, analyzing, and monitoring all these logs is a difficult task.
❑ Important events may get lost in the huge cluster of data. The relevant logs need to be surfaced,
and the irrelevant data has to be ignored.
SIEM Use Cases
▪ Collecting logs in one centralized location, managing them, analyzing them, making reports, and at the same time keeping
them secure is a hard task. SIEM is implemented to perform these tasks in a simpler and customized way, and these
tasks are treated as use cases.
▪ Once the scope is identified for SIEM implementation, SIEM use cases are defined to create a manageable SIEM
environment.
▪ Use cases are a series of actions that provide details about a particular activity. A use case can be a rule, report,
alert, or dashboard that satisfies a set of needs or requirements.
▪ Use cases are the goals behind the SIEM implementation, which enable successful implementation of SIEM in the IT
infrastructure.
Primary use cases that can impact implementation are listed below:

❑ Detecting insider abuse and unauthorized access: In a network, the attack may come from inside, from a
legitimate user, or from outside, from an attacker who wants to gain access. SIEM is used to detect insider
abuse and unauthorized access.
❑ Forensic analysis and correlation: At this stage, the attempt to compromise the network is also stored in
the log data. SIEM performs forensic analysis on the log data and generates a report. These data are stored
and can be correlated with present data to find a suspicious incident that resembles previous
attempts.
❑ Monitoring user activity: The attack may happen from inside too. So SIEM is implemented to monitor user activities in the
network, like the files they accessed, login attempts, password changes, commands they executed, the
server they are connected to, etc.
❑ Increase efficiency: SIEM is implemented in a network not only to connect the devices and collect data but
also to communicate between devices and do the work in a more efficient way. When the
SIEM detects an ongoing attack, it sends an alert to the admin, and it redefines the rules of the firewall and IDS
that allowed the attack in the first place and makes them initiate steps to prevent the threat at its
initial stage.
❑ Satisfying compliance: IT compliance is the set of rules that an IT company or organization and the
employees working in it should follow. These rules are designed to ensure the security of the organization.
SIEM satisfies these compliance requirements.
SIEM Solution Comparisons

❑ Wazuh (open source: yes; vendor: Wazuh)
✓ Major advantages: free and customizable; strong focus on anomaly detection and vulnerability management
✓ Major disadvantages: requires technical expertise for deployment and management; limited out-of-the-box integrations compared to commercial SIEMs
❑ Splunk (open source: no; vendor: Splunk)
✓ Major advantages: powerful search and analytics capabilities; scalable to handle large datasets
✓ Major disadvantages: high licensing costs; complex to set up and manage
❑ QRadar (open source: no; vendor: IBM)
✓ Major advantages: strong network traffic analysis (NTA) capabilities; integration with IBM X-Force threat intelligence
✓ Major disadvantages: vendor lock-in due to proprietary technology; can be expensive for smaller organizations
❑ ArcSight (open source: no; vendor: Micro Focus)
✓ Major advantages: user-friendly interface; advanced threat intelligence capabilities
✓ Major disadvantages: high licensing costs; complex configuration process
❑ LogRhythm (open source: no; vendor: LogRhythm)
✓ Major advantages: strong user behavior analytics (UBA) for insider threat detection; pre-built integrations with various security tools
✓ Major disadvantages: limited scalability compared to some competitors; can be expensive for smaller organizations
❑ Elastic SIEM (open source: yes; vendor: Elastic)
✓ Major advantages: free and open-source with large community support; integrates with other open-source security tools
✓ Major disadvantages: requires technical expertise for deployment and customization; limited out-of-the-box features compared to some commercial SIEMs
❑ Security Onion (open source: yes; vendor: community-driven)
✓ Major advantages: free and open-source with pre-configured security tools; easy to deploy for basic security monitoring
✓ Major disadvantages: limited scalability and customization compared to other SIEMs; requires ongoing maintenance and updates
More Use Cases: Non-legitimate or legitimate services on non-standard ports

A new use case is created based on a security incident that happened, on a risk assessment, or on a
new attack type discovered in recent trends.
❑ Non-legitimate or legitimate services on non-standard ports:
Attackers or malware might install unauthorized services on a compromised system. These services often run on
non-standard ports to avoid detection by firewalls or intrusion detection/prevention systems (IDS/IPS) configured to monitor
common ports.
General Examples:
✓ Remote access tools used by attackers for maintaining control over a compromised system.
✓ Command and control (C2) servers used by malware to communicate with attackers.
✓ Malicious software can use network protocols like HTTP or SSH to encrypt its transmissions and blend in with legitimate traffic. However, it
would be easier for the malware operator to run such network protocols on a non-standard port.
✓ Attackers can use standard services to hide their command-and-control communication, and running these on non-standard
ports can be easier for their configuration and collection purposes. This can be an indication of malware infection.
More Use Cases: Non-standard or standard services on non-standard ports: example

▪ Scenario: Malware or attackers might attempt to use DNS tunneling to exfiltrate data or establish a
command and control (C2) channel with a remote server. In this scenario, the malicious traffic is
disguised as DNS queries on port 53.

▪ How it works:
➢Traditional DNS requests follow a specific format and structure. Attackers can modify this format
to embed data within the DNS request itself. This data could be stolen information, commands for
the compromised system, or communication between the attacker and the malware.
➢The compromised system sends these disguised DNS requests to a specific DNS server
controlled by the attacker. The attacker's server then interprets the data embedded within these
requests and performs the desired actions.
More Use Cases: Services Running on Non-Standard Ports: SIEM Detection

▪ SIEM Detection will be based on two main approaches


1. Log Collection and Analysis: The SIEM collects logs from DNS servers and potentially network
devices like firewalls. It analyzes these logs for anomalies in DNS traffic patterns.
2. Identifying Suspicious Activity: Here's how a SIEM can identify potential DNS tunneling
attempts:

➢ Unusually large DNS request sizes: Legitimate DNS requests are typically small, containing information
about the domain name being queried. Large DNS requests with seemingly random data might indicate
embedded information.

➢ DNS traffic to unusual destinations: Organizations typically have well-defined DNS servers they
communicate with. Frequent DNS traffic directed towards unexpected IP addresses, especially those known
to be malicious, could be a red flag.

➢ High volume of DNS traffic: A sudden surge in DNS traffic, especially from specific infected devices, could
be a sign of a tunneling attempt.
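The three indicators just listed, applied to DNS query logs, as an added example that is not the chapter's own code: a constructed log (one query per line in an assumed `<timestamp> <client> <resolver> <qname> <qtype>` format) contains a healthy host and one host issuing long, random-looking queries at a high rate plus one query to an unapproved resolver. The approved-resolver list, the size threshold and the per-minute volume threshold are assumed tuning values.

```python
"""Added example (not the chapter's own code): the three DNS-tunneling indicators
listed on the slide, applied to constructed DNS query log lines. The log format, the
approved-resolver list and the thresholds are assumptions to be tuned per site."""
import random
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Any, Dict, List, Tuple

APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}   # assumption: the organization's DNS servers
MAX_QNAME_LEN = 60        # "unusually large" query threshold (assumed tuning value)
VOLUME_THRESHOLD = 30     # queries per client per minute (assumed tuning value)


def build_sample_log() -> List[str]:
    """Constructed log, one query per line: '<iso ts> <client> <resolver> <qname> <qtype>'."""
    rng = random.Random(7)                      # fixed seed: the sample is reproducible
    base = datetime(2024, 3, 12, 9, 0, 0)
    lines = []
    for i in range(10):                         # ordinary lookups from a healthy host
        ts = base + timedelta(seconds=6 * i)
        lines.append(f"{ts.isoformat()} 10.0.5.10 10.0.0.53 www.example.com A")
    for i in range(40):                         # tunnelling host: long random labels, high rate
        ts = base + timedelta(seconds=i)
        label = "".join(rng.choice("0123456789abcdef") for _ in range(48))
        lines.append(f"{ts.isoformat()} 10.0.5.77 10.0.0.53 {label}.t.example.net TXT")
    ts = base + timedelta(seconds=50)           # and one query straight to an unapproved resolver
    lines.append(f"{ts.isoformat()} 10.0.5.77 203.0.113.5 ping.example.net A")
    return lines


def parse(line: str) -> Dict[str, Any]:
    ts, client, resolver, qname, qtype = line.split()
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "resolver": resolver, "qname": qname, "qtype": qtype}


def detect_dns_tunneling(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (indicator, client, detail) triples for the three indicators on the slide."""
    recs = [parse(line) for line in lines]
    alerts = []
    # 1. Unusually large DNS request sizes: long names carrying seemingly random data.
    for r in recs:
        if len(r["qname"]) > MAX_QNAME_LEN:
            alerts.append(("large_query", r["client"], r["qname"]))
    # 2. DNS traffic to unusual destinations: resolvers outside the approved set.
    for r in recs:
        if r["resolver"] not in APPROVED_RESOLVERS:
            alerts.append(("unusual_destination", r["client"], r["resolver"]))
    # 3. High volume of DNS traffic: per-client query count per one-minute bucket.
    per_minute = defaultdict(int)
    for r in recs:
        minute = r["ts"].replace(second=0, microsecond=0)
        per_minute[(r["client"], minute)] += 1
    for (client, minute), n in per_minute.items():
        if n > VOLUME_THRESHOLD:
            alerts.append(("high_volume", client, f"{n} queries in minute {minute.isoformat()}"))
    return alerts


def summarize(alerts: List[Tuple[str, str, str]]) -> Dict[str, Dict[str, int]]:
    """Indicator counts per client: the view an analyst would want on a dashboard."""
    summary = defaultdict(lambda: defaultdict(int))
    for indicator, client, _ in alerts:
        summary[client][indicator] += 1
    return {client: dict(counts) for client, counts in summary.items()}


if __name__ == "__main__":
    for client, counts in summarize(detect_dns_tunneling(build_sample_log())).items():
        print(client, counts)
```

In practice the first indicator is prone to false positives from CDN and anti-spam lookups, which is why the per-client summary matters: a host that trips all three indicators at once is a far stronger signal than any one of them.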
For example, in LogRhythm, you can detect whether services are running on non-standard ports. It makes use of
three SIEM rules for such anomalies and generates alerts for them. The three rules are as follows:

➢ Rule 428 Susp:Port Misuse:HTTP: HTTP traffic not using standard port 80

➢ Rule 434 Susp:Port Misuse:SSH Out: Outbound SSH traffic not on standard SSH port 22

➢ Rule 448 Susp:Port Misuse:SSH In
More Use Cases: Non-Standard Use of Standard Ports

❑ Attackers make use of standard protocol ports to bypass firewalls or network detection systems and to
blend in with normal network activity.
❑ The most commonly used standard ports are TCP:80 (HTTP), TCP:443 (HTTPS), TCP:25 (SMTP), and
TCP/UDP:53 (DNS).
❑ An attacker may use the protocol associated with the port or a different protocol to encrypt commands
and transmissions within legitimate traffic. To detect such anomalies, you have to analyze network traffic
to identify uncommon data communication, and also analyze packet information to determine those
communications that do not match the expected protocol behavior for the port being used.
❑ LogRhythm utilizes SIEM rules for detecting such anomalies and generating alerts for them. SIEM rule
examples:
✓ non-HTTP traffic using standard HTTP port 80
✓ non-DNS traffic using standard DNS port 53
✓ non-SSH traffic using standard SSH port 22
✓ non-SSL/TLS traffic using standard port 443
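Both rule families from these slides (a known service on a non-standard port, and a non-expected protocol on a standard port) in one detector, as an added example that is neither the chapter's nor LogRhythm's code: each constructed connection record carries the application protocol identified by protocol inspection (a Zeek-style `service` field, assumed), so a rule can compare what was seen on the wire with what the destination port implies. The internal address range and the port-to-service map are assumptions.

```python
"""Added example (not the chapter's or LogRhythm's code): both rule families the
slides describe, applied to constructed connection records. Each record carries
the application protocol identified by protocol inspection (Zeek-style 'service'
field, assumed); the internal address range and port map are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]      # assumption: the org's address space
# Expected application protocol per standard port (the ports named on the slides).
PORT_TO_SERVICE = {80: "http", 443: "ssl", 25: "smtp", 53: "dns", 22: "ssh"}
SERVICE_TO_PORT = {svc: port for port, svc in PORT_TO_SERVICE.items()}


@dataclass
class Conn:
    src: str
    dst: str
    dport: int
    proto: str
    service: str   # protocol seen on the wire; "" when inspection could not identify it


# Constructed sample records (not real traffic).
SAMPLE = [
    Conn("10.0.5.10", "93.184.216.34", 443, "tcp", "ssl"),    # normal HTTPS
    Conn("10.0.5.10", "10.0.0.53", 53, "udp", "dns"),         # normal DNS
    Conn("10.0.5.77", "203.0.113.9", 8443, "tcp", "ssh"),     # outbound SSH on a non-standard port
    Conn("10.0.5.77", "203.0.113.9", 53, "tcp", "ssh"),       # SSH hiding on the DNS port
    Conn("10.0.5.31", "198.51.100.20", 80, "tcp", "ssl"),     # TLS on port 80, not HTTP
    Conn("198.51.100.44", "10.0.9.2", 2222, "tcp", "ssh"),    # inbound SSH on a non-standard port
    Conn("10.0.5.31", "198.51.100.21", 8080, "tcp", "http"),  # HTTP on 8080: common, still reported
    Conn("10.0.5.31", "198.51.100.22", 443, "tcp", ""),       # unidentified protocol on port 443
]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def direction(c: Conn) -> str:
    """Inbound/outbound matters: the slide's SSH rules are split by direction."""
    if is_internal(c.src) and not is_internal(c.dst):
        return "outbound"
    if not is_internal(c.src) and is_internal(c.dst):
        return "inbound"
    return "internal"


def check_service_on_nonstandard_port(c: Conn) -> Optional[str]:
    """Rule family 1: a known service (HTTP, SSH, ...) seen on a port other than its standard one."""
    expected = SERVICE_TO_PORT.get(c.service)
    if expected is not None and c.dport != expected:
        return (f"Port Misuse:{c.service.upper()} {direction(c)}: "
                f"{c.service} on port {c.dport}, expected {expected}")
    return None


def check_nonstandard_use_of_standard_port(c: Conn) -> Optional[str]:
    """Rule family 2: traffic on a standard port that is not the protocol expected there."""
    expected = PORT_TO_SERVICE.get(c.dport)
    if expected is not None and c.service != expected:
        seen = c.service or "unidentified"
        return f"Protocol Mismatch: non-{expected} traffic ({seen}) on standard port {c.dport}"
    return None


def evaluate(conns: List[Conn]) -> List[Tuple[str, str, str]]:
    """Run both rule families; a single record can trigger both (e.g. SSH on port 53)."""
    findings = []
    for c in conns:
        for check in (check_service_on_nonstandard_port, check_nonstandard_use_of_standard_port):
            msg = check(c)
            if msg:
                findings.append((c.src, c.dst, msg))
    return findings


if __name__ == "__main__":
    for src, dst, msg in evaluate(SAMPLE):
        print(f"{src} -> {dst}: {msg}")
```

Ports such as 8080 will need an allow-list of sanctioned alternate ports in a real deployment, otherwise the first rule family drowns the analyst in known-good proxies and development servers.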
Incident Response Flow

▪ Incident response combines various cyber security processes under a single
procedure for combating incidents and to gain quicker response; better control and
management; ease of communication; improved use of resources; even distribution of
tasks; efficient reporting; and so on.
1. Step 1: Preparation
✓ Includes performing an audit of the resources and assets to determine the purpose of security.
✓ Defining the rules, policies, and procedures that drive the incident response process.
✓ Building and training an incident response team.
✓ Defining incident readiness procedures.
✓ Gathering required tools.

2. Step 2: Incident Recording and Assignment
✓ Identification of an incident and definition of a proper incident communication plan for employees; this can include
communication methods such as informing IT support personnel or raising an appropriate ticket.
✓ Based on the ticket or the IT professional's notification, the incident response team will look into the issue,
and if it qualifies as an incident, an incident response team will be assigned and the compromised device
will be sent to the incident response team for further investigation.
3. Step 3: Incident Triage
✓ The incident will be analyzed and validated.
✓ The incident will be categorized and also prioritized in this phase.
✓ The incident response team will further analyze the compromised device to find incident details such as the type of
attack, severity, target, impact, method of propagation, and vulnerabilities it exploited.

4. Step 4: Notification
✓ The incident information will be informed to various stakeholders including management, third-party vendors, and clients.
✓ If the incident is confirmed and validated, the incident responders will communicate the issue to management for gaining
necessary approvals and permissions.
5. Step 5: Containment
✓ Simultaneously with the notification phase, the containment phase follows where the incident response team will be
containing the incident.

✓ Containment of incident is the crucial phase in order to stop the spreading of infection to other organizational assets.

6. Step 6: Evidence Gathering and Forensic Analysis

✓ Accumulate all the possible evidence related to incident and submit that to the forensic department in order to investigate
the gathered evidence.

✓ Analysis of an incident would reveal details, such as method of attack, vulnerabilities exploited, security mechanisms
averted, network devices infected, and applications compromised, that have acted as pathways to the incident.
7. Step 7: Eradication
The incident response team will remove or eliminate the root cause of the incident and close all the attack vectors
to prevent similar incidents in future.

8. Step 8: Recovery
✓ After eliminating the causes for the incidents, the incident response team is responsible for restoring the affected
systems, services, resources, and data through recovery.

✓ It is the responsibility of the incident response team to ensure that there is no disruption to the services or business of the
organization owing to the incident. Therefore, they need to recover the compromised devices, applications, systems, or
terminals as soon as possible either by replacing them or fixing the issue quickly.
9. Step 9: Post-Incident Activities

By this stage, the incident will have been contained and the systems recovered. Post-incident activities include
incident documentation, incident impact analysis, review and revision of policies, and incident disclosure.
➢ Incident Documentation
✓ The incident responders will have to document the complete process, starting from detection to recovery.
✓ This document will serve as a future reference for understanding the practices employed to handle the
incident, and can be presented to legal counsel or submitted to management.
➢ Incident Impact Assessment
✓ In the incident impact analysis, by analyzing all the information, the team assesses the impact of the damage or
loss caused by the incident to the organization and its assets.
➢ Review and Revise Policies
✓ After assessing the impact caused, the incident response team will review and revise the policies,
preparation and protection procedures, security controls, and so on to prevent future incidents.
10. Incident Disclosure
After identifying the impact of the incident, the incident response team will close the incident. After closing the
incident formally, the incident response team will discuss with the management whether to disclose the details
of the incident or not.
