From 26f62082c3ac2aaf05791ff472e15d4dddc360f4 Mon Sep 17 00:00:00 2001
From: Sean Whalen <44679+seanthegeek@users.noreply.github.com>
Date: Wed, 27 Mar 2024 15:40:19 -0400
Subject: [PATCH] Update Splunk dashboards

---
 splunk/dmarc_aggregate_dashboard.xml | 156 ++++++++++++++++-----------
 splunk/dmarc_forensic_dashboard.xml  |  36 ++++---
 2 files changed, 114 insertions(+), 78 deletions(-)

diff --git a/splunk/dmarc_aggregate_dashboard.xml b/splunk/dmarc_aggregate_dashboard.xml
index ed40115..89a5920 100644
--- a/splunk/dmarc_aggregate_dashboard.xml
+++ b/splunk/dmarc_aggregate_dashboard.xml
@@ -1,6 +1,17 @@
-<form theme="dark">
+<form theme="dark" version="1.1">
   <label>Aggregate DMARC data</label>
   <description>A summary of aggregate DMARC report data</description>
+  <search id="base_search">
+    <query>
+      index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=$org_name$ source_reverse_dns=$source_reverse_dns$ header_from=$header_from$ envelope_from=$envelope_from$ disposition=$disposition$ source_ip_address=$source_ip_address$ source_base_domain=$source_base_domain$ source_country=$source_country$
+      | table *
+      | rename spf_results{}.domain as envelope_domain spf_results{}.result as spf_result spf_results{}.scope as spf_scope dkim_results{}.selector as dkim_selector dkim_results{}.domain as dkim_domain dkim_results{}.result as dkim_result
+      | fillnull value=null source_reverse_dns source_base_domain dkim_selector dkim_domain dkim_result source_type source_name
+      | search dkim_selector=$dkim_selector$ dkim_domain=$dkim_domain$ source_type=$source_type$ source_name=$source_name$
+    </query>
+    <earliest>$time_range.earliest$</earliest>
+    <latest>$time_range.latest$</latest>
+  </search>
   <fieldset submitButton="false" autoRun="true">
     <input type="dropdown" token="spf_aligned" searchWhenChanged="true">
       <label>SPF alignment</label>
@@ -27,10 +38,6 @@
       <label>Reporting organization</label>
       <default>*</default>
     </input>
-    <input type="text" token="source_reverse_dns" searchWhenChanged="true">
-      <label>Source reverse DNS</label>
-      <default>*</default>
-    </input>
     <input type="text" token="header_from" searchWhenChanged="true">
       <label>Message header from</label>
       <default>*</default>
@@ -51,14 +58,42 @@
       <label>Source IP address</label>
       <default>*</default>
     </input>
+    <input type="text" token="source_reverse_dns" searchWhenChanged="true">
+      <label>Source reverse DNS</label>
+      <default>*</default>
+    </input>
     <input type="text" token="source_base_domain" searchWhenChanged="true">
       <label>Source base domain</label>
       <default>*</default>
     </input>
+    <input type="dropdown" token="source_type" searchWhenChanged="true">
+      <label>Source type</label>
+      <default>*</default>
+      <initialValue>*</initialValue>
+      <choice value="*">any</choice>
+      <fieldForLabel>source_type</fieldForLabel>
+      <fieldForValue>source_type</fieldForValue>
+      <search>
+        <query>index="email_ess" sourcetype="dmarc:aggregate"
+        | stats count by source_type</query>
+      </search>
+    </input>
+    <input type="text" token="source_name" searchWhenChanged="true">
+      <label>Source name</label>
+      <default>*</default>
+    </input>
     <input type="text" token="source_country" searchWhenChanged="true">
       <label>Source country ISO code</label>
       <default>*</default>
     </input>
+    <input type="text" token="dkim_selector" searchWhenChanged="true">
+      <label>DKIM selector</label>
+      <default>*</default>
+    </input>
+    <input type="text" token="dkim_domain" searchWhenChanged="true">
+      <label>DKIM domain</label>
+      <default>*</default>
+    </input>
     <input type="time" token="time_range" searchWhenChanged="true">
       <label>Time range</label>
       <default>
@@ -71,10 +106,8 @@
     <panel>
       <title>SPF alignment</title>
       <chart>
-        <search>
-          <query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=$org_name$ source_reverse_dns=$source_reverse_dns$ header_from=$header_from$ envelope_from=$envelope_from$ disposition=$disposition$ source_ip_address=$source_ip_address$ source_base_domain=$source_base_domain$ source_country=$source_country$ | chart sum(message_count) by spf_aligned</query>
-          <earliest>$time_range.earliest$</earliest>
-          <latest>$time_range.latest$</latest>
+        <search base="base_search">
+          <query>| stats sum(message_count) as message_count by spf_aligned</query>
         </search>
         <option name="charting.chart">pie</option>
         <option name="charting.drilldown">none</option>
@@ -83,10 +116,8 @@
     <panel>
       <title>DKIM alignment</title>
       <chart>
-        <search>
-          <query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=$org_name$ source_reverse_dns=$source_reverse_dns$ header_from=$header_from$ envelope_from=$envelope_from$ disposition=$disposition$ source_ip_address=$source_ip_address$ source_base_domain=$source_base_domain$ source_country=$source_country$ | chart sum(message_count) by dkim_aligned</query>
-          <earliest>$time_range.earliest$</earliest>
-          <latest>$time_range.latest$</latest>
+        <search base="base_search">
+          <query> | stats sum(message_count) by dkim_aligned</query>
         </search>
         <option name="charting.chart">pie</option>
         <option name="charting.drilldown">none</option>
@@ -96,10 +127,8 @@
     <panel>
       <title>Passed DMARC</title>
       <chart>
-        <search>
-          <query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=$org_name$ source_reverse_dns=$source_reverse_dns$ header_from=$header_from$ envelope_from=$envelope_from$ disposition=$disposition$ source_ip_address=$source_ip_address$ source_base_domain=$source_base_domain$ source_country=$source_country$ | chart sum(message_count) by passed_dmarc</query>
-          <earliest>$time_range.earliest$</earliest>
-          <latest>$time_range.latest$</latest>
+        <search base="base_search">
+          <query>| stats sum(message_count) by passed_dmarc</query>
         </search>
         <option name="charting.chart">pie</option>
         <option name="charting.drilldown">none</option>
@@ -110,12 +139,11 @@
     <panel>
       <title>Reporting organizations</title>
       <table>
-        <search>
-          <query>index="email" sourcetype="dmarc:aggregate" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=$org_name$ source_reverse_dns=$source_reverse_dns$ header_from=$header_from$ envelope_from=$envelope_from$ disposition=$disposition$ source_ip_address=$source_ip_address$ source_base_domain=$source_base_domain$ source_country=$source_country$ | chart sum(message_count) by org_name | sort -sum(message_count)</query>
-          <earliest>$time_range.earliest$</earliest>
-          <latest>$time_range.latest$</latest>
+        <search base="base_search">
+          <query>| stats sum(message_count) as message_count by org_name | sort -message_count</query>
         </search>
         <option name="drilldown">none</option>
+        <option name="refresh.display">progressbar</option>
         <format type="number" field="sum(message_count)">
           <option name="precision">0</option>
         </format>
@@ -124,12 +152,11 @@
     <panel>
       <title>Message sources by reverse DNS</title>
       <table>
-        <search>
-          <query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=$org_name$ source_reverse_dns=$source_reverse_dns$ header_from=$header_from$ envelope_from=$envelope_from$ disposition=$disposition$ source_ip_address=$source_ip_address$ source_base_domain=$source_base_domain$ source_country=$source_country$ | fillnull value="none" | chart sum(message_count) by source_base_domain | sort -sum(message_count)</query>
-          <earliest>$time_range.earliest$</earliest>
-          <latest>$time_range.latest$</latest>
+        <search base="base_search">
+          <query>| fillnull value="none" | stats sum(message_count) as message_count by source_base_domain | sort -message_count</query>
         </search>
         <option name="drilldown">none</option>
+        <option name="refresh.display">progressbar</option>
         <format type="number" field="sum(message_count)">
           <option name="precision">0</option>
         </format>
@@ -138,26 +165,35 @@
     <panel>
       <title>Message volume by header from</title>
       <table>
-        <search>
-          <query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=$org_name$ source_reverse_dns=$source_reverse_dns$ header_from=$header_from$ envelope_from=$envelope_from$ disposition=$disposition$ source_ip_address=$source_ip_address$ source_base_domain=$source_base_domain$ source_country=$source_country$ | chart sum(message_count) by header_from  | sort -sum(message_count)</query>
-          <earliest>$time_range.earliest$</earliest>
-          <latest>$time_range.latest$</latest>
+        <search base="base_search">
+          <query>| stats sum(message_count) as message_count by header_from  | sort -message_count</query>
         </search>
         <option name="drilldown">none</option>
+        <option name="refresh.display">progressbar</option>
         <format type="number" field="sum(message_count)">
           <option name="precision">0</option>
         </format>
       </table>
     </panel>
   </row>
+  <row>
+    <panel>
+      <title>Message sources by name and type</title>
+      <table>
+        <search base="base_search">
+          <query> | stats sum(message_count) as message_count by source_name, source_type | sort -message_count</query>
+        </search>
+        <option name="drilldown">none</option>
+        <option name="refresh.display">progressbar</option>
+      </table>
+    </panel>
+  </row>
   <row>
     <panel>
       <title>DMARC passage over time</title>
       <chart>
-        <search>
-          <query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=$org_name$ source_reverse_dns=$source_reverse_dns$ header_from=$header_from$ envelope_from=$envelope_from$ disposition=$disposition$ source_ip_address=$source_ip_address$ source_base_domain=$source_base_domain$ source_country=$source_country$ | chart sum(message_count) by _time,passed_dmarc</query>
-          <earliest>$time_range.earliest$</earliest>
-          <latest>$time_range.latest$</latest>
+        <search base="base_search">
+          <query>| timechart sum(message_count) as message_count by passed_dmarc</query>
         </search>
         <option name="charting.axisTitleX.text">Time</option>
         <option name="charting.axisTitleX.visibility">visible</option>
@@ -168,6 +204,7 @@
         <option name="charting.drilldown">none</option>
         <option name="charting.legend.placement">right</option>
         <option name="height">280</option>
+        <option name="refresh.display">progressbar</option>
       </chart>
     </panel>
   </row>
@@ -175,15 +212,16 @@
     <panel>
       <title>Message disposition over time</title>
       <chart>
-        <search>
-          <query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=$org_name$ source_reverse_dns=$source_reverse_dns$ header_from=$header_from$ envelope_from=$envelope_from$ disposition=$disposition$ source_ip_address=$source_ip_address$ source_base_domain=$source_base_domain$ source_country=$source_country$ | chart sum(message_count) by _time,disposition</query>
-          <earliest>$time_range.earliest$</earliest>
-          <latest>$time_range.latest$</latest>
+        <search base="base_search">
+          <query>| timechart sum(message_count) as message_count by disposition</query>
         </search>
         <option name="charting.axisTitleX.text">Time</option>
         <option name="charting.axisTitleY.text">Messages</option>
         <option name="charting.chart">line</option>
+        <option name="charting.chart.nullValueMode">zero</option>
+        <option name="charting.chart.showDataLabels">none</option>
         <option name="charting.drilldown">none</option>
+        <option name="refresh.display">progressbar</option>
       </chart>
     </panel>
   </row>
@@ -191,10 +229,8 @@
     <panel>
       <title>Message volume by source country</title>
       <map>
-        <search>
-          <query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=$org_name$ source_reverse_dns=$source_reverse_dns$ header_from=$header_from$ envelope_from=$envelope_from$ disposition=$disposition$ source_ip_address=$source_ip_address$ source_base_domain=$source_base_domain$ source_country=$source_country$ | iplocation source_ip_address | stats count by Country | geom geo_countries featureIdField="Country"</query>
-          <earliest>$time_range.earliest$</earliest>
-          <latest>$time_range.latest$</latest>
+        <search base="base_search">
+          <query> | iplocation source_ip_address | stats count by Country | geom geo_countries featureIdField="Country"</query>
         </search>
         <option name="drilldown">none</option>
         <option name="height">566</option>
@@ -206,14 +242,13 @@
     <panel>
       <title>Source countries</title>
       <table>
-        <search>
-          <query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=$org_name$ source_reverse_dns=$source_reverse_dns$ header_from=$header_from$ envelope_from=$envelope_from$ disposition=$disposition$ source_ip_address=$source_ip_address$ source_base_domain=$source_base_domain$ source_country=$source_country$ | stats sum(message_count) by source_country | sort -sum(message_count)</query>
-          <earliest>$time_range.earliest$</earliest>
-          <latest>$time_range.latest$</latest>
+        <search base="base_search">
+          <query>| stats sum(message_count) as message_count by source_country | sort -message_count</query>
         </search>
         <option name="count">20</option>
         <option name="drilldown">none</option>
         <option name="percentagesRow">false</option>
+        <option name="refresh.display">progressbar</option>
         <format type="number" field="sum(message_count)">
           <option name="precision">0</option>
         </format>
@@ -224,13 +259,12 @@
     <panel>
       <title>Message sources by IP address</title>
       <table>
-        <search>
-          <query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=$org_name$ source_reverse_dns=$source_reverse_dns$ header_from=$header_from$ envelope_from=$envelope_from$ disposition=$disposition$ source_ip_address=$source_ip_address$ source_base_domain=$source_base_domain$ source_country=$source_country$ | stats sum(message_count) by source_ip_address,source_reverse_dns,source_base_domain,source_country | sort -sum(message_count)</query>
-          <earliest>$time_range.earliest$</earliest>
-          <latest>$time_range.latest$</latest>
+        <search base="base_search">
+          <query>| stats sum(message_count) as message_count by source_ip_address,source_reverse_dns,source_base_domain,source_country | sort -message_count</query>
         </search>
         <option name="drilldown">none</option>
-        <format type="number" field="sum(message_count)">
+        <option name="refresh.display">progressbar</option>
+        <format type="number" field="message_count">
           <option name="precision">0</option>
         </format>
       </table>
@@ -238,15 +272,15 @@
   </row>
   <row>
     <panel>
-      <title>SPF alignment details</title>
+      <title>SPF details</title>
       <table>
-        <search>
-          <query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=$org_name$ source_reverse_dns=$source_reverse_dns$ header_from=$header_from$ envelope_from=$envelope_from$ disposition=$disposition$ source_ip_address=$source_ip_address$ source_base_domain=$source_base_domain$ source_country=$source_country$ | fillnull value="none" | stats sum(message_count) by header_from,envelope_from,spf_results{}.result,spf_aligned,source_base_domain  | sort -sum(message_count)</query>
-          <earliest>$time_range.earliest$</earliest>
-          <latest>$time_range.latest$</latest>
+        <search base="base_search">
+          <query>| stats sum(message_count) as message_count by header_from,envelope_from,spf_result,spf_aligned,source_base_domain 
+| sort -message_count</query>
         </search>
         <option name="drilldown">none</option>
-        <format type="number" field="sum(message_count)">
+        <option name="refresh.display">progressbar</option>
+        <format type="number" field="message_count">
           <option name="precision">0</option>
         </format>
       </table>
@@ -254,14 +288,14 @@
   </row>
   <row>
     <panel>
-      <title>DKIM alignment details</title>
+      <title>DKIM details</title>
       <table>
-        <search>
-          <query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=$org_name$ source_reverse_dns=$source_reverse_dns$ header_from=$header_from$ envelope_from=$envelope_from$ disposition=$disposition$ source_ip_address=$source_ip_address$ source_base_domain=$source_base_domain$ source_country=$source_country$ | fillnull value="none" | stats sum(message_count) by header_from,dkim_results{}.selector,dkim_results{}.domain,dkim_results{}.result,dkim_aligned,source_base_domain | sort -sum(message_count)</query>
-          <earliest>$time_range.earliest$</earliest>
-          <latest>$time_range.latest$</latest>
+        <search base="base_search">
+          <query>| stats sum(message_count) as message_count by header_from,dkim_selector,dkim_domain,dkim_result,source_base_domain 
+| sort -message_count</query>
         </search>
         <option name="drilldown">none</option>
+        <option name="refresh.display">progressbar</option>
       </table>
     </panel>
   </row>
diff --git a/splunk/dmarc_forensic_dashboard.xml b/splunk/dmarc_forensic_dashboard.xml
index 6338ccc..be3b290 100644
--- a/splunk/dmarc_forensic_dashboard.xml
+++ b/splunk/dmarc_forensic_dashboard.xml
@@ -1,5 +1,13 @@
-<form theme="dark">
+<form theme="dark" version="1.1">
   <label>Forensic DMARC Data</label>
+  <search id="base_search">
+    <query>
+      index="email" sourcetype="dmarc:forensic" parsed_sample.headers.From=$header_from$ parsed_sample.headers.To=$header_to$ parsed_sample.headers.Subject=$header_subject$ source.ip_address=$source_ip_address$ source.reverse_dns=$source_reverse_dns$ source.country=$source_country$
+      | table *
+    </query>
+    <earliest>$time_range.earliest$</earliest>
+    <latest>$time_range.latest$</latest>
+  </search>
   <fieldset submitButton="false" autoRun="true">
     <input type="text" token="header_from" searchWhenChanged="true">
       <label>Message header from</label>
@@ -37,12 +45,11 @@
     <panel>
       <title>Forensic samples</title>
       <table>
-        <search>
-          <query>index="email" sourcetype="dmarc:forensic" parsed_sample.headers.From=$header_from$ parsed_sample.headers.To=$header_to$ parsed_sample.headers.Subject=$header_subject$ source.ip_address=$source_ip_address$ source.reverse_dns=$source_reverse_dns$ source.country=$source_country$ | fillnull value="none" | stats count by arrival_date_utc,parsed_sample.headers.From,parsed_sample.headers.Sender,parsed_sample.headers.To,parsed_sample.headers.Reply-To,parsed_sample.headers.Subject | sort -arrival_date_utc</query>
-          <earliest>$time_range.earliest$</earliest>
-          <latest>$time_range.latest$</latest>
+        <search base="base_search">
+          <query>| table arrival_date_utc authentication_results parsed_sample.headers.From,parsed_sample.headers.To,parsed_sample.headers.Subject | sort -arrival_date_utc</query>
         </search>
         <option name="drilldown">none</option>
+        <option name="refresh.display">progressbar</option>
         <option name="totalsRow">false</option>
         <format type="number" field="count">
           <option name="precision">0</option>
@@ -54,10 +61,8 @@
     <panel>
       <title>Forensic samples by country</title>
       <map>
-        <search>
-          <query>index="email" sourcetype="dmarc:forensic" parsed_sample.headers.From=$header_from$ parsed_sample.headers.To=$header_to$ parsed_sample.headers.Subject=$header_subject$ source.ip_address=$source_ip_address$ source.reverse_dns=$source_reverse_dns$ source.country=$source_country$ | iplocation source.ip_address | stats count by Country | geom geo_countries featureIdField="Country"</query>
-          <earliest>$time_range.earliest$</earliest>
-          <latest>$time_range.latest$</latest>
+        <search base="base_search">
+          <query>| iplocation source.ip_address| stats count by Country | geom geo_countries featureIdField="Country"</query>
         </search>
         <option name="drilldown">none</option>
         <option name="height">519</option>
@@ -69,12 +74,11 @@
     <panel>
       <title>Forensic samples by IP address</title>
       <table>
-        <search>
-          <query>index="email" sourcetype="dmarc:forensic" sourcetype="dmarc:forensic" parsed_sample.headers.From=$header_from$ parsed_sample.headers.To=$header_to$ parsed_sample.headers.Subject=$header_subject$ source.ip_address=$source_ip_address$ source.reverse_dns=$source_reverse_dns$ source.country=$source_country$ | fillnull value="none" | iplocation source.ip_address | stats count by source.ip_address,source.reverse_dns,Country | sort -count</query>
-          <earliest>$time_range.earliest$</earliest>
-          <latest>$time_range.latest$</latest>
+        <search base="base_search">
+          <query>| iplocation source.ip_address | stats count by source.ip_address,source.reverse_dns | sort -count</query>
         </search>
         <option name="drilldown">none</option>
+        <option name="refresh.display">progressbar</option>
         <format type="number" field="count">
           <option name="precision">0</option>
         </format>
@@ -83,10 +87,8 @@
     <panel>
       <title>Forensic samples by country ISO code</title>
       <table>
-        <search>
-          <query>index="email" sourcetype="dmarc:forensic" parsed_sample.headers.From=$header_from$ parsed_sample.headers.To=$header_to$ parsed_sample.headers.Subject=$header_subject$ source.ip_address=$source_ip_address$ source.reverse_dns=$source_reverse_dns$ source.country=$source_country$ | stats count by source.country | sort - count</query>
-          <earliest>$time_range.earliest$</earliest>
-          <latest>$time_range.latest$</latest>
+        <search base="base_search">
+          <query>| stats count by source.country | sort - count</query>
         </search>
         <option name="drilldown">none</option>
         <format type="number" field="count">