mirror of
https://github.com/domainaware/parsedmarc.git
synced 2026-02-17 07:03:58 +00:00
Update Splunk dashboards
This commit is contained in:
Sean Whalen
@@ -1,6 +1,17 @@
|
|||||||
<form theme="dark">
|
<form theme="dark" version="1.1">
|
||||||
<label>Aggregate DMARC data</label>
|
<label>Aggregate DMARC data</label>
|
||||||
<description>A summary of aggregate DMARC report data</description>
|
<description>A summary of aggregate DMARC report data</description>
|
||||||
|
<search id="base_search">
|
||||||
|
<query>
|
||||||
|
index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=$org_name$ source_reverse_dns=$source_reverse_dns$ header_from=$header_from$ envelope_from=$envelope_from$ disposition=$disposition$ source_ip_address=$source_ip_address$ source_base_domain=$source_base_domain$ source_country=$source_country$
|
||||||
|
| table *
|
||||||
|
| rename spf_results{}.domain as envelope_domain spf_results{}.result as spf_result spf_results{}.scope as spf_scope dkim_results{}.selector as dkim_selector dkim_results{}.domain as dkim_domain dkim_results{}.result as dkim_result
|
||||||
|
| fillnull value=null source_reverse_dns source_base_domain dkim_selector dkim_domain dkim_result source_type source_name
|
||||||
|
| search dkim_selector=$dkim_selector$ dkim_domain=$dkim_domain$ source_type=$source_type$ source_name=$source_name$
|
||||||
|
</query>
|
||||||
|
<earliest>$time_range.earliest$</earliest>
|
||||||
|
<latest>$time_range.latest$</latest>
|
||||||
|
</search>
|
||||||
<fieldset submitButton="false" autoRun="true">
|
<fieldset submitButton="false" autoRun="true">
|
||||||
<input type="dropdown" token="spf_aligned" searchWhenChanged="true">
|
<input type="dropdown" token="spf_aligned" searchWhenChanged="true">
|
||||||
<label>SPF alignment</label>
|
<label>SPF alignment</label>
|
||||||
@@ -27,10 +38,6 @@
|
|||||||
<label>Reporting organization</label>
|
<label>Reporting organization</label>
|
||||||
<default>*</default>
|
<default>*</default>
|
||||||
</input>
|
</input>
|
||||||
<input type="text" token="source_reverse_dns" searchWhenChanged="true">
|
|
||||||
<label>Source reverse DNS</label>
|
|
||||||
<default>*</default>
|
|
||||||
</input>
|
|
||||||
<input type="text" token="header_from" searchWhenChanged="true">
|
<input type="text" token="header_from" searchWhenChanged="true">
|
||||||
<label>Message header from</label>
|
<label>Message header from</label>
|
||||||
<default>*</default>
|
<default>*</default>
|
||||||
@@ -51,14 +58,42 @@
|
|||||||
<label>Source IP address</label>
|
<label>Source IP address</label>
|
||||||
<default>*</default>
|
<default>*</default>
|
||||||
</input>
|
</input>
|
||||||
|
<input type="text" token="source_reverse_dns" searchWhenChanged="true">
|
||||||
|
<label>Source reverse DNS</label>
|
||||||
|
<default>*</default>
|
||||||
|
</input>
|
||||||
<input type="text" token="source_base_domain" searchWhenChanged="true">
|
<input type="text" token="source_base_domain" searchWhenChanged="true">
|
||||||
<label>Source base domain</label>
|
<label>Source base domain</label>
|
||||||
<default>*</default>
|
<default>*</default>
|
||||||
</input>
|
</input>
|
||||||
|
<input type="dropdown" token="source_type" searchWhenChanged="true">
|
||||||
|
<label>Source type</label>
|
||||||
|
<default>*</default>
|
||||||
|
<initialValue>*</initialValue>
|
||||||
|
<choice value="*">any</choice>
|
||||||
|
<fieldForLabel>source_type</fieldForLabel>
|
||||||
|
<fieldForValue>source_type</fieldForValue>
|
||||||
|
<search>
|
||||||
|
<query>index="email_ess" sourcetype="dmarc:aggregate"
|
||||||
|
| stats count by source_type</query>
|
||||||
|
</search>
|
||||||
|
</input>
|
||||||
|
<input type="text" token="source_name" searchWhenChanged="true">
|
||||||
|
<label>Source name</label>
|
||||||
|
<default>*</default>
|
||||||
|
</input>
|
||||||
<input type="text" token="source_country" searchWhenChanged="true">
|
<input type="text" token="source_country" searchWhenChanged="true">
|
||||||
<label>Source country ISO code</label>
|
<label>Source country ISO code</label>
|
||||||
<default>*</default>
|
<default>*</default>
|
||||||
</input>
|
</input>
|
||||||
|
<input type="text" token="dkim_selector" searchWhenChanged="true">
|
||||||
|
<label>DKIM selector</label>
|
||||||
|
<default>*</default>
|
||||||
|
</input>
|
||||||
|
<input type="text" token="dkim_domain" searchWhenChanged="true">
|
||||||
|
<label>DKIM domain</label>
|
||||||
|
<default>*</default>
|
||||||
|
</input>
|
||||||
<input type="time" token="time_range" searchWhenChanged="true">
|
<input type="time" token="time_range" searchWhenChanged="true">
|
||||||
<label>Time range</label>
|
<label>Time range</label>
|
||||||
<default>
|
<default>
|
||||||
@@ -71,10 +106,8 @@
|
|||||||
<panel>
|
<panel>
|
||||||
<title>SPF alignment</title>
|
<title>SPF alignment</title>
|
||||||
<chart>
|
<chart>
|
||||||
<search>
|
<search base="base_search">
|
||||||
<query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=$org_name$ source_reverse_dns=$source_reverse_dns$ header_from=$header_from$ envelope_from=$envelope_from$ disposition=$disposition$ source_ip_address=$source_ip_address$ source_base_domain=$source_base_domain$ source_country=$source_country$ | chart sum(message_count) by spf_aligned</query>
|
<query>| stats sum(message_count) as message_count by spf_aligned</query>
|
||||||
<earliest>$time_range.earliest$</earliest>
|
|
||||||
<latest>$time_range.latest$</latest>
|
|
||||||
</search>
|
</search>
|
||||||
<option name="charting.chart">pie</option>
|
<option name="charting.chart">pie</option>
|
||||||
<option name="charting.drilldown">none</option>
|
<option name="charting.drilldown">none</option>
|
||||||
@@ -83,10 +116,8 @@
|
|||||||
<panel>
|
<panel>
|
||||||
<title>DKIM alignment</title>
|
<title>DKIM alignment</title>
|
||||||
<chart>
|
<chart>
|
||||||
<search>
|
<search base="base_search">
|
||||||
<query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=$org_name$ source_reverse_dns=$source_reverse_dns$ header_from=$header_from$ envelope_from=$envelope_from$ disposition=$disposition$ source_ip_address=$source_ip_address$ source_base_domain=$source_base_domain$ source_country=$source_country$ | chart sum(message_count) by dkim_aligned</query>
|
<query> | stats sum(message_count) by dkim_aligned</query>
|
||||||
<earliest>$time_range.earliest$</earliest>
|
|
||||||
<latest>$time_range.latest$</latest>
|
|
||||||
</search>
|
</search>
|
||||||
<option name="charting.chart">pie</option>
|
<option name="charting.chart">pie</option>
|
||||||
<option name="charting.drilldown">none</option>
|
<option name="charting.drilldown">none</option>
|
||||||
@@ -96,10 +127,8 @@
|
|||||||
<panel>
|
<panel>
|
||||||
<title>Passed DMARC</title>
|
<title>Passed DMARC</title>
|
||||||
<chart>
|
<chart>
|
||||||
<search>
|
<search base="base_search">
|
||||||
<query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=$org_name$ source_reverse_dns=$source_reverse_dns$ header_from=$header_from$ envelope_from=$envelope_from$ disposition=$disposition$ source_ip_address=$source_ip_address$ source_base_domain=$source_base_domain$ source_country=$source_country$ | chart sum(message_count) by passed_dmarc</query>
|
<query>| stats sum(message_count) by passed_dmarc</query>
|
||||||
<earliest>$time_range.earliest$</earliest>
|
|
||||||
<latest>$time_range.latest$</latest>
|
|
||||||
</search>
|
</search>
|
||||||
<option name="charting.chart">pie</option>
|
<option name="charting.chart">pie</option>
|
||||||
<option name="charting.drilldown">none</option>
|
<option name="charting.drilldown">none</option>
|
||||||
@@ -110,12 +139,11 @@
|
|||||||
<panel>
|
<panel>
|
||||||
<title>Reporting organizations</title>
|
<title>Reporting organizations</title>
|
||||||
<table>
|
<table>
|
||||||
<search>
|
<search base="base_search">
|
||||||
<query>index="email" sourcetype="dmarc:aggregate" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=$org_name$ source_reverse_dns=$source_reverse_dns$ header_from=$header_from$ envelope_from=$envelope_from$ disposition=$disposition$ source_ip_address=$source_ip_address$ source_base_domain=$source_base_domain$ source_country=$source_country$ | chart sum(message_count) by org_name | sort -sum(message_count)</query>
|
<query>| stats sum(message_count) as message_count by org_name | sort -message_count</query>
|
||||||
<earliest>$time_range.earliest$</earliest>
|
|
||||||
<latest>$time_range.latest$</latest>
|
|
||||||
</search>
|
</search>
|
||||||
<option name="drilldown">none</option>
|
<option name="drilldown">none</option>
|
||||||
|
<option name="refresh.display">progressbar</option>
|
||||||
<format type="number" field="sum(message_count)">
|
<format type="number" field="sum(message_count)">
|
||||||
<option name="precision">0</option>
|
<option name="precision">0</option>
|
||||||
</format>
|
</format>
|
||||||
@@ -124,12 +152,11 @@
|
|||||||
<panel>
|
<panel>
|
||||||
<title>Message sources by reverse DNS</title>
|
<title>Message sources by reverse DNS</title>
|
||||||
<table>
|
<table>
|
||||||
<search>
|
<search base="base_search">
|
||||||
<query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=$org_name$ source_reverse_dns=$source_reverse_dns$ header_from=$header_from$ envelope_from=$envelope_from$ disposition=$disposition$ source_ip_address=$source_ip_address$ source_base_domain=$source_base_domain$ source_country=$source_country$ | fillnull value="none" | chart sum(message_count) by source_base_domain | sort -sum(message_count)</query>
|
<query>| fillnull value="none" | stats sum(message_count) as message_count by source_base_domain | sort -message_count</query>
|
||||||
<earliest>$time_range.earliest$</earliest>
|
|
||||||
<latest>$time_range.latest$</latest>
|
|
||||||
</search>
|
</search>
|
||||||
<option name="drilldown">none</option>
|
<option name="drilldown">none</option>
|
||||||
|
<option name="refresh.display">progressbar</option>
|
||||||
<format type="number" field="sum(message_count)">
|
<format type="number" field="sum(message_count)">
|
||||||
<option name="precision">0</option>
|
<option name="precision">0</option>
|
||||||
</format>
|
</format>
|
||||||
@@ -138,26 +165,35 @@
|
|||||||
<panel>
|
<panel>
|
||||||
<title>Message volume by header from</title>
|
<title>Message volume by header from</title>
|
||||||
<table>
|
<table>
|
||||||
<search>
|
<search base="base_search">
|
||||||
<query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=$org_name$ source_reverse_dns=$source_reverse_dns$ header_from=$header_from$ envelope_from=$envelope_from$ disposition=$disposition$ source_ip_address=$source_ip_address$ source_base_domain=$source_base_domain$ source_country=$source_country$ | chart sum(message_count) by header_from | sort -sum(message_count)</query>
|
<query>| stats sum(message_count) as message_count by header_from | sort -message_count</query>
|
||||||
<earliest>$time_range.earliest$</earliest>
|
|
||||||
<latest>$time_range.latest$</latest>
|
|
||||||
</search>
|
</search>
|
||||||
<option name="drilldown">none</option>
|
<option name="drilldown">none</option>
|
||||||
|
<option name="refresh.display">progressbar</option>
|
||||||
<format type="number" field="sum(message_count)">
|
<format type="number" field="sum(message_count)">
|
||||||
<option name="precision">0</option>
|
<option name="precision">0</option>
|
||||||
</format>
|
</format>
|
||||||
</table>
|
</table>
|
||||||
</panel>
|
</panel>
|
||||||
</row>
|
</row>
|
||||||
|
<row>
|
||||||
|
<panel>
|
||||||
|
<title>Message sources by name and type</title>
|
||||||
|
<table>
|
||||||
|
<search base="base_search">
|
||||||
|
<query> | stats sum(message_count) as message_count by source_name, source_type | sort -message_count</query>
|
||||||
|
</search>
|
||||||
|
<option name="drilldown">none</option>
|
||||||
|
<option name="refresh.display">progressbar</option>
|
||||||
|
</table>
|
||||||
|
</panel>
|
||||||
|
</row>
|
||||||
<row>
|
<row>
|
||||||
<panel>
|
<panel>
|
||||||
<title>DMARC passage over time</title>
|
<title>DMARC passage over time</title>
|
||||||
<chart>
|
<chart>
|
||||||
<search>
|
<search base="base_search">
|
||||||
<query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=$org_name$ source_reverse_dns=$source_reverse_dns$ header_from=$header_from$ envelope_from=$envelope_from$ disposition=$disposition$ source_ip_address=$source_ip_address$ source_base_domain=$source_base_domain$ source_country=$source_country$ | chart sum(message_count) by _time,passed_dmarc</query>
|
<query>| timechart sum(message_count) as message_count by passed_dmarc</query>
|
||||||
<earliest>$time_range.earliest$</earliest>
|
|
||||||
<latest>$time_range.latest$</latest>
|
|
||||||
</search>
|
</search>
|
||||||
<option name="charting.axisTitleX.text">Time</option>
|
<option name="charting.axisTitleX.text">Time</option>
|
||||||
<option name="charting.axisTitleX.visibility">visible</option>
|
<option name="charting.axisTitleX.visibility">visible</option>
|
||||||
@@ -168,6 +204,7 @@
|
|||||||
<option name="charting.drilldown">none</option>
|
<option name="charting.drilldown">none</option>
|
||||||
<option name="charting.legend.placement">right</option>
|
<option name="charting.legend.placement">right</option>
|
||||||
<option name="height">280</option>
|
<option name="height">280</option>
|
||||||
|
<option name="refresh.display">progressbar</option>
|
||||||
</chart>
|
</chart>
|
||||||
</panel>
|
</panel>
|
||||||
</row>
|
</row>
|
||||||
@@ -175,15 +212,16 @@
|
|||||||
<panel>
|
<panel>
|
||||||
<title>Message disposition over time</title>
|
<title>Message disposition over time</title>
|
||||||
<chart>
|
<chart>
|
||||||
<search>
|
<search base="base_search">
|
||||||
<query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=$org_name$ source_reverse_dns=$source_reverse_dns$ header_from=$header_from$ envelope_from=$envelope_from$ disposition=$disposition$ source_ip_address=$source_ip_address$ source_base_domain=$source_base_domain$ source_country=$source_country$ | chart sum(message_count) by _time,disposition</query>
|
<query>| timechart sum(message_count) as message_count by disposition</query>
|
||||||
<earliest>$time_range.earliest$</earliest>
|
|
||||||
<latest>$time_range.latest$</latest>
|
|
||||||
</search>
|
</search>
|
||||||
<option name="charting.axisTitleX.text">Time</option>
|
<option name="charting.axisTitleX.text">Time</option>
|
||||||
<option name="charting.axisTitleY.text">Messages</option>
|
<option name="charting.axisTitleY.text">Messages</option>
|
||||||
<option name="charting.chart">line</option>
|
<option name="charting.chart">line</option>
|
||||||
|
<option name="charting.chart.nullValueMode">zero</option>
|
||||||
|
<option name="charting.chart.showDataLabels">none</option>
|
||||||
<option name="charting.drilldown">none</option>
|
<option name="charting.drilldown">none</option>
|
||||||
|
<option name="refresh.display">progressbar</option>
|
||||||
</chart>
|
</chart>
|
||||||
</panel>
|
</panel>
|
||||||
</row>
|
</row>
|
||||||
@@ -191,10 +229,8 @@
|
|||||||
<panel>
|
<panel>
|
||||||
<title>Message volume by source country</title>
|
<title>Message volume by source country</title>
|
||||||
<map>
|
<map>
|
||||||
<search>
|
<search base="base_search">
|
||||||
<query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=$org_name$ source_reverse_dns=$source_reverse_dns$ header_from=$header_from$ envelope_from=$envelope_from$ disposition=$disposition$ source_ip_address=$source_ip_address$ source_base_domain=$source_base_domain$ source_country=$source_country$ | iplocation source_ip_address | stats count by Country | geom geo_countries featureIdField="Country"</query>
|
<query> | iplocation source_ip_address | stats count by Country | geom geo_countries featureIdField="Country"</query>
|
||||||
<earliest>$time_range.earliest$</earliest>
|
|
||||||
<latest>$time_range.latest$</latest>
|
|
||||||
</search>
|
</search>
|
||||||
<option name="drilldown">none</option>
|
<option name="drilldown">none</option>
|
||||||
<option name="height">566</option>
|
<option name="height">566</option>
|
||||||
@@ -206,14 +242,13 @@
|
|||||||
<panel>
|
<panel>
|
||||||
<title>Source countries</title>
|
<title>Source countries</title>
|
||||||
<table>
|
<table>
|
||||||
<search>
|
<search base="base_search">
|
||||||
<query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=$org_name$ source_reverse_dns=$source_reverse_dns$ header_from=$header_from$ envelope_from=$envelope_from$ disposition=$disposition$ source_ip_address=$source_ip_address$ source_base_domain=$source_base_domain$ source_country=$source_country$ | stats sum(message_count) by source_country | sort -sum(message_count)</query>
|
<query>| stats sum(message_count) as message_count by source_country | sort -message_count</query>
|
||||||
<earliest>$time_range.earliest$</earliest>
|
|
||||||
<latest>$time_range.latest$</latest>
|
|
||||||
</search>
|
</search>
|
||||||
<option name="count">20</option>
|
<option name="count">20</option>
|
||||||
<option name="drilldown">none</option>
|
<option name="drilldown">none</option>
|
||||||
<option name="percentagesRow">false</option>
|
<option name="percentagesRow">false</option>
|
||||||
|
<option name="refresh.display">progressbar</option>
|
||||||
<format type="number" field="sum(message_count)">
|
<format type="number" field="sum(message_count)">
|
||||||
<option name="precision">0</option>
|
<option name="precision">0</option>
|
||||||
</format>
|
</format>
|
||||||
@@ -224,13 +259,12 @@
|
|||||||
<panel>
|
<panel>
|
||||||
<title>Message sources by IP address</title>
|
<title>Message sources by IP address</title>
|
||||||
<table>
|
<table>
|
||||||
<search>
|
<search base="base_search">
|
||||||
<query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=$org_name$ source_reverse_dns=$source_reverse_dns$ header_from=$header_from$ envelope_from=$envelope_from$ disposition=$disposition$ source_ip_address=$source_ip_address$ source_base_domain=$source_base_domain$ source_country=$source_country$ | stats sum(message_count) by source_ip_address,source_reverse_dns,source_base_domain,source_country | sort -sum(message_count)</query>
|
<query>| stats sum(message_count) as message_count by source_ip_address,source_reverse_dns,source_base_domain,source_country | sort -message_count</query>
|
||||||
<earliest>$time_range.earliest$</earliest>
|
|
||||||
<latest>$time_range.latest$</latest>
|
|
||||||
</search>
|
</search>
|
||||||
<option name="drilldown">none</option>
|
<option name="drilldown">none</option>
|
||||||
<format type="number" field="sum(message_count)">
|
<option name="refresh.display">progressbar</option>
|
||||||
|
<format type="number" field="message_count">
|
||||||
<option name="precision">0</option>
|
<option name="precision">0</option>
|
||||||
</format>
|
</format>
|
||||||
</table>
|
</table>
|
||||||
@@ -238,15 +272,15 @@
|
|||||||
</row>
|
</row>
|
||||||
<row>
|
<row>
|
||||||
<panel>
|
<panel>
|
||||||
<title>SPF alignment details</title>
|
<title>SPF details</title>
|
||||||
<table>
|
<table>
|
||||||
<search>
|
<search base="base_search">
|
||||||
<query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=$org_name$ source_reverse_dns=$source_reverse_dns$ header_from=$header_from$ envelope_from=$envelope_from$ disposition=$disposition$ source_ip_address=$source_ip_address$ source_base_domain=$source_base_domain$ source_country=$source_country$ | fillnull value="none" | stats sum(message_count) by header_from,envelope_from,spf_results{}.result,spf_aligned,source_base_domain | sort -sum(message_count)</query>
|
<query>| stats sum(message_count) as message_count by header_from,envelope_from,spf_result,spf_aligned,source_base_domain
|
||||||
<earliest>$time_range.earliest$</earliest>
|
| sort -message_count</query>
|
||||||
<latest>$time_range.latest$</latest>
|
|
||||||
</search>
|
</search>
|
||||||
<option name="drilldown">none</option>
|
<option name="drilldown">none</option>
|
||||||
<format type="number" field="sum(message_count)">
|
<option name="refresh.display">progressbar</option>
|
||||||
|
<format type="number" field="message_count">
|
||||||
<option name="precision">0</option>
|
<option name="precision">0</option>
|
||||||
</format>
|
</format>
|
||||||
</table>
|
</table>
|
||||||
@@ -254,14 +288,14 @@
|
|||||||
</row>
|
</row>
|
||||||
<row>
|
<row>
|
||||||
<panel>
|
<panel>
|
||||||
<title>DKIM alignment details</title>
|
<title>DKIM details</title>
|
||||||
<table>
|
<table>
|
||||||
<search>
|
<search base="base_search">
|
||||||
<query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=$org_name$ source_reverse_dns=$source_reverse_dns$ header_from=$header_from$ envelope_from=$envelope_from$ disposition=$disposition$ source_ip_address=$source_ip_address$ source_base_domain=$source_base_domain$ source_country=$source_country$ | fillnull value="none" | stats sum(message_count) by header_from,dkim_results{}.selector,dkim_results{}.domain,dkim_results{}.result,dkim_aligned,source_base_domain | sort -sum(message_count)</query>
|
<query>| stats sum(message_count) as message_count by header_from,dkim_selector,dkim_domain,dkim_result,source_base_domain
|
||||||
<earliest>$time_range.earliest$</earliest>
|
| sort -message_count</query>
|
||||||
<latest>$time_range.latest$</latest>
|
|
||||||
</search>
|
</search>
|
||||||
<option name="drilldown">none</option>
|
<option name="drilldown">none</option>
|
||||||
|
<option name="refresh.display">progressbar</option>
|
||||||
</table>
|
</table>
|
||||||
</panel>
|
</panel>
|
||||||
</row>
|
</row>
|
||||||
|
|||||||
@@ -1,5 +1,13 @@
|
|||||||
<form theme="dark">
|
<form theme="dark" version="1.1">
|
||||||
<label>Forensic DMARC Data</label>
|
<label>Forensic DMARC Data</label>
|
||||||
|
<search id="base_search">
|
||||||
|
<query>
|
||||||
|
index="email" sourcetype="dmarc:forensic" parsed_sample.headers.From=$header_from$ parsed_sample.headers.To=$header_to$ parsed_sample.headers.Subject=$header_subject$ source.ip_address=$source_ip_address$ source.reverse_dns=$source_reverse_dns$ source.country=$source_country$
|
||||||
|
| table *
|
||||||
|
</query>
|
||||||
|
<earliest>$time_range.earliest$</earliest>
|
||||||
|
<latest>$time_range.latest$</latest>
|
||||||
|
</search>
|
||||||
<fieldset submitButton="false" autoRun="true">
|
<fieldset submitButton="false" autoRun="true">
|
||||||
<input type="text" token="header_from" searchWhenChanged="true">
|
<input type="text" token="header_from" searchWhenChanged="true">
|
||||||
<label>Message header from</label>
|
<label>Message header from</label>
|
||||||
@@ -37,12 +45,11 @@
|
|||||||
<panel>
|
<panel>
|
||||||
<title>Forensic samples</title>
|
<title>Forensic samples</title>
|
||||||
<table>
|
<table>
|
||||||
<search>
|
<search base="base_search">
|
||||||
<query>index="email" sourcetype="dmarc:forensic" parsed_sample.headers.From=$header_from$ parsed_sample.headers.To=$header_to$ parsed_sample.headers.Subject=$header_subject$ source.ip_address=$source_ip_address$ source.reverse_dns=$source_reverse_dns$ source.country=$source_country$ | fillnull value="none" | stats count by arrival_date_utc,parsed_sample.headers.From,parsed_sample.headers.Sender,parsed_sample.headers.To,parsed_sample.headers.Reply-To,parsed_sample.headers.Subject | sort -arrival_date_utc</query>
|
<query>| table arrival_date_utc authentication_results parsed_sample.headers.From,parsed_sample.headers.To,parsed_sample.headers.Subject | sort -arrival_date_utc</query>
|
||||||
<earliest>$time_range.earliest$</earliest>
|
|
||||||
<latest>$time_range.latest$</latest>
|
|
||||||
</search>
|
</search>
|
||||||
<option name="drilldown">none</option>
|
<option name="drilldown">none</option>
|
||||||
|
<option name="refresh.display">progressbar</option>
|
||||||
<option name="totalsRow">false</option>
|
<option name="totalsRow">false</option>
|
||||||
<format type="number" field="count">
|
<format type="number" field="count">
|
||||||
<option name="precision">0</option>
|
<option name="precision">0</option>
|
||||||
@@ -54,10 +61,8 @@
|
|||||||
<panel>
|
<panel>
|
||||||
<title>Forensic samples by country</title>
|
<title>Forensic samples by country</title>
|
||||||
<map>
|
<map>
|
||||||
<search>
|
<search base="base_search">
|
||||||
<query>index="email" sourcetype="dmarc:forensic" parsed_sample.headers.From=$header_from$ parsed_sample.headers.To=$header_to$ parsed_sample.headers.Subject=$header_subject$ source.ip_address=$source_ip_address$ source.reverse_dns=$source_reverse_dns$ source.country=$source_country$ | iplocation source.ip_address | stats count by Country | geom geo_countries featureIdField="Country"</query>
|
<query>| iplocation source.ip_address| stats count by Country | geom geo_countries featureIdField="Country"</query>
|
||||||
<earliest>$time_range.earliest$</earliest>
|
|
||||||
<latest>$time_range.latest$</latest>
|
|
||||||
</search>
|
</search>
|
||||||
<option name="drilldown">none</option>
|
<option name="drilldown">none</option>
|
||||||
<option name="height">519</option>
|
<option name="height">519</option>
|
||||||
@@ -69,12 +74,11 @@
|
|||||||
<panel>
|
<panel>
|
||||||
<title>Forensic samples by IP address</title>
|
<title>Forensic samples by IP address</title>
|
||||||
<table>
|
<table>
|
||||||
<search>
|
<search base="base_search">
|
||||||
<query>index="email" sourcetype="dmarc:forensic" sourcetype="dmarc:forensic" parsed_sample.headers.From=$header_from$ parsed_sample.headers.To=$header_to$ parsed_sample.headers.Subject=$header_subject$ source.ip_address=$source_ip_address$ source.reverse_dns=$source_reverse_dns$ source.country=$source_country$ | fillnull value="none" | iplocation source.ip_address | stats count by source.ip_address,source.reverse_dns,Country | sort -count</query>
|
<query>| iplocation source.ip_address | stats count by source.ip_address,source.reverse_dns | sort -count</query>
|
||||||
<earliest>$time_range.earliest$</earliest>
|
|
||||||
<latest>$time_range.latest$</latest>
|
|
||||||
</search>
|
</search>
|
||||||
<option name="drilldown">none</option>
|
<option name="drilldown">none</option>
|
||||||
|
<option name="refresh.display">progressbar</option>
|
||||||
<format type="number" field="count">
|
<format type="number" field="count">
|
||||||
<option name="precision">0</option>
|
<option name="precision">0</option>
|
||||||
</format>
|
</format>
|
||||||
@@ -83,10 +87,8 @@
|
|||||||
<panel>
|
<panel>
|
||||||
<title>Forensic samples by country ISO code</title>
|
<title>Forensic samples by country ISO code</title>
|
||||||
<table>
|
<table>
|
||||||
<search>
|
<search base="base_search">
|
||||||
<query>index="email" sourcetype="dmarc:forensic" parsed_sample.headers.From=$header_from$ parsed_sample.headers.To=$header_to$ parsed_sample.headers.Subject=$header_subject$ source.ip_address=$source_ip_address$ source.reverse_dns=$source_reverse_dns$ source.country=$source_country$ | stats count by source.country | sort - count</query>
|
<query>| stats count by source.country | sort - count</query>
|
||||||
<earliest>$time_range.earliest$</earliest>
|
|
||||||
<latest>$time_range.latest$</latest>
|
|
||||||
</search>
|
</search>
|
||||||
<option name="drilldown">none</option>
|
<option name="drilldown">none</option>
|
||||||
<format type="number" field="count">
|
<format type="number" field="count">
|
||||||
|
|||||||
Reference in New Issue
Block a user