From 32cfede9ac689f157b54e1a1027af4afa13ae9a6 Mon Sep 17 00:00:00 2001
From: Sean Whalen
Date: Thu, 2 May 2019 22:08:16 -0400
Subject: [PATCH] 6.3.7 Work around some unexpected IMAP responses reported in issue #75
---
 CHANGELOG.md | 8 +-
 grafana/Grafana-DMARC_Reports.json | 3305 +++++++++++++++++
 grafana/README.rst | 1 +
 parsedmarc/__init__.py | 2 +-
 .../forensic/dmarc_ruf_report_linkedin.eml | 108 +
 setup.py | 2 +-
 6 files changed, 3423 insertions(+), 3 deletions(-)
 create mode 100644 grafana/Grafana-DMARC_Reports.json
 create mode 100644 grafana/README.rst
 create mode 100644 samples/forensic/dmarc_ruf_report_linkedin.eml
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 88ca6cd..ca231bc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,13 +1,19 @@
+6.3.7
+-----
+
+- Work around some unexpected IMAP responses reported in issue #75
+
 6.3.6
 -----
 
-- Work around some unexpected IMAP responses reported in issue #70 and issue #75
+- Work around some unexpected IMAP responses reported in issue #70
 - Show correct destination folder in debug logs when moving aggregate reports
 
 6.3.5
 -----
 
 - Normalize `Delivery-Result` value in forensic/failure reports (issue #76)
+ Thanks Freddie Leeman of URIports for the troubleshooting assistance
 
 6.3.4
 -----
diff --git a/grafana/Grafana-DMARC_Reports.json b/grafana/Grafana-DMARC_Reports.json
new file mode 100644
index 0000000..30db900
--- /dev/null
+++ b/grafana/Grafana-DMARC_Reports.json
@@ -0,0 +1,3305 @@ +{ + "__inputs": [ + { + "name": "DS_ELASTICSEARCH-DMARC-AG", + "label": "Elasticsearch-dmarc-ag", + "description": "", + "type": "datasource", + "pluginId": "elasticsearch", + "pluginName": "Elasticsearch" + }, + { + "name": "DS_ELASTICSEARCH-DMARC-FO", + "label": "Elasticsearch-dmarc-fo", + "description": "", + "type": "datasource", + "pluginId": "elasticsearch", + "pluginName": "Elasticsearch" + } + ], + "__requires": [ + { + "type": "datasource", + "id": "elasticsearch", + "name": "Elasticsearch", + "version": "1.0.0" + }, + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "6.1.4" + }, + { + "type": "panel", + "id": "grafana-piechart-panel", + "name": "Pie Chart", + "version": "1.3.6" + }, + { + "type": "panel", + "id": "grafana-worldmap-panel", + "name": "Worldmap Panel", + "version": "0.2.0" + }, + { + "type": "panel", + "id": "graph", + "name": "Graph", + "version": "" + }, + { + "type": "panel", + "id": "table", + "name": "Table", + "version": "" + }, + { + "type": "panel", + "id": "text", + "name": "Text", + "version": "" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": true, + "gnetId": null, + "graphTooltip": 0, + "id": null, + "iteration": 1556527571208, + "links": [], + "panels": [ + { + "collapsed": true, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 28, + "panels": [ + { + "content": "# DMARC Summary\r\nAs the name suggests, this dashboard is the best place to start reviewing your aggregate DMARC data.\r\n\r\nAcross the top of the dashboard, three pie charts display the percentage of alignment pass/fail for SPF, DKIM, and DMARC. 
Clicking on any chart segment will filter for that value.\r\n\r\n***Note***\r\nMessages should not be considered malicious just because they failed to pass DMARC; especially if you have just started collecting data. It may be a legitimate service that needs SPF and DKIM configured correctly.\r\n\r\nStart by filtering the results to only show failed DKIM alignment. While DMARC passes if a message passes SPF or DKIM alignment, only DKIM alignment remains valid when a message is forwarded without changing the from address, which is often caused by a mailbox forwarding rule. This is because DKIM signatures are part of the message headers, whereas SPF relies on SMTP session headers.\r\n\r\nUnderneath the pie charts. you can see graphs of DMARC passage and message disposition over time.\r\n\r\nUnder the graphs you will find the most useful data tables on the dashboard. On the left, there is a list of organizations that are sending you DMARC reports. In the center, there is a list of sending servers grouped by the base domain in their reverse DNS. On the right, there is a list of email from domains, sorted by message volume.\r\n\r\nBy hovering your mouse over a data table value and using the magnifying glass icons, you can filter on our filter out different values. Start by looking at the Message Sources by Reverse DNS table. Find a sender that you recognize, such as an email marketing service, hover over it, and click on the plus (+) magnifying glass icon, to add a filter that only shows results for that sender. Now, look at the Message From Header table to the right. That shows you the domains that a sender is sending as, which might tell you which brand/business is using a particular service. With that information, you can contact them and have them set up DKIM.\r\n\r\n***Note***\r\nIf you have a lot of B2C customers, you may see a high volume of emails as your domains coming from consumer email services, such as Google/Gmail and Yahoo! 
This occurs when customers have mailbox rules in place that forward emails from an old account to a new account, which is why DKIM authentication is so important, as mentioned earlier. Similar patterns may be observed with businesses who send from reverse DNS addressees of parent, subsidiary, and outdated brands.\r\n\r\nFurther down the dashboard, you can filter by source country or source IP address.\r\n\r\nTables showing SPF and DKIM alignment details are located under the IP address table.\r\n\r\n***Note***\r\nPreviously, the alignment tables were included in a separate dashboard called DMARC Alignment Failures. That dashboard has been consolidated into the DMARC Summary dashboard. To view failures only, use the pie chart.\r\n\r\nAny other filters work the same way. You can also add your own custom temporary filters by clicking on Add Filter at the upper right of the page.\r\n\r\n# DMARC Forensic Samples\r\nThe DMARC Forensic Samples dashboard contains information on DMARC forensic reports (also known as failure reports or ruf reports). These reports contain samples of emails that have failed to pass DMARC.\r\n\r\n***Note***\r\nMost recipients do not send forensic/failure/ruf reports at all to avoid privacy leaks. Some recipients (notably Chinese webmail services) will only supply the headers of sample emails. 
Very few provide the entire email.\r\n\r\n# DMARC Alignment Guide\r\nDMARC ensures that SPF and DKM authentication mechanisms actually authenticate against the same domain that the end user sees.\r\n\r\nA message passes a DMARC check by passing DKIM or SPF, **as long as the related indicators are also in alignment.**\r\n\r\n| \t| DKIM \t| SPF \t|\r\n|-----------\t|--------------------------------------------------------------------------------------------------------------------------------------------------\t|----------------------------------------------------------------------------------------------------------------\t|\r\n| **Passing** \t| The signature in the DKIM header is validated using a public key that is published as a DNS record of the domain name specified in the signature \t| The mail server's IP address is listed in the SPF record of the domain in the SMTP envelope's mail from header \t|\r\n| **Alignment** \t| The signing domain aligns with the domain in the message's from header \t| The domain in the SMTP envelope's mail from header aligns with the domain in the message's from header \t|", + "gridPos": { + "h": 9, + "w": 24, + "x": 0, + "y": 1 + }, + "id": 26, + "links": [], + "mode": "markdown", + "timeFrom": null, + "timeShift": null, + "title": "", + "transparent": true, + "type": "text" + } + ], + "title": "Guide", + "type": "row" + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 1 + }, + "id": 30, + "panels": [], + "title": "DMARC Summary", + "type": "row" + }, + { + "aliasColors": { + "true": "#37872D" + }, + "breakPoint": "50%", + "cacheTimeout": null, + "combine": { + "label": "Others", + "threshold": 0 + }, + "datasource": "${DS_ELASTICSEARCH-DMARC-AG}", + "fontSize": "100%", + "format": "none", + "gridPos": { + "h": 9, + "w": 8, + "x": 0, + "y": 2 + }, + "id": 6, + "interval": null, + "legend": { + "percentage": true, + "show": true, + "values": true + }, + "legendType": "On graph", + "links": [], + 
"maxDataPoints": 3, + "nullPointMode": "connected", + "pieType": "donut", + "strokeWidth": 1, + "targets": [ + { + "bucketAggs": [ + { + "fake": true, + "field": "spf_aligned", + "id": "3", + "settings": { + "min_doc_count": 1, + "missing": null, + "order": "desc", + "orderBy": "_term", + "size": "0" + }, + "type": "terms" + }, + { + "field": "date_range", + "id": "2", + "settings": { + "interval": "auto", + "min_doc_count": 0, + "trimEdges": 0 + }, + "type": "date_histogram" + } + ], + "hide": false, + "metrics": [ + { + "field": "message_count", + "id": "1", + "meta": {}, + "settings": {}, + "type": "sum" + } + ], + "refId": "A", + "timeField": "date_range" + } + ], + "timeFrom": null, + "timeShift": null, + "title": "SPF Alignment", + "type": "grafana-piechart-panel", + "valueName": "total" + }, + { + "aliasColors": { + "true": "#37872D" + }, + "breakPoint": "50%", + "cacheTimeout": null, + "combine": { + "label": "Others", + "threshold": 0 + }, + "datasource": "${DS_ELASTICSEARCH-DMARC-AG}", + "fontSize": "100%", + "format": "none", + "gridPos": { + "h": 9, + "w": 8, + "x": 8, + "y": 2 + }, + "id": 2, + "interval": null, + "legend": { + "percentage": true, + "show": true, + "values": true + }, + "legendType": "On graph", + "links": [], + "maxDataPoints": 3, + "nullPointMode": "connected", + "pieType": "donut", + "strokeWidth": 1, + "targets": [ + { + "bucketAggs": [ + { + "fake": true, + "field": "dkim_aligned", + "id": "3", + "settings": { + "min_doc_count": 1, + "missing": null, + "order": "desc", + "orderBy": "_term", + "size": "0" + }, + "type": "terms" + }, + { + "field": "date_range", + "id": "2", + "settings": { + "interval": "auto", + "min_doc_count": 0, + "trimEdges": 0 + }, + "type": "date_histogram" + } + ], + "hide": false, + "metrics": [ + { + "field": "message_count", + "id": "1", + "meta": {}, + "settings": {}, + "type": "sum" + } + ], + "refId": "A", + "timeField": "date_range" + } + ], + "timeFrom": null, + "timeShift": null, + "title": "DKIM 
Alignment", + "type": "grafana-piechart-panel", + "valueName": "total" + }, + { + "aliasColors": { + "false": "#E02F44", + "true": "#37872D" + }, + "breakPoint": "50%", + "cacheTimeout": null, + "combine": { + "label": "Others", + "threshold": 0 + }, + "datasource": "${DS_ELASTICSEARCH-DMARC-AG}", + "description": "", + "fontSize": "100%", + "format": "none", + "gridPos": { + "h": 9, + "w": 8, + "x": 16, + "y": 2 + }, + "id": 5, + "interval": null, + "legend": { + "header": "", + "percentage": true, + "show": true, + "values": true + }, + "legendType": "On graph", + "links": [], + "maxDataPoints": 3, + "nullPointMode": "connected", + "pieType": "donut", + "strokeWidth": 1, + "targets": [ + { + "bucketAggs": [ + { + "fake": true, + "field": "passed_dmarc", + "id": "3", + "settings": { + "min_doc_count": 1, + "missing": null, + "order": "desc", + "orderBy": "_term", + "size": "0" + }, + "type": "terms" + }, + { + "field": "date_range", + "id": "2", + "settings": { + "interval": "auto", + "min_doc_count": 0, + "trimEdges": 0 + }, + "type": "date_histogram" + } + ], + "hide": false, + "metrics": [ + { + "field": "message_count", + "id": "1", + "meta": {}, + "settings": {}, + "type": "sum" + } + ], + "refId": "A", + "timeField": "date_range" + }, + { + "bucketAggs": [ + { + "fake": true, + "field": "dkim_aligned", + "id": "3", + "settings": { + "min_doc_count": 1, + "order": "desc", + "orderBy": "_count", + "size": "0" + }, + "type": "terms" + }, + { + "field": "date_range", + "id": "2", + "settings": { + "interval": "auto", + "min_doc_count": 0, + "trimEdges": 0 + }, + "type": "date_histogram" + } + ], + "hide": true, + "metrics": [ + { + "field": "message_count", + "id": "1", + "meta": {}, + "settings": {}, + "type": "sum" + } + ], + "refId": "B", + "timeField": "date_range" + } + ], + "timeFrom": null, + "timeShift": null, + "title": "DMARC Passage", + "type": "grafana-piechart-panel", + "valueName": "total" + }, + { + "aliasColors": { + "false": "dark-yellow" + }, + 
"bars": false, + "cacheTimeout": null, + "dashLength": 10, + "dashes": false, + "datasource": "${DS_ELASTICSEARCH-DMARC-AG}", + "decimals": null, + "fill": 1, + "gridPos": { + "h": 9, + "w": 12, + "x": 0, + "y": 11 + }, + "id": 18, + "legend": { + "alignAsTable": true, + "avg": false, + "current": false, + "hideEmpty": false, + "hideZero": false, + "max": false, + "min": false, + "rightSide": true, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [ + { + "alias": "true", + "fill": 2, + "linewidth": 2 + }, + { + "alias": "false", + "fill": 2, + "linewidth": 2 + } + ], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "bucketAggs": [ + { + "fake": true, + "field": "spf_aligned", + "id": "3", + "settings": { + "min_doc_count": 1, + "missing": null, + "order": "desc", + "orderBy": "_term", + "size": "0" + }, + "type": "terms" + }, + { + "field": "date_range", + "id": "2", + "settings": { + "interval": "86399s", + "min_doc_count": 0, + "trimEdges": 0 + }, + "type": "date_histogram" + } + ], + "hide": false, + "metrics": [ + { + "field": "message_count", + "id": "1", + "meta": {}, + "settings": { + "missing": null + }, + "type": "sum" + } + ], + "refId": "A", + "timeField": "date_range" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "SPF Passage Over Time", + "tooltip": { + "shared": true, + "sort": 2, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "none", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + 
"align": false, + "alignLevel": null + } + }, + { + "aliasColors": { + "false": "dark-yellow" + }, + "bars": false, + "cacheTimeout": null, + "dashLength": 10, + "dashes": false, + "datasource": "${DS_ELASTICSEARCH-DMARC-AG}", + "decimals": null, + "fill": 1, + "gridPos": { + "h": 9, + "w": 12, + "x": 12, + "y": 11 + }, + "id": 19, + "legend": { + "alignAsTable": true, + "avg": false, + "current": false, + "hideEmpty": false, + "hideZero": false, + "max": false, + "min": false, + "rightSide": true, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [ + { + "alias": "true", + "fill": 2, + "linewidth": 2 + }, + { + "alias": "false", + "fill": 2, + "linewidth": 2 + } + ], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "bucketAggs": [ + { + "fake": true, + "field": "dkim_aligned", + "id": "3", + "settings": { + "min_doc_count": 1, + "missing": null, + "order": "desc", + "orderBy": "_term", + "size": "0" + }, + "type": "terms" + }, + { + "field": "date_range", + "id": "2", + "settings": { + "interval": "86399s", + "min_doc_count": 0, + "trimEdges": 0 + }, + "type": "date_histogram" + } + ], + "hide": false, + "metrics": [ + { + "field": "message_count", + "id": "1", + "meta": {}, + "settings": { + "missing": null + }, + "type": "sum" + } + ], + "refId": "A", + "timeField": "date_range" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "DKIM Passage Over Time", + "tooltip": { + "shared": true, + "sort": 2, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "none", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": 
"short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": { + "false": "semi-dark-red", + "true": "dark-green" + }, + "bars": false, + "cacheTimeout": null, + "dashLength": 10, + "dashes": false, + "datasource": "${DS_ELASTICSEARCH-DMARC-AG}", + "decimals": null, + "fill": 1, + "gridPos": { + "h": 9, + "w": 12, + "x": 0, + "y": 20 + }, + "id": 7, + "legend": { + "alignAsTable": true, + "avg": false, + "current": false, + "hideEmpty": false, + "hideZero": false, + "max": false, + "min": false, + "rightSide": true, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [ + { + "alias": "true", + "fill": 2, + "linewidth": 2 + }, + { + "alias": "false", + "fill": 2, + "linewidth": 2 + } + ], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "bucketAggs": [ + { + "fake": true, + "field": "passed_dmarc", + "id": "3", + "settings": { + "min_doc_count": 1, + "missing": null, + "order": "desc", + "orderBy": "_term", + "size": "0" + }, + "type": "terms" + }, + { + "field": "date_range", + "id": "2", + "settings": { + "interval": "86399s", + "min_doc_count": 0, + "trimEdges": 0 + }, + "type": "date_histogram" + } + ], + "hide": false, + "metrics": [ + { + "field": "message_count", + "id": "1", + "meta": {}, + "settings": { + "missing": null + }, + "type": "sum" + } + ], + "refId": "A", + "timeField": "date_range" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "DMARC Passage Over Time", + "tooltip": { + "shared": true, + "sort": 2, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + 
"yaxes": [ + { + "format": "none", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": { + "none": "semi-dark-orange" + }, + "bars": false, + "cacheTimeout": null, + "dashLength": 10, + "dashes": false, + "datasource": "${DS_ELASTICSEARCH-DMARC-AG}", + "fill": 1, + "gridPos": { + "h": 9, + "w": 12, + "x": 12, + "y": 20 + }, + "id": 8, + "legend": { + "alignAsTable": true, + "avg": false, + "current": false, + "max": false, + "min": false, + "rightSide": true, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [ + { + "alias": "/.*/", + "fill": 2, + "linewidth": 2 + } + ], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "bucketAggs": [ + { + "fake": true, + "field": "disposition.keyword", + "id": "3", + "settings": { + "min_doc_count": 1, + "missing": null, + "order": "desc", + "orderBy": "_term", + "size": "0" + }, + "type": "terms" + }, + { + "field": "date_range", + "id": "2", + "settings": { + "interval": "86399s", + "min_doc_count": 0, + "trimEdges": 0 + }, + "type": "date_histogram" + } + ], + "hide": false, + "metrics": [ + { + "field": "message_count", + "id": "1", + "meta": {}, + "settings": {}, + "type": "sum" + } + ], + "refId": "A", + "timeField": "date_range" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Message Disposition Over Time", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + 
"format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "columns": [], + "datasource": "${DS_ELASTICSEARCH-DMARC-AG}", + "fontSize": "100%", + "gridPos": { + "h": 10, + "w": 8, + "x": 0, + "y": 29 + }, + "id": 9, + "links": [], + "pageSize": 20, + "scroll": true, + "showHeader": true, + "sort": { + "col": 1, + "desc": true + }, + "styles": [ + { + "alias": "Reporting Organisation", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": true, + "linkTargetBlank": true, + "linkTooltip": "Org Extra Contact Info URL (If available)", + "linkUrl": "${__cell_2:raw}", + "mappingType": 1, + "pattern": "org_name.keyword", + "thresholds": [], + "type": "number", + "unit": "short" + }, + { + "alias": "Messages", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": null, + "mappingType": 1, + "pattern": "Sum", + "thresholds": [], + "type": "number", + "unit": "none" + }, + { + "alias": "Org Extra Contact Info", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "org_extra_contact_info.keyword", + "thresholds": [], + "type": "hidden", + "unit": "short" + } + ], + "targets": [ + { + "bucketAggs": [ + { + "fake": true, + "field": "org_name.keyword", + "id": "6", + "settings": { + "min_doc_count": 1, + "missing": "-", + "order": "desc", + "orderBy": "4", + "size": "0" + }, + "type": "terms" + } + ], + "hide": false, + "metrics": [ + { + 
"field": "message_count", + "id": "4", + "meta": {}, + "settings": {}, + "type": "sum" + } + ], + "refId": "A", + "timeField": "date_range" + }, + { + "bucketAggs": [ + { + "fake": true, + "field": "org_extra_contact_info.keyword", + "id": "6", + "settings": { + "min_doc_count": 1, + "missing": null, + "order": "desc", + "orderBy": "4", + "size": "0" + }, + "type": "terms" + } + ], + "hide": false, + "metrics": [ + { + "field": "message_count", + "id": "4", + "meta": {}, + "settings": {}, + "type": "sum" + } + ], + "refId": "B", + "timeField": "date_range" + } + ], + "timeFrom": null, + "timeShift": null, + "title": "Reporting Organisations", + "transform": "table", + "type": "table" + }, + { + "columns": [], + "datasource": "${DS_ELASTICSEARCH-DMARC-AG}", + "fontSize": "100%", + "gridPos": { + "h": 10, + "w": 8, + "x": 8, + "y": 29 + }, + "id": 10, + "links": [], + "pageSize": 20, + "scroll": true, + "showHeader": true, + "sort": { + "col": 1, + "desc": true + }, + "styles": [ + { + "alias": "Messages", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": null, + "mappingType": 1, + "pattern": "Sum", + "thresholds": [], + "type": "number", + "unit": "none" + }, + { + "alias": "Reverse DNS Base", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": true, + "linkTargetBlank": true, + "linkTooltip": "https://${__cell:raw}", + "linkUrl": "https://${__cell:raw}", + "mappingType": 1, + "pattern": "source_base_domain.keyword", + "thresholds": [], + "type": "number", + "unit": "short" + } + ], + "targets": [ + { + "bucketAggs": [ + { + "fake": true, + "field": "source_base_domain.keyword", + "id": "6", + "settings": { + "min_doc_count": 1, + "missing": "none", + "order": "desc", + "orderBy": "4", + "size": 
"2000" + }, + "type": "terms" + } + ], + "hide": false, + "metrics": [ + { + "field": "message_count", + "id": "4", + "meta": {}, + "settings": {}, + "type": "sum" + } + ], + "refId": "A", + "timeField": "date_range" + } + ], + "timeFrom": null, + "timeShift": null, + "title": "Top 2000 Message Sources by Reverse DNS", + "transform": "table", + "type": "table" + }, + { + "columns": [], + "datasource": "${DS_ELASTICSEARCH-DMARC-AG}", + "fontSize": "100%", + "gridPos": { + "h": 10, + "w": 8, + "x": 16, + "y": 29 + }, + "id": 11, + "links": [], + "pageSize": 20, + "scroll": true, + "showHeader": true, + "sort": { + "col": 1, + "desc": true + }, + "styles": [ + { + "alias": "Messages", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": null, + "mappingType": 1, + "pattern": "Sum", + "thresholds": [], + "type": "number", + "unit": "none" + }, + { + "alias": "Header From", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": true, + "linkTargetBlank": true, + "linkTooltip": "https://${__cell:raw}", + "linkUrl": "https://${__cell:raw}", + "mappingType": 1, + "pattern": "header_from.keyword", + "thresholds": [], + "type": "number", + "unit": "short" + } + ], + "targets": [ + { + "bucketAggs": [ + { + "fake": true, + "field": "header_from.keyword", + "id": "6", + "settings": { + "min_doc_count": 1, + "missing": "none", + "order": "desc", + "orderBy": "4", + "size": "0" + }, + "type": "terms" + } + ], + "hide": false, + "metrics": [ + { + "field": "message_count", + "id": "4", + "meta": {}, + "settings": {}, + "type": "sum" + } + ], + "refId": "A", + "timeField": "date_range" + } + ], + "timeFrom": null, + "timeShift": null, + "title": "Message Volume by Header From", + "transform": "table", + "type": "table" + 
}, + { + "circleMaxSize": 30, + "circleMinSize": 2, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "datasource": "${DS_ELASTICSEARCH-DMARC-AG}", + "decimals": 0, + "esMetric": "Count", + "gridPos": { + "h": 10, + "w": 16, + "x": 0, + "y": 39 + }, + "hideEmpty": false, + "hideZero": false, + "id": 12, + "initialZoom": "1", + "links": [], + "locationData": "countries", + "mapCenter": "(0°, 0°)", + "mapCenterLatitude": 0, + "mapCenterLongitude": 0, + "maxDataPoints": 1, + "mouseWheelZoom": false, + "showLegend": true, + "stickyLabels": false, + "tableQueryOptions": { + "geohashField": "geohash", + "latitudeField": "latitude", + "longitudeField": "longitude", + "metricField": "metric", + "queryType": "geohash" + }, + "targets": [ + { + "bucketAggs": [ + { + "fake": true, + "field": "source_country.keyword", + "id": "7", + "settings": { + "min_doc_count": 1, + "order": "desc", + "orderBy": "4", + "size": "0" + }, + "type": "terms" + }, + { + "fake": true, + "field": "date_range", + "id": "6", + "settings": { + "interval": "auto", + "min_doc_count": 0, + "trimEdges": 0 + }, + "type": "date_histogram" + } + ], + "hide": false, + "metrics": [ + { + "field": "message_count", + "id": "4", + "meta": {}, + "settings": {}, + "type": "sum" + } + ], + "refId": "A", + "timeField": "date_range" + } + ], + "thresholds": "0,10", + "timeFrom": null, + "timeShift": null, + "title": "Map of Message Source Countries", + "type": "grafana-worldmap-panel", + "unitPlural": "", + "unitSingle": "", + "valueName": "total" + }, + { + "columns": [], + "datasource": "${DS_ELASTICSEARCH-DMARC-AG}", + "fontSize": "100%", + "gridPos": { + "h": 10, + "w": 8, + "x": 16, + "y": 39 + }, + "id": 13, + "links": [], + "pageSize": 20, + "scroll": true, + "showHeader": true, + "sort": { + "col": 6, + "desc": true + }, + "styles": [ + { + "alias": "Country", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + 
"rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "source_country.keyword", + "thresholds": [], + "type": "number", + "unit": "short" + }, + { + "alias": "Messages", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": null, + "mappingType": 1, + "pattern": "Sum", + "thresholds": [], + "type": "number", + "unit": "none" + }, + { + "alias": "Reverse DNS Base", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "source_base_domain.keyword", + "thresholds": [], + "type": "number", + "unit": "short" + } + ], + "targets": [ + { + "bucketAggs": [ + { + "fake": true, + "field": "source_country.keyword", + "id": "6", + "settings": { + "min_doc_count": 1, + "missing": "none", + "order": "desc", + "orderBy": "4", + "size": "0" + }, + "type": "terms" + } + ], + "hide": false, + "metrics": [ + { + "field": "message_count", + "id": "4", + "meta": {}, + "settings": {}, + "type": "sum" + } + ], + "refId": "A", + "timeField": "date_range" + } + ], + "timeFrom": null, + "timeShift": null, + "title": "Message Source Countries", + "transform": "table", + "type": "table" + }, + { + "columns": [], + "datasource": "${DS_ELASTICSEARCH-DMARC-AG}", + "fontSize": "100%", + "gridPos": { + "h": 9, + "w": 24, + "x": 0, + "y": 49 + }, + "id": 14, + "links": [], + "pageSize": 20, + "scroll": true, + "showHeader": true, + "sort": { + "col": 4, + "desc": true + }, + "styles": [ + { + "alias": "IP Address", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": 
"source_ip_address.keyword", + "thresholds": [], + "type": "number", + "unit": "short" + }, + { + "alias": "Reverse DNS", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "source_reverse_dns.keyword", + "thresholds": [], + "type": "number", + "unit": "short" + }, + { + "alias": "Base Domain", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": true, + "linkTargetBlank": true, + "linkTooltip": "https://${__cell:raw}", + "linkUrl": "https://${__cell:raw}", + "mappingType": 1, + "pattern": "source_base_domain.keyword", + "thresholds": [], + "type": "number", + "unit": "short" + }, + { + "alias": "Country", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "source_country.keyword", + "thresholds": [], + "type": "number", + "unit": "short" + }, + { + "alias": "Messages", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": null, + "mappingType": 1, + "pattern": "Sum", + "thresholds": [], + "type": "number", + "unit": "none" + }, + { + "alias": "Reverse DNS Base", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "source_base_domain.keyword", + "thresholds": [], + "type": "number", + "unit": "short" + } + ], + "targets": [ + { + "bucketAggs": [ + { + "fake": true, + "field": "source_ip_address.keyword", + "id": "6", + 
"settings": { + "min_doc_count": 1, + "missing": "-", + "order": "desc", + "orderBy": "4", + "size": "1000" + }, + "type": "terms" + }, + { + "fake": true, + "field": "source_reverse_dns.keyword", + "id": "7", + "settings": { + "min_doc_count": 1, + "missing": "-", + "order": "desc", + "orderBy": "4", + "size": "1000" + }, + "type": "terms" + }, + { + "fake": true, + "field": "source_base_domain.keyword", + "id": "8", + "settings": { + "min_doc_count": 1, + "missing": "-", + "order": "desc", + "orderBy": "4", + "size": "1000" + }, + "type": "terms" + }, + { + "fake": true, + "field": "source_country.keyword", + "id": "9", + "settings": { + "min_doc_count": 1, + "missing": "-", + "order": "desc", + "orderBy": "4", + "size": "1000" + }, + "type": "terms" + } + ], + "hide": false, + "metrics": [ + { + "field": "message_count", + "id": "4", + "meta": {}, + "settings": {}, + "type": "sum" + } + ], + "refId": "A", + "timeField": "date_range" + } + ], + "timeFrom": null, + "timeShift": null, + "title": "Top 1000 Message Source IP Addresses", + "transform": "table", + "type": "table" + }, + { + "columns": [], + "datasource": "${DS_ELASTICSEARCH-DMARC-AG}", + "fontSize": "100%", + "gridPos": { + "h": 9, + "w": 24, + "x": 0, + "y": 58 + }, + "id": 16, + "links": [], + "pageSize": 20, + "scroll": true, + "showHeader": true, + "sort": { + "col": 5, + "desc": true + }, + "styles": [ + { + "alias": "Header From", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "header_from.keyword", + "thresholds": [], + "type": "number", + "unit": "short" + }, + { + "alias": "Envelope From", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": false, + "linkTargetBlank": true, + "linkTooltip": 
"https://${__cell:raw}", + "linkUrl": "https://${__cell:raw}", + "mappingType": 1, + "pattern": "envelope_from.keyword", + "thresholds": [], + "type": "number", + "unit": "short" + }, + { + "alias": "SPF Result", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "spf_results.result.keyword", + "thresholds": [], + "type": "number", + "unit": "short" + }, + { + "alias": "SPF Aligned", + "colorMode": "cell", + "colors": [ + "rgba(245, 54, 54, 0.9)", + "#E02F44", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "spf_aligned", + "thresholds": [ + "0", + "1" + ], + "type": "number", + "unit": "short", + "valueMaps": [] + }, + { + "alias": "Messages", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": null, + "mappingType": 1, + "pattern": "Sum", + "thresholds": [], + "type": "number", + "unit": "none" + }, + { + "alias": "Reverse DNS Base", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": true, + "linkTargetBlank": true, + "linkTooltip": "https://${__cell:raw}", + "linkUrl": "https://${__cell:raw}", + "mappingType": 1, + "pattern": "source_base_domain.keyword", + "thresholds": [], + "type": "number", + "unit": "short" + } + ], + "targets": [ + { + "bucketAggs": [ + { + "fake": true, + "field": "header_from.keyword", + "id": "6", + "settings": { + "min_doc_count": 1, + "missing": "-", + "order": "desc", + "orderBy": "4", + "size": "0" + }, + "type": "terms" + }, + { + "fake": true, + "field": "envelope_from.keyword", + "id": "7", + "settings": { + "min_doc_count": 1, + 
"missing": "-", + "order": "desc", + "orderBy": "4", + "size": "0" + }, + "type": "terms" + }, + { + "fake": true, + "field": "spf_results.result.keyword", + "id": "8", + "settings": { + "min_doc_count": 1, + "missing": "-", + "order": "desc", + "orderBy": "4", + "size": "0" + }, + "type": "terms" + }, + { + "fake": true, + "field": "spf_aligned", + "id": "9", + "settings": { + "min_doc_count": 1, + "missing": null, + "order": "desc", + "orderBy": "4", + "size": "0" + }, + "type": "terms" + }, + { + "fake": true, + "field": "source_base_domain.keyword", + "id": "10", + "settings": { + "min_doc_count": 1, + "missing": "-", + "order": "desc", + "orderBy": "4", + "size": "0" + }, + "type": "terms" + } + ], + "hide": false, + "metrics": [ + { + "field": "message_count", + "id": "4", + "meta": {}, + "settings": {}, + "type": "sum" + } + ], + "refId": "A", + "timeField": "date_range" + } + ], + "timeFrom": null, + "timeShift": null, + "title": "SPF Alignment Details", + "transform": "table", + "type": "table" + }, + { + "columns": [], + "datasource": "${DS_ELASTICSEARCH-DMARC-AG}", + "fontSize": "100%", + "gridPos": { + "h": 9, + "w": 24, + "x": 0, + "y": 67 + }, + "id": 15, + "links": [], + "pageSize": 20, + "scroll": true, + "showHeader": true, + "sort": { + "col": 6, + "desc": true + }, + "styles": [ + { + "alias": "Header From", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "header_from.keyword", + "thresholds": [], + "type": "number", + "unit": "short" + }, + { + "alias": "DKIM Selector", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "dkim_results.selector.keyword", + "thresholds": [], + "type": "number", + "unit": "short" + }, + { + 
"alias": "DKIM Domain", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": false, + "linkTargetBlank": true, + "linkTooltip": "https://${__cell:raw}", + "linkUrl": "https://${__cell:raw}", + "mappingType": 1, + "pattern": "dkim_results.domain.keyword", + "thresholds": [], + "type": "number", + "unit": "short" + }, + { + "alias": "DKIM Result", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "dkim_results.result.keyword", + "thresholds": [], + "type": "number", + "unit": "short" + }, + { + "alias": "DKIM Aligned", + "colorMode": "cell", + "colors": [ + "rgba(245, 54, 54, 0.9)", + "#E02F44", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "dkim_aligned", + "thresholds": [ + "0", + "1" + ], + "type": "string", + "unit": "short", + "valueMaps": [ + { + "text": "True", + "value": "1" + }, + { + "text": "False", + "value": "0" + } + ] + }, + { + "alias": "Messages", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": null, + "mappingType": 1, + "pattern": "Sum", + "thresholds": [], + "type": "number", + "unit": "none" + }, + { + "alias": "Reverse DNS Base", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": true, + "linkTargetBlank": true, + "linkUrl": "https://${__cell:raw}", + "mappingType": 1, + "pattern": "source_base_domain.keyword", + "thresholds": [], + "type": "number", + "unit": "short" + } + ], + "targets": [ + { + 
"bucketAggs": [ + { + "fake": true, + "field": "header_from.keyword", + "id": "6", + "settings": { + "min_doc_count": 1, + "missing": "-", + "order": "desc", + "orderBy": "4", + "size": "0" + }, + "type": "terms" + }, + { + "fake": true, + "field": "dkim_results.selector.keyword", + "id": "7", + "settings": { + "min_doc_count": 1, + "missing": "-", + "order": "desc", + "orderBy": "4", + "size": "0" + }, + "type": "terms" + }, + { + "fake": true, + "field": "dkim_results.domain.keyword", + "id": "8", + "settings": { + "min_doc_count": 1, + "missing": "-", + "order": "desc", + "orderBy": "4", + "size": "0" + }, + "type": "terms" + }, + { + "fake": true, + "field": "dkim_results.result.keyword", + "id": "9", + "settings": { + "min_doc_count": 1, + "missing": "-", + "order": "desc", + "orderBy": "4", + "size": "0" + }, + "type": "terms" + }, + { + "fake": true, + "field": "dkim_aligned", + "id": "10", + "settings": { + "min_doc_count": 1, + "missing": null, + "order": "desc", + "orderBy": "4", + "size": "0" + }, + "type": "terms" + }, + { + "fake": true, + "field": "source_base_domain.keyword", + "id": "5", + "settings": { + "min_doc_count": 1, + "missing": "-", + "order": "desc", + "orderBy": "4", + "size": "0" + }, + "type": "terms" + } + ], + "hide": false, + "metrics": [ + { + "field": "message_count", + "id": "4", + "meta": {}, + "settings": {}, + "type": "sum" + } + ], + "refId": "A", + "timeField": "date_range" + } + ], + "timeFrom": null, + "timeShift": null, + "title": "DKIM Alignment Details", + "transform": "table", + "type": "table" + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 76 + }, + "id": 32, + "panels": [], + "title": "DMARC Forensic", + "type": "row" + }, + { + "columns": [], + "datasource": "${DS_ELASTICSEARCH-DMARC-FO}", + "fontSize": "100%", + "gridPos": { + "h": 9, + "w": 24, + "x": 0, + "y": 77 + }, + "id": 20, + "links": [], + "pageSize": 20, + "scroll": true, + "showHeader": true, + "sort": { + "col": 
null, + "desc": false + }, + "styles": [ + { + "alias": "Messages", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": null, + "mappingType": 1, + "pattern": "Sum", + "thresholds": [], + "type": "number", + "unit": "none" + }, + { + "alias": "Arrival Date (UTC)", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "arrival_date", + "thresholds": [], + "type": "date", + "unit": "short" + }, + { + "alias": "From", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "sample.headers.from.keyword", + "thresholds": [], + "type": "number", + "unit": "short" + }, + { + "alias": "To", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "sample.headers.to.keyword", + "thresholds": [], + "type": "number", + "unit": "short" + }, + { + "alias": "Reply To", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "sample.headers.reply-to.keyword", + "thresholds": [], + "type": "number", + "unit": "short" + }, + { + "alias": "Subject", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "sample.subject.keyword", + "thresholds": [], + "type": "number", + 
"unit": "short" + }, + { + "alias": "Received", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": false, + "mappingType": 1, + "pattern": "sample.headers.received.keyword", + "preserveFormat": false, + "sanitize": true, + "thresholds": [], + "type": "string", + "unit": "short" + }, + { + "alias": "Auth Failure", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "auth_failure.keyword", + "thresholds": [], + "type": "number", + "unit": "short" + }, + { + "alias": "", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "sample.body", + "preserveFormat": true, + "sanitize": false, + "thresholds": [], + "type": "string", + "unit": "short" + }, + { + "alias": "Delivery Result", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "delivery_results.keyword", + "thresholds": [], + "type": "number", + "unit": "short" + }, + { + "alias": "Auth Results", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "authentication_results.keyword", + "thresholds": [], + "type": "number", + "unit": "short" + } + ], + "targets": [ + { + "bucketAggs": [ + { + "fake": true, + "field": "arrival_date", + "id": "6", + "settings": { + "interval": "auto", + "min_doc_count": 0, + "trimEdges": 0 + }, + "type": 
"date_histogram" + }, + { + "fake": true, + "field": "sample.headers.from.keyword", + "id": "7", + "settings": { + "min_doc_count": 1, + "missing": "-", + "order": "desc", + "orderBy": "_count", + "size": "0" + }, + "type": "terms" + }, + { + "fake": true, + "field": "sample.headers.to.keyword", + "id": "8", + "settings": { + "min_doc_count": 1, + "missing": "-", + "order": "desc", + "orderBy": "_count", + "size": "0" + }, + "type": "terms" + }, + { + "fake": true, + "field": "sample.headers.reply-to.keyword", + "id": "10", + "settings": { + "min_doc_count": 1, + "missing": "-", + "order": "desc", + "orderBy": "_count", + "size": "0" + }, + "type": "terms" + }, + { + "fake": true, + "field": "auth_failure.keyword", + "id": "11", + "settings": { + "min_doc_count": 1, + "order": "desc", + "orderBy": "_count", + "size": "0" + }, + "type": "terms" + }, + { + "fake": true, + "field": "sample.subject.keyword", + "id": "12", + "settings": { + "min_doc_count": 1, + "order": "desc", + "orderBy": "_count", + "size": "0" + }, + "type": "terms" + }, + { + "fake": true, + "field": "delivery_results.keyword", + "id": "14", + "settings": { + "min_doc_count": 1, + "order": "desc", + "orderBy": "_count", + "size": "0" + }, + "type": "terms" + }, + { + "fake": true, + "field": "authentication_results.keyword", + "id": "15", + "settings": { + "min_doc_count": 1, + "order": "desc", + "orderBy": "_count", + "size": "0" + }, + "type": "terms" + }, + { + "fake": true, + "field": "sample.headers.received.keyword", + "id": "13", + "settings": { + "min_doc_count": 1, + "missing": "-", + "order": "desc", + "orderBy": "_count", + "size": "0" + }, + "type": "terms" + } + ], + "hide": false, + "metrics": [ + { + "field": "message_count", + "id": "4", + "meta": {}, + "settings": {}, + "type": "count" + } + ], + "query": "", + "refId": "A", + "timeField": "arrival_date" + } + ], + "timeFrom": null, + "timeShift": null, + "title": "Forensic Samples", + "transform": "table", + "type": "table" + }, 
+ { + "columns": [ + { + "text": "arrival_date", + "value": "arrival_date" + }, + { + "text": "sample.headers.from", + "value": "sample.headers.from" + }, + { + "text": "sample.headers.to", + "value": "sample.headers.to" + }, + { + "text": "sample.headers.reply-to", + "value": "sample.headers.reply-to" + }, + { + "text": "delivery_results", + "value": "delivery_results" + }, + { + "text": "sample.headers.return-path", + "value": "sample.headers.return-path" + }, + { + "text": "auth_failure", + "value": "auth_failure" + }, + { + "text": "sample.subject", + "value": "sample.subject" + }, + { + "text": "sample.headers.received", + "value": "sample.headers.received" + } + ], + "datasource": "${DS_ELASTICSEARCH-DMARC-FO}", + "fontSize": "100%", + "gridPos": { + "h": 9, + "w": 24, + "x": 0, + "y": 86 + }, + "id": 21, + "links": [], + "pageSize": 20, + "scroll": true, + "showHeader": true, + "sort": { + "col": null, + "desc": false + }, + "styles": [ + { + "alias": "Messages", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": null, + "mappingType": 1, + "pattern": "Sum", + "thresholds": [], + "type": "number", + "unit": "none" + }, + { + "alias": "Arrival_Date_(UTC)", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "arrival_date", + "thresholds": [], + "type": "date", + "unit": "short" + }, + { + "alias": "From", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "sample.headers.from", + "thresholds": [], + "type": "number", + "unit": "short" + }, + { + "alias": "To", + "colorMode": null, + "colors": [ + "rgba(245, 54, 
54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "sample.headers.to", + "thresholds": [], + "type": "number", + "unit": "short" + }, + { + "alias": "Reply To", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "sample.headers.reply-to", + "thresholds": [], + "type": "number", + "unit": "short" + }, + { + "alias": "Subject", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "sample.subject", + "thresholds": [], + "type": "number", + "unit": "short" + }, + { + "alias": "Received", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": false, + "mappingType": 1, + "pattern": "sample.headers.received", + "preserveFormat": false, + "sanitize": true, + "thresholds": [], + "type": "string", + "unit": "short" + }, + { + "alias": "Auth_Failure", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "auth_failure", + "thresholds": [], + "type": "number", + "unit": "short" + }, + { + "alias": "Body", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "sample.body", + "preserveFormat": true, + "sanitize": false, + "thresholds": [], + "type": "string", + "unit": "short" + }, + { + "alias": 
"Delivery_Result", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "delivery_results", + "thresholds": [], + "type": "number", + "unit": "short" + }, + { + "alias": "Return-Path", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "sample.headers.return-path", + "thresholds": [], + "type": "number", + "unit": "short" + } + ], + "targets": [ + { + "bucketAggs": [ + { + "fake": true, + "field": "arrival_date", + "id": "6", + "settings": { + "interval": "auto", + "min_doc_count": 0, + "trimEdges": 0 + }, + "type": "date_histogram" + }, + { + "fake": true, + "field": "sample.headers.from.keyword", + "id": "7", + "settings": { + "min_doc_count": 1, + "missing": "-", + "order": "desc", + "orderBy": "_count", + "size": "0" + }, + "type": "terms" + }, + { + "fake": true, + "field": "sample.headers.to.keyword", + "id": "8", + "settings": { + "min_doc_count": 1, + "missing": "-", + "order": "desc", + "orderBy": "_count", + "size": "0" + }, + "type": "terms" + }, + { + "fake": true, + "field": "sample.reply_to.address.keyword", + "id": "10", + "settings": { + "min_doc_count": 1, + "missing": "-", + "order": "desc", + "orderBy": "_count", + "size": "0" + }, + "type": "terms" + }, + { + "fake": true, + "field": "auth_failure.keyword", + "id": "11", + "settings": { + "min_doc_count": 1, + "order": "desc", + "orderBy": "_count", + "size": "0" + }, + "type": "terms" + }, + { + "fake": true, + "field": "sample.subject.keyword", + "id": "12", + "settings": { + "min_doc_count": 1, + "order": "desc", + "orderBy": "_count", + "size": "0" + }, + "type": "terms" + }, + { + "fake": true, + "field": "sample.headers.received.keyword", + "id": "13", + "settings": { + 
"min_doc_count": 1, + "missing": "-", + "order": "desc", + "orderBy": "_count", + "size": "0" + }, + "type": "terms" + } + ], + "hide": true, + "metrics": [ + { + "field": "message_count", + "id": "4", + "meta": {}, + "settings": {}, + "type": "count" + } + ], + "query": "", + "refId": "A", + "timeField": "arrival_date" + }, + { + "bucketAggs": [], + "metrics": [ + { + "field": "select field", + "id": "1", + "meta": {}, + "settings": { + "size": 500 + }, + "type": "raw_document" + } + ], + "refId": "B", + "timeField": "arrival_date" + } + ], + "timeFrom": null, + "timeShift": null, + "title": "Forensic Samples", + "transform": "json", + "type": "table" + }, + { + "circleMaxSize": 30, + "circleMinSize": 2, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "datasource": "${DS_ELASTICSEARCH-DMARC-FO}", + "decimals": 0, + "esMetric": "Count", + "gridPos": { + "h": 11, + "w": 8, + "x": 0, + "y": 95 + }, + "hideEmpty": true, + "hideZero": true, + "id": 22, + "initialZoom": "1", + "links": [], + "locationData": "countries", + "mapCenter": "(0°, 0°)", + "mapCenterLatitude": 0, + "mapCenterLongitude": 0, + "maxDataPoints": 1, + "mouseWheelZoom": false, + "showLegend": true, + "stickyLabels": false, + "tableQueryOptions": { + "geohashField": "geohash", + "labelField": "", + "latitudeField": "latitude", + "longitudeField": "longitude", + "metricField": "metric", + "queryType": "geohash" + }, + "targets": [ + { + "bucketAggs": [ + { + "fake": true, + "field": "source_country.keyword", + "id": "9", + "settings": { + "min_doc_count": 1, + "order": "desc", + "orderBy": "_term", + "size": "10" + }, + "type": "terms" + }, + { + "fake": true, + "field": "arrival_date", + "id": "7", + "settings": { + "interval": "auto", + "min_doc_count": 0, + "trimEdges": 0 + }, + "type": "date_histogram" + } + ], + "hide": false, + "metrics": [ + { + "field": "message_count", + "id": "4", + "meta": {}, + "settings": {}, + "type": "count" + } 
+ ], + "refId": "A", + "timeField": "arrival_date" + } + ], + "thresholds": "0,10", + "timeFrom": null, + "timeShift": null, + "title": "Forensic Sample Sources by Country", + "type": "grafana-worldmap-panel", + "unitPlural": "", + "unitSingle": "", + "valueName": "total" + }, + { + "columns": [], + "datasource": "${DS_ELASTICSEARCH-DMARC-FO}", + "fontSize": "100%", + "gridPos": { + "h": 11, + "w": 5, + "x": 8, + "y": 95 + }, + "id": 23, + "links": [], + "pageSize": 20, + "scroll": true, + "showHeader": true, + "sort": { + "col": 6, + "desc": true + }, + "styles": [ + { + "alias": "Country", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "source_country.keyword", + "thresholds": [], + "type": "number", + "unit": "short" + }, + { + "alias": "Messages", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": null, + "mappingType": 1, + "pattern": "Sum", + "thresholds": [], + "type": "number", + "unit": "none" + }, + { + "alias": "Reverse DNS Base", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "source_base_domain.keyword", + "thresholds": [], + "type": "number", + "unit": "short" + } + ], + "targets": [ + { + "bucketAggs": [ + { + "fake": true, + "field": "source_country.keyword", + "id": "6", + "settings": { + "min_doc_count": 1, + "missing": "none", + "order": "desc", + "orderBy": "_count", + "size": "0" + }, + "type": "terms" + } + ], + "hide": false, + "metrics": [ + { + "field": "message_count", + "id": "4", + "meta": {}, + "settings": {}, + "type": "count" + } + ], + "refId": "A", + "timeField": "arrival_date" 
+ } + ], + "timeFrom": null, + "timeShift": null, + "title": "DMARC Forensic Sample Source Countries", + "transform": "table", + "type": "table" + }, + { + "columns": [], + "datasource": "${DS_ELASTICSEARCH-DMARC-FO}", + "fontSize": "100%", + "gridPos": { + "h": 11, + "w": 11, + "x": 13, + "y": 95 + }, + "id": 24, + "links": [], + "pageSize": 20, + "scroll": true, + "showHeader": true, + "sort": { + "col": 4, + "desc": true + }, + "styles": [ + { + "alias": "IP Address", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "source_ip_address.keyword", + "thresholds": [], + "type": "number", + "unit": "short" + }, + { + "alias": "Reverse DNS", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "source_reverse_dns.keyword", + "thresholds": [], + "type": "number", + "unit": "short" + }, + { + "alias": "Base Domain", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": true, + "linkTargetBlank": true, + "linkTooltip": "https://${__cell:raw}", + "linkUrl": "https://${__cell:raw}", + "mappingType": 1, + "pattern": "source_base_domain.keyword", + "thresholds": [], + "type": "number", + "unit": "short" + }, + { + "alias": "Country", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "source_country.keyword", + "thresholds": [], + "type": "number", + "unit": "short" + }, + { + "alias": "Messages", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 
0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": null, + "mappingType": 1, + "pattern": "Sum", + "thresholds": [], + "type": "number", + "unit": "none" + }, + { + "alias": "Reverse DNS Base", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "source_base_domain.keyword", + "thresholds": [], + "type": "number", + "unit": "short" + } + ], + "targets": [ + { + "bucketAggs": [ + { + "fake": true, + "field": "source_ip_address.keyword", + "id": "6", + "settings": { + "min_doc_count": 1, + "missing": "-", + "order": "desc", + "orderBy": "_count", + "size": "1000" + }, + "type": "terms" + }, + { + "fake": true, + "field": "source_reverse_dns.keyword", + "id": "7", + "settings": { + "min_doc_count": 1, + "missing": "-", + "order": "desc", + "orderBy": "_count", + "size": "1000" + }, + "type": "terms" + }, + { + "fake": true, + "field": "source_base_domain.keyword", + "id": "8", + "settings": { + "min_doc_count": 1, + "missing": "-", + "order": "desc", + "orderBy": "_count", + "size": "1000" + }, + "type": "terms" + }, + { + "fake": true, + "field": "source_country.keyword", + "id": "9", + "settings": { + "min_doc_count": 1, + "missing": "-", + "order": "desc", + "orderBy": "_count", + "size": "1000" + }, + "type": "terms" + } + ], + "hide": false, + "metrics": [ + { + "field": "message_count", + "id": "4", + "meta": {}, + "settings": {}, + "type": "count" + } + ], + "refId": "A", + "timeField": "arrival_date" + } + ], + "timeFrom": null, + "timeShift": null, + "title": "Top 1000 Forensic Sample Source IP Addresses", + "transform": "table", + "type": "table" + } + ], + "refresh": false, + "schemaVersion": 18, + "style": "dark", + "tags": [ + "DKIM", + "Experimental", + "SPF", + "DMARC", + "Email" + ], + "templating": { + "list": [ + { + 
"datasource": "Elasticsearch-dmarc-ag", + "filters": [], + "hide": 0, + "label": "", + "name": "Filters", + "skipUrlSync": false, + "type": "adhoc" + } + ] + }, + "time": { + "from": "now-2d", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "", + "title": "DMARC Reports", + "uid": "SDksirRWz", + "version": 55 +} \ No newline at end of file diff --git a/grafana/README.rst b/grafana/README.rst new file mode 100644 index 0000000..8dfd4fd --- /dev/null +++ b/grafana/README.rst @@ -0,0 +1 @@ +Dashboards contributed by Github user Bhozar. diff --git a/parsedmarc/__init__.py b/parsedmarc/__init__.py index 355be2e..8f4674e 100644 --- a/parsedmarc/__init__.py +++ b/parsedmarc/__init__.py @@ -38,7 +38,7 @@ from parsedmarc.utils import is_outlook_msg, convert_outlook_msg from parsedmarc.utils import timestamp_to_human, human_timestamp_to_datetime from parsedmarc.utils import parse_email -__version__ = "6.3.6" +__version__ = "6.3.7" logging.basicConfig( format='%(levelname)8s:%(filename)s:%(lineno)d:' diff --git a/samples/forensic/dmarc_ruf_report_linkedin.eml b/samples/forensic/dmarc_ruf_report_linkedin.eml new file mode 100644 index 0000000..e34ee67 --- /dev/null +++ b/samples/forensic/dmarc_ruf_report_linkedin.eml 
@@ -0,0 +1,108 @@ +From dmarc-noreply@linkedin.com Tue Apr 30 02:09:16 2019 +Received: from mailf-cd.linkedin.com ([108.174.6.228]) + by example.uriports.com with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) + (MTA 2.20) + (envelope-from ) + id 1hLICq-00001z-JU + for dmarc@example.uriports.com; Tue, 30 Apr 2019 02:09:16 +0000 +Received: from [127.0.0.1] ([local]) + by mail516.prod.linkedin.com (envelope-from ) + (ecelerity 3.6.21.53563 r(Core:3.6.21.0)) with UNKNOWN + id AA/01-16018-D1AA1CC5; Tue, 30 Apr 2019 02:09:00 +0000 +Date: Tue, 30 Apr 2019 02:09:00 +0000 +Message-ID: +X-LinkedIn-Class: EMAIL_REPORTS +Subject: DMARC Failure report for example.com Mail-From: IP:10.10.10.10 +To: dmarc-noreply@linkedin.com +From: dmarc-noreply@linkedin.com +Content-Type: multipart/report; report-type=feedback-report; + boundary="_----abcdefghijklmnopqrstuv===_AA/01-16018-D1AA1CC5" +Received-SPF: pass client-ip=108.174.6.228; envelope-from=dmarc-noreply@linkedin.com; helo=mailf-cd.linkedin.com + +--_----abcdefghijklmnopqrstuv===_AA/01-16018-D1AA1CC5 +Content-Type: text/plain; charset="US-ASCII" +Content-Transfer-Encoding: 7bit + +This is an email abuse report for an email message received from IP 10.10.10.10 on Tue, 30 Apr 2019 02:09:00 +0000. +The message below did not meet the sending domain's dmarc policy. +The message below could have been accepted or rejected depending on policy. +For more information about this format please see http://tools.ietf.org/html/rfc6591 . 
+ +--_----abcdefghijklmnopqrstuv===_AA/01-16018-D1AA1CC5 +Content-Type: message/feedback-report + +Feedback-Type: auth-failure +User-Agent: Lua/1.0 +Version: 1.0 +Original-Mail-From: +Original-Rcpt-To: recipient@linkedin.com +Arrival-Date: Tue, 30 Apr 2019 02:09:00 +0000 +Message-ID: <01010101010101010101010101010101@ABAB01MS0016.someserver.loc> +Authentication-Results: dmarc=fail (p=none; dis=none) header.from=example.com +Source-IP: 10.10.10.10 +Delivery-Result: delivered +Auth-Failure: dmarc +Reported-Domain: example.com + +--_----abcdefghijklmnopqrstuv===_AA/01-16018-D1AA1CC5 +Content-Type: message/rfc822 +Content-Disposition: inline + +Return-Path: <> +Authentication-Results: mail516.prod.linkedin.com; iprev=pass policy.iprev="10.10.10.10"; spf=neutral smtp.mailfrom="" smtp.helo="mail02.someserver.com"; dkim=none (message not signed) header.d=none; tls=pass (verified) key.ciphersuite="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" key.length="256" tls.v="tlsv1.2" cert.client="OU=Domain Control Validated,CN=*.someserver.com" cert.clientissuer="C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO RSA Domain Validation Secure Server CA"; dmarc=fail (p=none; dis=none) header.from=example.com +X-OnPremExternalIP: 10.10.10.10 +Received: from [10.10.10.10] ([10.10.10.10:4227] helo=mail02.someserver.com) + by mail516.prod.linkedin.com (envelope-from <>) + (ecelerity 3.6.21.53563 r(Core:3.6.21.0)) with ESMTPS (cipher=ECDHE-RSA-AES256-GCM-SHA384 + subject="/OU=Domain Control Validated/CN=*.someserver.com") + id CA/91-26019-ABCDECC5; Tue, 30 Apr 2019 02:09:00 +0000 +Received: from DENU02MS0016.someserver.loc (10.156.68.14) by + DENU02MS0017.someserver.loc (10.10.10.9) with Microsoft SMTP Server (TLS) id + 15.0.1367.3; Tue, 30 Apr 2019 04:09:09 +0200 +Received: from DENU02MS0016.someserver.loc ([127.0.0.1]) by + DENU02MS0016.someserver.loc ([10.10.10.8]) with Microsoft SMTP Server id + 15.00.1367.000; Tue, 30 Apr 2019 04:09:09 +0200 +From: Sender +To: LinkedIn 
+Subject: Subject line, could be UTF8 encoded +Thread-Topic: Thread Topic line, could be UTF8 encoded +Thread-Index: AQHU/abcdW8+abcdLkClF52hP4alIaZT9XGh +Date: Tue, 30 Apr 2019 02:09:09 +0000 +Message-ID: <01010101010101010101010101010101@ABAB01MS0016.someserver.loc> +References: <1111111111.1111111.1111111111111.JavaMail.app@lor1-app3586.prod.linkedin.com> +In-Reply-To: <1111111111.1111111.1111111111111.JavaMail.app@lor1-app3586.prod.linkedin.com> +X-MS-Has-Attach: +X-Auto-Response-Suppress: All +X-MS-Exchange-Inbox-Rules-Loop: sender@example.com +X-MS-TNEF-Correlator: +x-ms-exchange-transport-fromentityheader: Hosted +x-ms-exchange-parent-message-id: <1111111111.1111111.1111111111111.JavaMail.app@lor1-app3586.prod.linkedin.com> +auto-submitted: auto-generated +x-ms-exchange-generated-message-source: Mailbox Rules Agent +x-exclaimer-md-config: 11111111-1111-1111-1111-111111111111 +Content-Type: multipart/alternative; + boundary="_000_0d00000000000000000d000000000000f00000s00000someserverloc_" +MIME-Version: 1.0 +X-Linkedin-fe: false + +--_000_0d00000000000000000d000000000000f00000s00000someserverloc_ +Content-Type: text/plain; charset="iso-8859-1" +Content-Transfer-Encoding: quoted-printable + +Alternative +Text + +--_000_0d00000000000000000d000000000000f00000s00000someserverloc_ +Content-Type: text/html; charset="iso-8859-1" +Content-Transfer-Encoding: quoted-printable + + + + + +HTML Text + + + +--_000_0d00000000000000000d000000000000f00000s00000someserverloc_-- +--_----abcdefghijklmnopqrstuv===_AA/01-16018-D1AA1CC5-- diff --git a/setup.py b/setup.py index f3af5dd..c8f5c99 100644 --- a/setup.py +++ b/setup.py @@ -14,7 +14,7 @@ from setuptools import setup from codecs import open from os import path -__version__ = "6.3.6" +__version__ = "6.3.7" description = "A Python package and CLI for parsing aggregate and " \ "forensic DMARC reports"
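Review bot: The redaction in the new sample samples/forensic/dmarc_ruf_report_linkedin.eml looks incomplete. The embedded message's `Received:` headers keep `DENU02MS0016.someserver.loc (10.156.68.14)` and `DENU02MS0017.someserver.loc`, while its `Message-ID` uses the placeholder host `ABAB01MS0016.someserver.loc` and every other address is `10.10.10.x`. If those are the original internal hostnames and address (this cannot be confirmed from the diff alone), the sample publishes part of the reporting sender's internal mail topology. Forensic (RUF) reports carry the original message's headers, so each host, IP, `Message-ID`, `References` and `Thread-Index` value should be replaced consistently before a sample is committed. With constructed values, that would read `Received: from ABAB01MS0016.someserver.loc (10.10.10.8) by ABAB01MS0017.someserver.loc (10.10.10.9)`.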