Update UIs

2026-02-17 07:03:58 +00:00 · 2020-01-23 13:58:25 -05:00
parent c50bdf8d7e
commit 95477bb818
4 changed files with 45 additions and 417 deletions
--- a/grafana/Grafana-DMARC_Reports.json
+++ b/grafana/Grafana-DMARC_Reports.json
@@ -2579,7 +2579,7 @@
          "unit": "none"
        },
        {
-          "alias": "Arrival_Date_(UTC)",
+          "alias": "Arrival_Date",
          "colorMode": null,
          "colors": [
            "rgba(245, 54, 54, 0.9)",
@@ -2609,6 +2609,22 @@
          "thresholds": [],
          "type": "number",
          "unit": "short"
+        },
+         {
+          "alias": "Sender",
+          "colorMode": null,
+          "colors": [
+            "rgba(245, 54, 54, 0.9)",
+            "rgba(237, 129, 40, 0.89)",
+            "rgba(50, 172, 45, 0.97)"
+          ],
+          "dateFormat": "YYYY-MM-DD HH:mm:ss",
+          "decimals": 2,
+          "mappingType": 1,
+          "pattern": "sample.headers.sender.keyword",
+          "thresholds": [],
+          "type": "number",
+          "unit": "short"
        },
        {
          "alias": "To",
--- a/kibana/export.ndjson
+++ b/kibana/export.ndjson
--- a/kibana/kibana_saved_objects.json
+++ b/kibana/kibana_saved_objects.json
--- a/splunk/dmarc_forensic_dashboard.xml
+++ b/splunk/dmarc_forensic_dashboard.xml
@@ -38,12 +38,11 @@
      <title>Forensic samples</title>
      <table>
        <search>
-          <query>index="email" sourcetype="dmarc:forensic" | spath "parsed_sample.from.address" | search "parsed_sample.from.address"=$header_from$ | spath "parsed_sample.to{}.address" | search "parsed_sample.to{}.address"=$header_to$ | spath "parsed_sample.subject" | search "parsed_sample.subject"=$header_subject$ | spath "source.ip_address" | search "source.ip_address"=$source_ip_address$ | spath "source.reverse_dns" | search "source.reverse_dns"=$source_reverse_dns$| spath "source.country" | search "source.country"=$source_country$ | fillnull value="none" | stats count by arrival_date_utc, parsed_sample.from.address, parsed_sample.to{}.address, parsed_sample.subject  | sort -arrival_date_utc</query>
+          <query>index="email_ess" sourcetype="dmarc:forensic" parsed_sample.headers.From=$header_from$ parsed_sample.headers.To=$header_to$ parsed_sample.headers.Subject=$header_subject$ source.ip_address=$source_ip_address$ source.reverse_dns=$source_reverse_dns$ source.country=$source_country$ | fillnull value="none" | stats count by arrival_date_utc,parsed_sample.headers.From,parsed_sample.headers.Sender,parsed_sample.headers.To,parsed_sample.headers.Reply-To,parsed_sample.headers.Subject | sort -arrival_date_utc</query>
          <earliest>$time_range.earliest$</earliest>
          <latest>$time_range.latest$</latest>
        </search>
        <option name="drilldown">none</option>
-        <option name="refresh.display">progressbar</option>
        <option name="totalsRow">false</option>
        <format type="number" field="count">
          <option name="precision">0</option>
@@ -56,7 +55,7 @@
      <title>Forensic samples by country</title>
      <map>
        <search>
-          <query>index="email" sourcetype="dmarc:forensic" | spath "parsed_sample.from.address" | search "parsed_sample.from.address"=$header_from$ | spath "parsed_sample.to{}.address" | search "parsed_sample.to{}.address"=$header_to$ | spath "parsed_sample.subject" | search "parsed_sample.subject"=$header_subject$ | spath "source.ip_address" | search "source.ip_address"=$source_ip_address$ | spath "source.reverse_dns" | search "source.reverse_dns"=$source_reverse_dns$| spath "source.country" | search "source.country"=$source_country$ | iplocation source.ip_address | stats count by Country | geom geo_countries featureIdField="Country"</query>
+          <query>index="email_ess" sourcetype="dmarc:forensic" parsed_sample.headers.From=$header_from$ parsed_sample.headers.To=$header_to$ parsed_sample.headers.Subject=$header_subject$ source.ip_address=$source_ip_address$ source.reverse_dns=$source_reverse_dns$ source.country=$source_country$ | iplocation source.ip_address | stats count by Country | geom geo_countries featureIdField="Country"</query>
          <earliest>$time_range.earliest$</earliest>
          <latest>$time_range.latest$</latest>
        </search>
@@ -71,7 +70,7 @@
      <title>Forensic samples by IP address</title>
      <table>
        <search>
-          <query>index="email" sourcetype="dmarc:forensic" sourcetype="dmarc:forensic" | spath "parsed_sample.from.address" | search "parsed_sample.from.address"=$header_from$ | spath "parsed_sample.to{}.address" | search "parsed_sample.to{}.address"=$header_to$ | spath "parsed_sample.subject" | search "parsed_sample.subject"=$header_subject$ | spath "source.ip_address" | search "source.ip_address"=$source_ip_address$ | spath "source.reverse_dns" | search "source.reverse_dns"=$source_reverse_dns$| spath "source.country" | search "source.country"=$source_country$ | fillnull value="none" | iplocation source.ip_address | stats count by source.ip_address,source.reverse_dns,Country | sort -count</query>
+          <query>index="email_ess" sourcetype="dmarc:forensic" sourcetype="dmarc:forensic" parsed_sample.headers.From=$header_from$ parsed_sample.headers.To=$header_to$ parsed_sample.headers.Subject=$header_subject$ source.ip_address=$source_ip_address$ source.reverse_dns=$source_reverse_dns$ source.country=$source_country$ | fillnull value="none" | iplocation source.ip_address | stats count by source.ip_address,source.reverse_dns,Country | sort -count</query>
          <earliest>$time_range.earliest$</earliest>
          <latest>$time_range.latest$</latest>
        </search>
@@ -85,7 +84,7 @@
      <title>Forensic samples by country ISO code</title>
      <table>
        <search>
-          <query>index="email" sourcetype="dmarc:forensic" | spath "parsed_sample.from.address" | search "parsed_sample.from.address"=$header_from$ | spath "parsed_sample.to{}.address" | search "parsed_sample.to{}.address"=$header_to$ | spath "parsed_sample.subject" | search "parsed_sample.subject"=$header_subject$ | spath "source.ip_address" | search "source.ip_address"=$source_ip_address$ | spath "source.reverse_dns" | search "source.reverse_dns"=$source_reverse_dns$| spath "source.country" | search "source.country"=$source_country$ | stats count by source.country | sort - count</query>
+          <query>index="email_ess" sourcetype="dmarc:forensic" parsed_sample.headers.From=$header_from$ parsed_sample.headers.To=$header_to$ parsed_sample.headers.Subject=$header_subject$ source.ip_address=$source_ip_address$ source.reverse_dns=$source_reverse_dns$ source.country=$source_country$ | stats count by source.country | sort - count</query>
          <earliest>$time_range.earliest$</earliest>
          <latest>$time_range.latest$</latest>
        </search>
@@ -96,4 +95,4 @@
      </table>
    </panel>
  </row>
-</form>
+</form>