mirror of
https://github.com/domainaware/parsedmarc.git
synced 2026-03-26 16:32:48 +00:00
Remove DKIM specific filters from splunk dashboards
Filtering on data that does not exist led to incomplete dashboards
This commit is contained in:
Sean Whalen
@@ -39,14 +39,6 @@
|
||||
<label>Envelope from</label>
|
||||
<default>*</default>
|
||||
</input>
|
||||
<input type="text" token="dkim_selector" searchWhenChanged="true">
|
||||
<label>DKIM selector</label>
|
||||
<default>*</default>
|
||||
</input>
|
||||
<input type="text" token="dkim_domain" searchWhenChanged="true">
|
||||
<label>DKIM domain</label>
|
||||
<default>*</default>
|
||||
</input>
|
||||
<input type="dropdown" token="disposition" searchWhenChanged="true">
|
||||
<label>Message disposition</label>
|
||||
<choice value="*">any</choice>
|
||||
@@ -76,9 +68,9 @@
|
||||
<title>SPF alignment</title>
|
||||
<chart>
|
||||
<search>
|
||||
<query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=$org_name$ source_reverse_dns=$source_reverse_dns$ header_from=$header_from$ envelope_from=$envelope_from$ dkim_results{}.selector=$dkim_selector$ dkim_results{}.domain=$dkim_domain$ disposition=$disposition$ source_ip_address=$source_ip_address$ source_country=$source_country$ | chart sum(message_count) by spf_aligned</query>
|
||||
<earliest>$time_range.earliest$</earliest>
|
||||
<latest>$time_range.latest$</latest>
|
||||
<query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=$org_name$ source_reverse_dns=$source_reverse_dns$ header_from=$header_from$ envelope_from=$envelope_from$ disposition=$disposition$ source_ip_address=$source_ip_address$ source_country=$source_country$ | chart sum(message_count) by spf_aligned</query>
|
||||
<earliest>-7d@h</earliest>
|
||||
<latest>now</latest>
|
||||
</search>
|
||||
<option name="charting.chart">pie</option>
|
||||
<option name="charting.drilldown">none</option>
|
||||
@@ -88,7 +80,7 @@
|
||||
<title>DKIM alignment</title>
|
||||
<chart>
|
||||
<search>
|
||||
<query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=$org_name$ source_reverse_dns=$source_reverse_dns$ header_from=$header_from$ envelope_from=$envelope_from$ dkim_results{}.selector=$dkim_selector$ dkim_results{}.domain=$dkim_domain$ disposition=$disposition$ source_ip_address=$source_ip_address$ source_country=$source_country$ | chart sum(message_count) by dkim_aligned</query>
|
||||
<query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=$org_name$ source_reverse_dns=$source_reverse_dns$ header_from=$header_from$ envelope_from=$envelope_from$ disposition=$disposition$ source_ip_address=$source_ip_address$ source_country=$source_country$ | chart sum(message_count) by dkim_aligned</query>
|
||||
<earliest>$time_range.earliest$</earliest>
|
||||
<latest>$time_range.latest$</latest>
|
||||
</search>
|
||||
@@ -101,7 +93,7 @@
|
||||
<title>Passed DMARC</title>
|
||||
<chart>
|
||||
<search>
|
||||
<query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=$org_name$ source_reverse_dns=$source_reverse_dns$ header_from=$header_from$ envelope_from=$envelope_from$ dkim_results{}.selector=$dkim_selector$ dkim_results{}.domain=$dkim_domain$ disposition=$disposition$ source_ip_address=$source_ip_address$ source_country=$source_country$ | chart sum(message_count) by passed_dmarc</query>
|
||||
<query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=$org_name$ source_reverse_dns=$source_reverse_dns$ header_from=$header_from$ envelope_from=$envelope_from$ disposition=$disposition$ source_ip_address=$source_ip_address$ source_country=$source_country$ | chart sum(message_count) by passed_dmarc</query>
|
||||
<earliest>$time_range.earliest$</earliest>
|
||||
<latest>$time_range.latest$</latest>
|
||||
</search>
|
||||
@@ -115,7 +107,7 @@
|
||||
<title>Reporting organizations</title>
|
||||
<table>
|
||||
<search>
|
||||
<query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=$org_name$ source_reverse_dns=$source_reverse_dns$ header_from=$header_from$ envelope_from=$envelope_from$ dkim_results{}.selector=$dkim_selector$ dkim_results{}.domain=$dkim_domain$ disposition=$disposition$ source_ip_address=$source_ip_address$ source_country=$source_country$ | chart sum(message_count) by org_name | sort -sum(message_count)</query>
|
||||
<query>index="email" sourcetype="dmarc:aggregate" | chart sum(message_count) by org_name | sort -sum(message_count)</query>
|
||||
<earliest>$time_range.earliest$</earliest>
|
||||
<latest>$time_range.latest$</latest>
|
||||
</search>
|
||||
@@ -129,7 +121,7 @@
|
||||
<title>Message sources by reverse DNS</title>
|
||||
<table>
|
||||
<search>
|
||||
<query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=$org_name$ source_reverse_dns=$source_reverse_dns$ header_from=$header_from$ envelope_from=$envelope_from$ dkim_results{}.selector=$dkim_selector$ dkim_results{}.domain=$dkim_domain$ disposition=$disposition$ source_ip_address=$source_ip_address$ source_country=$source_country$ | fillnull value="none" | chart sum(message_count) by source_base_domain | sort -sum(message_count)</query>
|
||||
<query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=$org_name$ source_reverse_dns=$source_reverse_dns$ header_from=$header_from$ envelope_from=$envelope_from$ disposition=$disposition$ source_ip_address=$source_ip_address$ source_country=$source_country$ | fillnull value="none" | chart sum(message_count) by source_base_domain | sort -sum(message_count)</query>
|
||||
<earliest>$time_range.earliest$</earliest>
|
||||
<latest>$time_range.latest$</latest>
|
||||
</search>
|
||||
@@ -143,7 +135,7 @@
|
||||
<title>Message volume by header from</title>
|
||||
<table>
|
||||
<search>
|
||||
<query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=$org_name$ source_reverse_dns=$source_reverse_dns$ header_from=$header_from$ envelope_from=$envelope_from$ dkim_results{}.selector=$dkim_selector$ dkim_results{}.domain=$dkim_domain$ disposition=$disposition$ source_ip_address=$source_ip_address$ source_country=$source_country$ | chart sum(message_count) by header_from | sort -sum(message_count)</query>
|
||||
<query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=$org_name$ source_reverse_dns=$source_reverse_dns$ header_from=$header_from$ envelope_from=$envelope_from$ disposition=$disposition$ source_ip_address=$source_ip_address$ source_country=$source_country$ | chart sum(message_count) by header_from | sort -sum(message_count)</query>
|
||||
<earliest>$time_range.earliest$</earliest>
|
||||
<latest>$time_range.latest$</latest>
|
||||
</search>
|
||||
@@ -159,7 +151,7 @@
|
||||
<title>DMARC passage over time</title>
|
||||
<chart>
|
||||
<search>
|
||||
<query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=$org_name$ source_reverse_dns=$source_reverse_dns$ header_from=$header_from$ envelope_from=$envelope_from$ dkim_results{}.selector=$dkim_selector$ dkim_results{}.domain=$dkim_domain$ disposition=$disposition$ source_ip_address=$source_ip_address$ source_country=$source_country$ | chart sum(message_count) by _time,passed_dmarc</query>
|
||||
<query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=$org_name$ source_reverse_dns=$source_reverse_dns$ header_from=$header_from$ envelope_from=$envelope_from$ disposition=$disposition$ source_ip_address=$source_ip_address$ source_country=$source_country$ | chart sum(message_count) by _time,passed_dmarc</query>
|
||||
<earliest>-7d@h</earliest>
|
||||
<latest>now</latest>
|
||||
</search>
|
||||
@@ -180,7 +172,7 @@
|
||||
<title>Message disposition over time</title>
|
||||
<chart>
|
||||
<search>
|
||||
<query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=$org_name$ source_reverse_dns=$source_reverse_dns$ header_from=$header_from$ envelope_from=$envelope_from$ dkim_results{}.selector=$dkim_selector$ dkim_results{}.domain=$dkim_domain$ disposition=$disposition$ source_ip_address=$source_ip_address$ source_country=$source_country$ | chart sum(message_count) by _time,disposition</query>
|
||||
<query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=$org_name$ source_reverse_dns=$source_reverse_dns$ header_from=$header_from$ envelope_from=$envelope_from$ disposition=$disposition$ source_ip_address=$source_ip_address$ source_country=$source_country$ | chart sum(message_count) by _time,disposition</query>
|
||||
<earliest>$time_range.earliest$</earliest>
|
||||
<latest>$time_range.latest$</latest>
|
||||
</search>
|
||||
@@ -196,7 +188,7 @@
|
||||
<title>Message volume by source country</title>
|
||||
<map>
|
||||
<search>
|
||||
<query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=$org_name$ source_reverse_dns=$source_reverse_dns$ header_from=$header_from$ envelope_from=$envelope_from$ dkim_results{}.selector=$dkim_selector$ dkim_results{}.domain=$dkim_domain$ disposition=$disposition$ source_ip_address=$source_ip_address$ source_country=$source_country$ | iplocation source_ip_address | stats count by Country | geom geo_countries featureIdField="Country"</query>
|
||||
<query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=$org_name$ source_reverse_dns=$source_reverse_dns$ header_from=$header_from$ envelope_from=$envelope_from$ disposition=$disposition$ source_ip_address=$source_ip_address$ source_country=$source_country$ | iplocation source_ip_address | stats count by Country | geom geo_countries featureIdField="Country"</query>
|
||||
<earliest>$time_range.earliest$</earliest>
|
||||
<latest>$time_range.latest$</latest>
|
||||
</search>
|
||||
@@ -211,7 +203,7 @@
|
||||
<title>Source countries</title>
|
||||
<table>
|
||||
<search>
|
||||
<query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=$org_name$ source_reverse_dns=$source_reverse_dns$ header_from=$header_from$ envelope_from=$envelope_from$ dkim_results{}.selector=$dkim_selector$ dkim_results{}.domain=$dkim_domain$ disposition=$disposition$ source_ip_address=$source_ip_address$ source_country=$source_country$ | stats sum(message_count) by source_country | sort -sum(message_count)</query>
|
||||
<query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=$org_name$ source_reverse_dns=$source_reverse_dns$ header_from=$header_from$ envelope_from=$envelope_from$ disposition=$disposition$ source_ip_address=$source_ip_address$ source_country=$source_country$ | stats sum(message_count) by source_country | sort -sum(message_count)</query>
|
||||
<earliest>$time_range.earliest$</earliest>
|
||||
<latest>$time_range.latest$</latest>
|
||||
</search>
|
||||
@@ -229,7 +221,7 @@
|
||||
<title>Message sources by IP address</title>
|
||||
<table>
|
||||
<search>
|
||||
<query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=$org_name$ source_reverse_dns=$source_reverse_dns$ header_from=$header_from$ envelope_from=$envelope_from$ dkim_results{}.selector=$dkim_selector$ dkim_results{}.domain=$dkim_domain$ disposition=$disposition$ source_ip_address=$source_ip_address$ source_country=$source_country$ | stats sum(message_count) by source_ip_address,source_reverse_dns,source_base_domain,source_country | sort -sum(message_count)</query>
|
||||
<query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=$org_name$ source_reverse_dns=$source_reverse_dns$ header_from=$header_from$ envelope_from=$envelope_from$ disposition=$disposition$ source_ip_address=$source_ip_address$ source_country=$source_country$ | stats sum(message_count) by source_ip_address,source_reverse_dns,source_base_domain,source_country | sort -sum(message_count)</query>
|
||||
<earliest>$time_range.earliest$</earliest>
|
||||
<latest>$time_range.latest$</latest>
|
||||
</search>
|
||||
@@ -245,7 +237,7 @@
|
||||
<title>SPF alignment details</title>
|
||||
<table>
|
||||
<search>
|
||||
<query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=$org_name$ source_reverse_dns=$source_reverse_dns$ header_from=$header_from$ envelope_from=$envelope_from$ dkim_results{}.selector=$dkim_selector$ dkim_results{}.domain=$dkim_domain$ disposition=$disposition$ source_ip_address=$source_ip_address$ source_country=$source_country$ | fillnull value="none" | stats sum(message_count) by header_from,envelope_from,spf_results{}.result,spf_aligned,source_base_domain | sort -sum(message_count)</query>
|
||||
<query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=$org_name$ source_reverse_dns=$source_reverse_dns$ header_from=$header_from$ envelope_from=$envelope_from$ disposition=$disposition$ source_ip_address=$source_ip_address$ source_country=$source_country$ | fillnull value="none" | stats sum(message_count) by header_from,envelope_from,spf_results{}.result,spf_aligned,source_base_domain | sort -sum(message_count)</query>
|
||||
<earliest>$time_range.earliest$</earliest>
|
||||
<latest>$time_range.latest$</latest>
|
||||
</search>
|
||||
@@ -261,7 +253,7 @@
|
||||
<title>DKIM alignment details</title>
|
||||
<table>
|
||||
<search>
|
||||
<query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=$org_name$ source_reverse_dns=$source_reverse_dns$ header_from=$header_from$ envelope_from=$envelope_from$ dkim_results{}.selector=$dkim_selector$ dkim_results{}.domain=$dkim_domain$ disposition=$disposition$ source_ip_address=$source_ip_address$ source_country=$source_country$ | fillnull value="none" | stats sum(message_count) by header_from,dkim_results{}.selector,dkim_results{}.domain,dkim_results{}.result,dkim_aligned,source_base_domain | sort -sum(message_count)</query>
|
||||
<query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=$org_name$ source_reverse_dns=$source_reverse_dns$ header_from=$header_from$ envelope_from=$envelope_from$ disposition=$disposition$ source_ip_address=$source_ip_address$ source_country=$source_country$ | fillnull value="none" | stats sum(message_count) by header_from,dkim_results{}.selector,dkim_results{}.domain,dkim_results{}.result,dkim_aligned,source_base_domain | sort -sum(message_count)</query>
|
||||
<earliest>$time_range.earliest$</earliest>
|
||||
<latest>$time_range.latest$</latest>
|
||||
</search>
|
||||
|
||||
Reference in New Issue
Block a user