amorfo77/parsedmarc
1
0
Fork 0
mirror of https://github.com/domainaware/parsedmarc.git synced 2026-02-17 07:03:58 +00:00
Code Issues Projects Releases Wiki Activity

Add Splunk dashboard source XML

Browse Source
This commit is contained in:
Sean Whalen
2018-09-27 23:49:32 -04:00
parent 18255103ed
commit db2625fff9
3 changed files with 370 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

272
splunk/dmarc_aggregate_dashboard.xml Normal file
View File

@@ -0,0 +1,272 @@
<form>
<label>Aggregate DMARC data</label>
<description>A summary of aggregate DMARC report data</description>
<fieldset submitButton="false" autoRun="true">
<input type="dropdown" token="spf_aligned" searchWhenChanged="true">
<label>SPF alignment</label>
<choice value="*">any</choice>
<choice value="true">true</choice>
<choice value="false">false</choice>
<default>*</default>
</input>
<input type="dropdown" token="dkim_aligned" searchWhenChanged="true">
<label>DKIM alignment</label>
<choice value="*">any</choice>
<choice value="true">true</choice>
<choice value="false">false</choice>
<default>*</default>
</input>
<input type="dropdown" token="passed_dmarc" searchWhenChanged="true">
<label>Passed DMARC</label>
<choice value="*">any</choice>
<choice value="true">true</choice>
<choice value="false">false</choice>
<default>*</default>
</input>
<input type="text" token="org_name" searchWhenChanged="true">
<label>Reporting organization</label>
<default>*</default>
</input>
<input type="text" token="source_reverse_dns" searchWhenChanged="true">
<label>Source reverse DNS</label>
<default>*</default>
</input>
<input type="text" token="header_from" searchWhenChanged="true">
<label>Message header from</label>
<default>*</default>
</input>
<input type="text" token="envelope_from" searchWhenChanged="true">
<label>Envelope from</label>
<default>*</default>
</input>
<input type="text" token="dkim_selector" searchWhenChanged="true">
<label>DKIM selector</label>
<default>*</default>
</input>
<input type="text" token="dkim_domain" searchWhenChanged="true">
<label>DKIM domain</label>
<default>*</default>
</input>
<input type="dropdown" token="disposition" searchWhenChanged="true">
<label>Message disposition</label>
<choice value="*">any</choice>
<choice value="none">none</choice>
<choice value="quarantine">quarantine</choice>
<choice value="reject">reject</choice>
<default>*</default>
</input>
<input type="text" token="source_ip_address" searchWhenChanged="true">
<label>Source IP address</label>
<default>*</default>
</input>
<input type="text" token="source_country" searchWhenChanged="true">
<label>Source country ISO code</label>
<default>*</default>
</input>
<input type="time" token="time_range" searchWhenChanged="true">
<label>Time range</label>
<default>
<earliest>-7d@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<title>SPF alignment</title>
<chart>
<search>
<query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=*$org_name$* source_reverse_dns=*$source_reverse_dns$* header_from=*$header_from$* envelope_from=*$envelope_from$* dkim_results{}.selector=*$dkim_selector$* dkim_results{}.domain=*$dkim_domain$* disposition=$disposition$ source_ip_address=*$source_ip_address$* source_country=$source_country$ | chart sum(message_count) by spf_aligned</query>
<earliest>$time_range.earliest$</earliest>
<latest>$time_range.latest$</latest>
</search>
<option name="charting.chart">pie</option>
<option name="charting.drilldown">none</option>
</chart>
</panel>
<panel>
<title>DKIM alignment</title>
<chart>
<search>
<query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=*$org_name$* source_reverse_dns=*$source_reverse_dns$* header_from=*$header_from$* envelope_from=*$envelope_from$* dkim_results{}.selector=*$dkim_selector$* dkim_results{}.domain=*$dkim_domain$* disposition=$disposition$ source_ip_address=*$source_ip_address$* source_country=$source_country$ | chart sum(message_count) by dkim_aligned</query>
<earliest>$time_range.earliest$</earliest>
<latest>$time_range.latest$</latest>
</search>
<option name="charting.chart">pie</option>
<option name="charting.drilldown">none</option>
<option name="height">250</option>
</chart>
</panel>
<panel>
<title>Passed DMARC</title>
<chart>
<search>
<query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=*$org_name$* source_reverse_dns=*$source_reverse_dns$* header_from=*$header_from$* envelope_from=*$envelope_from$* dkim_results{}.selector=*$dkim_selector$* dkim_results{}.domain=*$dkim_domain$* disposition=$disposition$ source_ip_address=*$source_ip_address$* source_country=$source_country$ | chart sum(message_count) by passed_dmarc</query>
<earliest>$time_range.earliest$</earliest>
<latest>$time_range.latest$</latest>
</search>
<option name="charting.chart">pie</option>
<option name="charting.drilldown">none</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>Reporting organizations</title>
<table>
<search>
<query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=*$org_name$* source_reverse_dns=*$source_reverse_dns$* header_from=*$header_from$* envelope_from=*$envelope_from$* dkim_results{}.selector=*$dkim_selector$* dkim_results{}.domain=*$dkim_domain$* disposition=$disposition$ source_ip_address=*$source_ip_address$* source_country=$source_country$ | chart sum(message_count) by org_name | sort -sum(message_count)</query>
<earliest>$time_range.earliest$</earliest>
<latest>$time_range.latest$</latest>
</search>
<option name="drilldown">none</option>
<format type="number" field="sum(message_count)">
<option name="precision">0</option>
</format>
</table>
</panel>
<panel>
<title>Message sources by reverse DNS</title>
<table>
<search>
<query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=*$org_name$* source_reverse_dns=*$source_reverse_dns$* header_from=*$header_from$* envelope_from=*$envelope_from$* dkim_results{}.selector=*$dkim_selector$* dkim_results{}.domain=*$dkim_domain$* disposition=$disposition$ source_ip_address=*$source_ip_address$* source_country=$source_country$ | fillnull value="none" | chart sum(message_count) by source_base_domain | sort -sum(message_count)</query>
<earliest>$time_range.earliest$</earliest>
<latest>$time_range.latest$</latest>
</search>
<option name="drilldown">none</option>
<format type="number" field="sum(message_count)">
<option name="precision">0</option>
</format>
</table>
</panel>
<panel>
<title>Message volume by header from</title>
<table>
<search>
<query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=*$org_name$* source_reverse_dns=*$source_reverse_dns$* header_from=*$header_from$* envelope_from=*$envelope_from$* dkim_results{}.selector=*$dkim_selector$* dkim_results{}.domain=*$dkim_domain$* disposition=$disposition$ source_ip_address=*$source_ip_address$* source_country=$source_country$ | chart sum(message_count) by header_from | sort -sum(message_count)</query>
<earliest>$time_range.earliest$</earliest>
<latest>$time_range.latest$</latest>
</search>
<option name="drilldown">none</option>
<format type="number" field="sum(message_count)">
<option name="precision">0</option>
</format>
</table>
</panel>
</row>
<row>
<panel>
<title>DMARC passage over time</title>
<chart>
<search>
<query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=*$org_name$* source_reverse_dns=*$source_reverse_dns$* header_from=*$header_from$* envelope_from=*$envelope_from$* dkim_results{}.selector=*$dkim_selector$* dkim_results{}.domain=*$dkim_domain$* disposition=$disposition$ source_ip_address=*$source_ip_address$* source_country=$source_country$ | chart sum(message_count) by _time,passed_dmarc</query>
<earliest>-7d@h</earliest>
<latest>now</latest>
</search>
<option name="charting.axisTitleX.text">Time</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.text">Messages</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.chart">line</option>
<option name="charting.drilldown">none</option>
<option name="charting.legend.placement">right</option>
<option name="height">280</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>Message disposition over time</title>
<chart>
<search>
<query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=*$org_name$* source_reverse_dns=*$source_reverse_dns$* header_from=*$header_from$* envelope_from=*$envelope_from$* dkim_results{}.selector=*$dkim_selector$* dkim_results{}.domain=*$dkim_domain$* disposition=$disposition$ source_ip_address=*$source_ip_address$* source_country=$source_country$ | chart sum(message_count) by _time,disposition</query>
<earliest>$time_range.earliest$</earliest>
<latest>$time_range.latest$</latest>
</search>
<option name="charting.axisTitleX.text">Time</option>
<option name="charting.axisTitleY.text">Messages</option>
<option name="charting.chart">line</option>
<option name="charting.drilldown">none</option>
</chart>
</panel>
</row>
<row>
<panel>
<title>Message volume by source country</title>
<map>
<search>
<query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=*$org_name$* source_reverse_dns=*$source_reverse_dns$* header_from=*$header_from$* envelope_from=*$envelope_from$* dkim_results{}.selector=*$dkim_selector$* dkim_results{}.domain=*$dkim_domain$* disposition=$disposition$ source_ip_address=*$source_ip_address$* source_country=$source_country$ | iplocation source_ip_address | stats count by Country | geom geo_countries featureIdField="Country"</query>
<earliest>$time_range.earliest$</earliest>
<latest>$time_range.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="height">566</option>
<option name="mapping.type">choropleth</option>
</map>
</panel>
</row>
<row>
<panel>
<title>Source countries</title>
<table>
<search>
<query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=*$org_name$* source_reverse_dns=*$source_reverse_dns$* header_from=*$header_from$* envelope_from=*$envelope_from$* dkim_results{}.selector=*$dkim_selector$* dkim_results{}.domain=*$dkim_domain$* disposition=$disposition$ source_ip_address=*$source_ip_address$* source_country=$source_country$ | stats sum(message_count) by source_country | sort -sum(message_count)</query>
<earliest>$time_range.earliest$</earliest>
<latest>$time_range.latest$</latest>
</search>
<option name="count">20</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<format type="number" field="sum(message_count)">
<option name="precision">0</option>
</format>
</table>
</panel>
</row>
<row>
<panel>
<title>Message sources by IP address</title>
<table>
<search>
<query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=*$org_name$* source_reverse_dns=*$source_reverse_dns$* header_from=*$header_from$* envelope_from=*$envelope_from$* dkim_results{}.selector=*$dkim_selector$* dkim_results{}.domain=*$dkim_domain$* disposition=$disposition$ source_ip_address=*$source_ip_address$* source_country=$source_country$ | stats sum(message_count) by source_ip_address,source_reverse_dns,source_base_domain,source_country | sort -sum(message_count)</query>
<earliest>$time_range.earliest$</earliest>
<latest>$time_range.latest$</latest>
</search>
<option name="drilldown">none</option>
<format type="number" field="sum(message_count)">
<option name="precision">0</option>
</format>
</table>
</panel>
</row>
<row>
<panel>
<title>SPF alignment details</title>
<table>
<search>
<query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=*$org_name$* source_reverse_dns=*$source_reverse_dns$* header_from=*$header_from$* envelope_from=*$envelope_from$* dkim_results{}.selector=*$dkim_selector$* dkim_results{}.domain=*$dkim_domain$* disposition=$disposition$ source_ip_address=*$source_ip_address$* source_country=$source_country$ | fillnull value="none" | stats sum(message_count) by header_from,envelope_from,spf_results{}.result,spf_aligned,source_base_domain | sort -sum(message_count)</query>
<earliest>$time_range.earliest$</earliest>
<latest>$time_range.latest$</latest>
</search>
<option name="drilldown">none</option>
<format type="number" field="sum(message_count)">
<option name="precision">0</option>
</format>
</table>
</panel>
</row>
<row>
<panel>
<title>DKIM alignment details</title>
<table>
<search>
<query>index="email" sourcetype="dmarc:aggregate" spf_aligned=$spf_aligned$ dkim_aligned=$dkim_aligned$ passed_dmarc=$passed_dmarc$ org_name=*$org_name$* source_reverse_dns=*$source_reverse_dns$* header_from=*$header_from$* envelope_from=*$envelope_from$* dkim_results{}.selector=*$dkim_selector$* dkim_results{}.domain=*$dkim_domain$* disposition=$disposition$ source_ip_address=*$source_ip_address$* source_country=$source_country$ | fillnull value="none" | stats sum(message_count) by header_from,dkim_results{}.selector,dkim_results{}.domain,dkim_results{}.result,dkim_aligned,source_base_domain | sort -sum(message_count)</query>
<earliest>$time_range.earliest$</earliest>
<latest>$time_range.latest$</latest>
</search>
<option name="drilldown">none</option>
</table>
</panel>
</row>
</form>

98
splunk/dmarc_forensic_dashboard.xml Normal file
View File

@@ -0,0 +1,98 @@
<form>
<label>Forensic DMARC Data</label>
<fieldset submitButton="false" autoRun="true">
<input type="text" token="header_from" searchWhenChanged="true">
<label>Message header from</label>
<default>*</default>
</input>
<input type="text" token="header_to" searchWhenChanged="true">
<label>Message header to</label>
<default>*</default>
</input>
<input type="text" token="header_subject" searchWhenChanged="true">
<label>Message header subject</label>
<default>*</default>
</input>
<input type="text" token="source_ip_address" searchWhenChanged="true">
<label>Source IP address</label>
<default>*</default>
</input>
<input type="text" token="source_reverse_dns" searchWhenChanged="true">
<label>Source reverse DNS</label>
<default>*</default>
</input>
<input type="text" token="source_country" searchWhenChanged="true">
<label>Source country ISO code</label>
<default>*</default>
</input>
<input type="time" token="time_range" searchWhenChanged="true">
<label>Time range</label>
<default>
<earliest>-90d@d</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<title>Forensic samples</title>
<table>
<search>
<query>index="email" sourcetype="dmarc:forensic" parsed_sample.headers.From=*$header_from$* parsed_sample.headers.To=*$header_to$* parsed_sample.headers.Subject=*$header_subject$* source.ip_address=*$source_ip_address$* source.reverse_dns=*$source_reverse_dns$* source.country=$source_country$ | fillnull value="none" | stats count by _time,parsed_sample.headers.From,parsed_sample.headers.To,parsed_sample.headers.Reply-To,parsed_sample.headers.Subject | sort -_time</query>
<earliest>$time_range.earliest$</earliest>
<latest>$time_range.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="totalsRow">false</option>
<format type="number" field="count">
<option name="precision">0</option>
</format>
</table>
</panel>
</row>
<row>
<panel>
<title>Forensic samples by country</title>
<map>
<search>
<query>index="email" sourcetype="dmarc:forensic" parsed_sample.headers.From=*$header_from$* parsed_sample.headers.To=*$header_to$* parsed_sample.headers.Subject=*$header_subject$* source.ip_address=*$source_ip_address$* source.reverse_dns=*$source_reverse_dns$* source.country=$source_country$ | iplocation source.ip_address | stats count by Country | geom geo_countries featureIdField="Country"</query>
<earliest>$time_range.earliest$</earliest>
<latest>$time_range.latest$</latest>
</search>
<option name="drilldown">none</option>
<option name="height">519</option>
<option name="mapping.type">choropleth</option>
</map>
</panel>
</row>
<row>
<panel>
<title>Forensic samples by IP address</title>
<table>
<search>
<query>index="email" sourcetype="dmarc:forensic" sourcetype="dmarc:forensic" parsed_sample.headers.From=*$header_from$* parsed_sample.headers.To=*$header_to$* parsed_sample.headers.Subject=*$header_subject$* source.ip_address=*$source_ip_address$* source.reverse_dns=*$source_reverse_dns$* source.country=$source_country$ | fillnull value="none" | iplocation source.ip_address | stats count by source.ip_address,source.reverse_dns,Country | sort -count</query>
<earliest>$time_range.earliest$</earliest>
<latest>$time_range.latest$</latest>
</search>
<option name="drilldown">none</option>
<format type="number" field="count">
<option name="precision">0</option>
</format>
</table>
</panel>
<panel>
<title>Forensic samples by country ISO code</title>
<table>
<search>
<query>index="email" sourcetype="dmarc:forensic" parsed_sample.headers.From=*$header_from$* parsed_sample.headers.To=*$header_to$* parsed_sample.headers.Subject=*$header_subject$* source.ip_address=*$source_ip_address$* source.reverse_dns=*$source_reverse_dns$* source.country=$source_country$ | stats count by source.country | sort - count</query>
<earliest>$time_range.earliest$</earliest>
<latest>$time_range.latest$</latest>
</search>
<option name="drilldown">none</option>
<format type="number" field="count">
<option name="precision">0</option>
</format>
</table>
</panel>
</row>
</form>