amorfo77/parsedmarc
1
0
Fork 0
mirror of https://github.com/domainaware/parsedmarc.git synced 2026-03-29 18:02:45 +00:00
Code Issues Projects Releases Wiki Activity
Files
23f2cb99c32123a78d61a005de2ea3b59e97fc9a
parsedmarc/splunk/dmarc_failure_dashboard.xml
copilot-swe-agent[bot] a625115cbf Rename "forensic" to "failure" in docs and dashboard configs 
Update documentation files (output.md, usage.md, kibana.md, splunk.md,
elasticsearch.md, index.md, example.ini) and dashboard configurations
(Grafana JSON, Kibana ndjson, Splunk XML) to use "failure" terminology
instead of "forensic", consistent with the codebase rename.

- CLI args: --forensic-* → --failure-*
- Config keys: save_forensic → save_failure, forensic_topic → failure_topic, etc.
- Index names: dmarc_forensic → dmarc_failure
- Splunk dashboard: renamed file from dmarc_forensic_dashboard.xml to dmarc_failure_dashboard.xml
- Backward-compat note preserved: "formerly known as forensic reports"

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-03-21 17:05:31 -04:00

100 lines
3.6 KiB
XML
Raw Blame History

<form theme="dark" version="1.1">
<label>Failure DMARC Data</label>
<search id="base_search">
<query>
index="email" sourcetype="dmarc:failure" parsed_sample.headers.From=$header_from$ parsed_sample.headers.To=$header_to$ parsed_sample.headers.Subject=$header_subject$ source.ip_address=$source_ip_address$ source.reverse_dns=$source_reverse_dns$ source.country=$source_country$
| table *
</query>
<earliest>$time_range.earliest$</earliest>
<latest>$time_range.latest$</latest>
</search>
<fieldset submitButton="false" autoRun="true">
<input type="text" token="header_from" searchWhenChanged="true">
<label>Message header from</label>
<default>*</default>
</input>
<input type="text" token="header_to" searchWhenChanged="true">
<label>Message header to</label>
<default>*</default>
</input>
<input type="text" token="header_subject" searchWhenChanged="true">
<label>Message header subject</label>
<default>*</default>
</input>
<input type="text" token="source_ip_address" searchWhenChanged="true">
<label>Source IP address</label>
<default>*</default>
</input>
<input type="text" token="source_reverse_dns" searchWhenChanged="true">
<label>Source reverse DNS</label>
<default>*</default>
</input>
<input type="text" token="source_country" searchWhenChanged="true">
<label>Source country ISO code</label>
<default>*</default>
</input>
<input type="time" token="time_range" searchWhenChanged="true">
<label>Time range</label>
<default>
<earliest>-90d@d</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<title>Failure samples</title>
<table>
<search base="base_search">
<query>| table arrival_date_utc authentication_results parsed_sample.headers.From,parsed_sample.headers.To,parsed_sample.headers.Subject | sort -arrival_date_utc</query>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
<option name="totalsRow">false</option>
<format type="number" field="count">
<option name="precision">0</option>
</format>
</table>
</panel>
</row>
<row>
<panel>
<title>Failure samples by country</title>
<map>
<search base="base_search">
<query>| iplocation source.ip_address| stats count by Country | geom geo_countries featureIdField="Country"</query>
</search>
<option name="drilldown">none</option>
<option name="height">519</option>
<option name="mapping.type">choropleth</option>
</map>
</panel>
</row>
<row>
<panel>
<title>Failure samples by IP address</title>
<table>
<search base="base_search">
<query>| iplocation source.ip_address | stats count by source.ip_address,source.reverse_dns | sort -count</query>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
<format type="number" field="count">
<option name="precision">0</option>
</format>
</table>
</panel>
<panel>
<title>Failure samples by country ISO code</title>
<table>
<search base="base_search">
<query>| stats count by source.country | sort - count</query>
</search>
<option name="drilldown">none</option>
<format type="number" field="count">
<option name="precision">0</option>
</format>
</table>
</panel>
</row>
</form>
Reference in New Issue View Git Blame Copy Permalink