From 141c9741db23c86e3f4b22dafeef7fcb3276eb5d Mon Sep 17 00:00:00 2001
From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
Date: Sat, 21 Dec 2024 23:46:59 -0600
Subject: [PATCH 1/8] Create org_inbound_spf_pass.yml
---
 insights/authentication/org_inbound_spf_pass.yml | 9 +++++++++
 1 file changed, 9 insertions(+)
 create mode 100644 insights/authentication/org_inbound_spf_pass.yml
diff --git a/insights/authentication/org_inbound_spf_pass.yml b/insights/authentication/org_inbound_spf_pass.yml
new file mode 100644
index 00000000000..52ab36dc503
--- /dev/null
+++ b/insights/authentication/org_inbound_spf_pass.yml
@@ -0,0 +1,9 @@
+name: "Inbound Org Domain with SPF Pass"
+type: "query"
+source: |
+ type.inbound
+ and sender.email.domain.domain in $org_domains
+ and headers.auth_summary.spf.pass
+severity: "informational"
+tags:
+ - "Sender authentication"
From 8f698f707c0c7f0896224e62ed427bd481801a45 Mon Sep 17 00:00:00 2001
From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
Date: Sat, 21 Dec 2024 23:51:36 -0600
Subject: [PATCH 2/8] Create org_inbound_dmarc_pass.yml
---
 insights/authentication/org_inbound_dmarc_pass.yml | 9 +++++++++
 1 file changed, 9 insertions(+)
 create mode 100644 insights/authentication/org_inbound_dmarc_pass.yml
diff --git a/insights/authentication/org_inbound_dmarc_pass.yml b/insights/authentication/org_inbound_dmarc_pass.yml
new file mode 100644
index 00000000000..b2668b37cfc
--- /dev/null
+++ b/insights/authentication/org_inbound_dmarc_pass.yml
@@ -0,0 +1,9 @@
+name: "Inbound Org Domain with DMARC Pass"
+type: "query"
+source: |
+ type.inbound
+ and sender.email.domain.domain in $org_domains
+ and headers.auth_summary.dmarc.pass
+severity: "informational"
+tags:
+ - "Sender authentication"
From 56a9bd74f5b6aa7ad181917039ad5179957ff889 Mon Sep 17 00:00:00 2001
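Review bot: The SPF clause does not establish that the org domain is what passed SPF: SPF is evaluated on the envelope sender (the Return-Path / MAIL FROM domain), while `sender.email.domain.domain` is the header From domain, so a message whose From is an org domain but whose return-path belongs to an unrelated domain that passes SPF also matches — the shape a From-domain spoof takes. Assuming `headers.auth_summary.spf.pass` is the receiving MTA's raw SPF verdict, the name "Inbound Org Domain with SPF Pass" overstates what is checked. Either add an alignment requirement (the DMARC clause used in the sibling insight supplies one) or document the gap with a comment above `source:`, e.g. `# SPF pass is evaluated on the envelope sender; alignment with the From domain checked above is not verified here`. The same caveat applies to the SPF clause retained in org_inbound_auth_pass.yml (patch 5), where the DMARC clause mitigates it.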
From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
Date: Sun, 22 Dec 2024 00:29:17 -0600
Subject: [PATCH 3/8] Create org_inbound_dkim_pass.yml
---
 insights/authentication/org_inbound_dkim_pass.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 insights/authentication/org_inbound_dkim_pass.yml
diff --git a/insights/authentication/org_inbound_dkim_pass.yml b/insights/authentication/org_inbound_dkim_pass.yml
new file mode 100644
index 00000000000..d487b983952
--- /dev/null
+++ b/insights/authentication/org_inbound_dkim_pass.yml
@@ -0,0 +1,10 @@
+name: "Inbound Org Domain with DKIM Pass"
+type: "query"
+source: |
+ type.inbound
+ and sender.email.domain.domain in $org_domains
+ and headers.auth_summary.spf.pass
+ and not 'fail' in~ distinct(map(headers.hops, .authentication_results.dkim))
+severity: "informational"
+tags:
+ - "Sender authentication"
From 28125770536328bf6569f2985165341f00428b25 Mon Sep 17 00:00:00 2001
From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
Date: Sun, 22 Dec 2024 00:30:16 -0600
Subject: [PATCH 4/8] Update org_inbound_dkim_pass.yml
---
 insights/authentication/org_inbound_dkim_pass.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/insights/authentication/org_inbound_dkim_pass.yml b/insights/authentication/org_inbound_dkim_pass.yml
index d487b983952..25fc0e4517e 100644
--- a/insights/authentication/org_inbound_dkim_pass.yml
+++ b/insights/authentication/org_inbound_dkim_pass.yml
@@ -3,7 +3,6 @@ type: "query"
 source: |
 type.inbound
 and sender.email.domain.domain in $org_domains
- and headers.auth_summary.spf.pass
 and not 'fail' in~ distinct(map(headers.hops, .authentication_results.dkim))
 severity: "informational"
 tags:
From c0bf88a45767857a6ac6f30d7f9f8d6394413ad0 Mon Sep 17 00:00:00 2001
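Review bot: The DKIM clause `not 'fail' in~ distinct(map(headers.hops, .authentication_results.dkim))` is a negative match, so a message with no DKIM signature at all (hop results such as `none` or `neutral` as defined for Authentication-Results, or an empty list) satisfies it, and the name "Inbound Org Domain with DKIM Pass" overstates what is checked. If a positive pass is intended, require it explicitly, e.g. `and 'pass' in~ distinct(map(headers.hops, .authentication_results.dkim))`, optionally keeping the `not 'fail'` term to exclude mixed verdicts across hops. Note also that a DKIM pass by itself does not show the signing domain is the org domain; unless alignment is checked elsewhere, a comment above `source:` should say so. The same clause is reused in org_inbound_auth_pass.yml (patch 5).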
From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
Date: Sun, 22 Dec 2024 00:31:26 -0600
Subject: [PATCH 5/8] Create org_inbound_auth_pass.yml
---
 insights/authentication/org_inbound_auth_pass.yml | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 insights/authentication/org_inbound_auth_pass.yml
diff --git a/insights/authentication/org_inbound_auth_pass.yml b/insights/authentication/org_inbound_auth_pass.yml
new file mode 100644
index 00000000000..f061a222151
--- /dev/null
+++ b/insights/authentication/org_inbound_auth_pass.yml
@@ -0,0 +1,11 @@
+name: "Authenticated Inbound Message from Org Domain"
+type: "query"
+source: |
+ type.inbound
+ and sender.email.domain.domain in $org_domains
+ and headers.auth_summary.spf.pass
+ and headers.auth_summary.dmarc.pass
+ and not 'fail' in~ distinct(map(headers.hops, .authentication_results.dkim))
+severity: "informational"
+tags:
+ - "Sender authentication"
From 667491704fc0a94607643a0389198301a545f396 Mon Sep 17 00:00:00 2001
From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
Date: Thu, 26 Dec 2024 08:44:00 -0600
Subject: [PATCH 6/8] Delete insights/authentication/org_inbound_dkim_pass.yml
---
 insights/authentication/org_inbound_dkim_pass.yml | 9 ---------
 1 file changed, 9 deletions(-)
 delete mode 100644 insights/authentication/org_inbound_dkim_pass.yml
diff --git a/insights/authentication/org_inbound_dkim_pass.yml b/insights/authentication/org_inbound_dkim_pass.yml
deleted file mode 100644
index 25fc0e4517e..00000000000
--- a/insights/authentication/org_inbound_dkim_pass.yml
+++ /dev/null
@@ -1,9 +0,0 @@
-name: "Inbound Org Domain with DKIM Pass"
-type: "query"
-source: |
- type.inbound
- and sender.email.domain.domain in $org_domains
- and not 'fail' in~ distinct(map(headers.hops, .authentication_results.dkim))
-severity: "informational"
-tags:
- - "Sender authentication"
From e6a53b9d3742426a3a2b834586fe24045cedfa59 Mon Sep 17 00:00:00 2001
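Review bot: The file does not document what "Authenticated" means here, and the three clauses are not equivalent: `headers.auth_summary.dmarc.pass` is the only term that ties a passing mechanism to the From domain compared against `$org_domains`, `headers.auth_summary.spf.pass` is an envelope-sender verdict, and the DKIM term only excludes an explicit fail. Since patches 6–8 remove the per-mechanism insights, this is the file that survives and the one worth documenting. Suggested comment above `source:`: `# Inbound mail from an org domain where SPF and DMARC pass and no hop reports a DKIM fail; DMARC supplies the From-domain alignment, the SPF and DKIM terms do not`. If the insight schema accepts a `description` field, that is the better place for the same text.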
From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
Date: Thu, 26 Dec 2024 08:44:16 -0600
Subject: [PATCH 7/8] Delete insights/authentication/org_inbound_dmarc_pass.yml
---
 insights/authentication/org_inbound_dmarc_pass.yml | 9 ---------
 1 file changed, 9 deletions(-)
 delete mode 100644 insights/authentication/org_inbound_dmarc_pass.yml
diff --git a/insights/authentication/org_inbound_dmarc_pass.yml b/insights/authentication/org_inbound_dmarc_pass.yml
deleted file mode 100644
index b2668b37cfc..00000000000
--- a/insights/authentication/org_inbound_dmarc_pass.yml
+++ /dev/null
@@ -1,9 +0,0 @@
-name: "Inbound Org Domain with DMARC Pass"
-type: "query"
-source: |
- type.inbound
- and sender.email.domain.domain in $org_domains
- and headers.auth_summary.dmarc.pass
-severity: "informational"
-tags:
- - "Sender authentication"
From d4454561cefadb22b20c5d51f124c9cdd2ea3a89 Mon Sep 17 00:00:00 2001
From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
Date: Thu, 26 Dec 2024 08:44:27 -0600
Subject: [PATCH 8/8] Delete insights/authentication/org_inbound_spf_pass.yml
---
 insights/authentication/org_inbound_spf_pass.yml | 9 ---------
 1 file changed, 9 deletions(-)
 delete mode 100644 insights/authentication/org_inbound_spf_pass.yml
diff --git a/insights/authentication/org_inbound_spf_pass.yml b/insights/authentication/org_inbound_spf_pass.yml
deleted file mode 100644
index 52ab36dc503..00000000000
--- a/insights/authentication/org_inbound_spf_pass.yml
+++ /dev/null
@@ -1,9 +0,0 @@
-name: "Inbound Org Domain with SPF Pass"
-type: "query"
-source: |
- type.inbound
- and sender.email.domain.domain in $org_domains
- and headers.auth_summary.spf.pass
-severity: "informational"
-tags:
- - "Sender authentication"