If you also use the SA-dmarc found on my Github, please note that if you use version 3.5.1 or higher of the TA-dmarc, you need to use version 3.6.1 or higher of the SA-dmarc app.
Splunk app for the processing and ingestion of DMARC RUA reports. The app can download email attachments from a mail server via POP3/POP3s/IMAP/IMAPs/o365, and you can choose the mailbox folder where the mails are stored. If no connection to the mail server is possible, you can manually place the attachments in a directory within the app and they will also be processed.
The app needs to be installed on a Splunk Heavy Forwarder or Search Head with access to the email environment.
The app contains a setup page for all configuration. Setup options:
The app contains a couple of scripts to download and process the DMARC RUA reports; in addition, the Splunk Python SDK is also present to connect to the Splunk instance.
This is the main script. It calls the other 2 scripts to download the reports from the mail server and to convert the XML. After processing, the mail is deleted from the mailbox and the attachments and XML files are deleted from the Splunk server. The script has 4 stages:
Script to download attachments from a mailbox and store them locally on disk. The script is made to download DMARC RUA reports, so it specifically looks for mails with a subject that contains "Report Domain". The script can handle POP3, POP3 SSL, IMAP and IMAP SSL. It connects to the mail server, searches for emails with a subject that contains "Report Domain", and downloads the attachment if it is a .gz, .zip or .gzip file. After the mail has been processed, it is deleted from the mailbox.
Almost the same as mail-client.py, but for downloading mails from Microsoft o365.
Script to process the XML files that were in the attachment. The script outputs the content as either key=value or JSON, and it can also do DNS lookups for the source IPs in the RUA reports. The benefit of doing the DNS lookups is that you have the PTR of the source IP at the time the report arrived, which is also roughly the time the mail was sent (give or take a couple of hours). Another benefit is that this makes the dashboards of the SA-dmarc faster, because you don't have to resolve the PTRs at dashboard load time.
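As an added illustration of what that XML processing step produces (example code written for this note, not one of the app's own scripts), the parser below flattens a constructed aggregate report into one event per record and emits it as key=value or JSON; the PTR lookup is optional so the example runs offline, and a missing PTR never fails the parse.

```python
import json
import socket
import xml.etree.ElementTree as ET

# Constructed sample RUA report, trimmed to the elements the parser reads (not a real report).
SAMPLE_RUA_XML = """<feedback>
  <report_metadata><org_name>example.net</org_name><report_id>12345</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>reject</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>3</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row><identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>12</count>
    <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row><identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""

def _text(node, path, default=""):
    found = node.find(path)
    return found.text.strip() if found is not None and found.text else default

def parse_rua(xml_text, resolve_ptr=False):
    """Flatten every <record> into a dict carrying the report metadata plus the row
    fields; resolve_ptr adds the PTR as seen when the report is processed."""
    root = ET.fromstring(xml_text)
    meta = {"org_name": _text(root, "report_metadata/org_name"),
            "report_id": _text(root, "report_metadata/report_id"),
            "policy_domain": _text(root, "policy_published/domain"),
            "policy_p": _text(root, "policy_published/p")}
    events = []
    for rec in root.findall("record"):
        ev = dict(meta, source_ip=_text(rec, "row/source_ip"),
                  count=int(_text(rec, "row/count", "0")),
                  disposition=_text(rec, "row/policy_evaluated/disposition"),
                  dkim=_text(rec, "row/policy_evaluated/dkim"),
                  spf=_text(rec, "row/policy_evaluated/spf"),
                  header_from=_text(rec, "identifiers/header_from"))
        if resolve_ptr:
            try:  # many legitimate senders have no PTR, so record it rather than fail
                ev["source_ptr"] = socket.gethostbyaddr(ev["source_ip"])[0]
            except OSError:  # socket.herror / socket.gaierror are OSError subclasses
                ev["source_ptr"] = "unknown"
        events.append(ev)
    return events

def to_kv(event):
    # Splunk-style key=value line; values are quoted so spaces and '=' survive.
    return " ".join('%s="%s"' % (k, str(v).replace('"', '\\"')) for k, v in event.items())

def to_json(event):
    return json.dumps(event, sort_keys=True)
```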
Script to handle the setup page.
All the custom Python scripts have extensive commentary and explanation about what is done, so if you want to know more about what they do and why, have a look at the scripts themselves.
All the above scripts can log (extensively); you can control the log level via the setup page or directly in the ta-dmarc.conf file. All logs (except for the setup log) are written to the logs/dmarc_splunk directory.