cisagov / trustymail

Scan domains and return data based on trustworthy email best practices
Creative Commons Zero v1.0 Universal

ASN Related Enrichment Suggestions for Trustworthy Email Reports using WhoIs #147

Open brian-chesney-usps opened 7 months ago

brian-chesney-usps commented 7 months ago

Some suggestions for enrichment of the ASN information in the Trustworthy Email Reports dmarc_failures.csv using WhoIs lookups

We would like to see additional data added that would enrich the usage of the ASN information and reduce manual enrichment and analysis efforts by SOC personnel.

Motivation and context

The ASN information is valuable but requires additional manual work to make it more useful.

This would be useful because the ASN information is extremely helpful in aggregating the network information, identifying the owner of the source for DMARC failures, and developing historical trends. This additional information helps us pursue DMARC failures that are indicative of campaign activity.

Implementation notes

We would like to see the following.

  1. Error checking for the ASN value that would identify and adjust when the ASN lookup in the BGP routing tables has empty return values. This has happened to us because a Microsoft-owned network ASN was not propagated in BGP routing tables. When a blank ASN value is detected, we suggest an additional check using a tool like WhoIs to identify the applicable ASN for the source IP address.

  2. Enrich the report using other information from WhoIs. This would help reduce manual enrichment by applying columns for organization owner names and country of origin for the ASNs. This information helps us identify when entities of interest are triggering DMARC failures. Our security teams are very interested in DMARC failures that are sourced from atypical entities like foreign countries. While they are failures, they also represent a higher likelihood of malicious email campaigns that could provide valuable OPSEC information.

Acceptance criteria

How do we know when this work is done? When we see additional columns added to the dmarc_failures.csv that we can use in pivot tables and other tools to help identify trends and anomalies.
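The enrichment flow the issue asks for (fall back to a WhoIs-style lookup when the BGP-derived ASN is blank, then add organization and country columns to dmarc_failures.csv) can be sketched as follows. This is an added illustration, not code from the trustymail project or from the issue author. It assumes a `source_ip` and an `asn` column in the CSV (the report's real column names are not given here), and it uses constructed in-memory tables in place of a live WhoIs client so that it runs offline; the IP addresses, ASNs and organization names are documentation/private-use placeholders, not real assignments.

```python
import csv
import io
from typing import Callable, Dict, List

# Constructed stand-in for WhoIs answers, keyed by source IP.
# Values are placeholders (RFC 5737 documentation IPs, private-use ASNs),
# not real registry data. A real implementation would query a WhoIs/RDAP
# client here; the lookup is injectable so that client can be swapped in.
WHOIS_TABLE: Dict[str, Dict[str, str]] = {
    "192.0.2.10":   {"asn": "64496", "org": "Example Org A", "country": "US"},
    "198.51.100.7": {"asn": "64497", "org": "Example Org B", "country": "DE"},
    "203.0.113.25": {"asn": "64500", "org": "Example Org C", "country": "US"},
}

# Constructed sample of a dmarc_failures.csv. The blank asn on the second
# row models the case from the issue: the source IP's ASN was missing from
# the BGP routing tables. The fourth row is unknown to WhoIs as well.
SAMPLE_CSV = """source_ip,asn,count
192.0.2.10,64496,12
198.51.100.7,,3
203.0.113.25,64500,40
192.0.2.99,,1
"""

EMPTY_WHOIS = {"asn": "", "org": "", "country": ""}


def whois_lookup(ip: str) -> Dict[str, str]:
    """Constructed WhoIs lookup: returns empty fields when the IP is unknown."""
    return dict(WHOIS_TABLE.get(ip, EMPTY_WHOIS))


def resolve_asn(bgp_asn: str, ip: str,
                whois: Callable[[str], Dict[str, str]] = whois_lookup) -> Dict[str, str]:
    """Return asn, asn_source, asn_org and asn_country for one source IP.

    The BGP-derived ASN (already in the report) wins when present. When it is
    blank, the ASN is taken from WhoIs; if WhoIs has nothing either, the row is
    marked 'unresolved' rather than silently left empty, so an analyst can see
    which rows still need manual work.
    """
    record = whois(ip)
    asn = (bgp_asn or "").strip()
    source = "bgp"
    if not asn:
        asn = (record.get("asn") or "").strip()
        source = "whois" if asn else "unresolved"
    return {
        "asn": asn,
        "asn_source": source,
        "asn_org": record.get("org", ""),
        "asn_country": record.get("country", ""),
    }


def enrich_dmarc_failures(csv_text: str, home_country: str = "US",
                          whois: Callable[[str], Dict[str, str]] = whois_lookup) -> str:
    """Add asn_source, asn_org, asn_country and atypical_country columns.

    atypical_country flags rows whose ASN owner is registered outside
    home_country, which is the 'foreign source' signal the issue describes
    as worth prioritising; unknown countries are not flagged.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    fieldnames = list(reader.fieldnames or []) + [
        "asn_source", "asn_org", "asn_country", "atypical_country"]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        info = resolve_asn(row.get("asn", ""), row["source_ip"], whois)
        row.update(info)
        country = info["asn_country"]
        row["atypical_country"] = "yes" if country and country != home_country else "no"
        writer.writerow(row)
    return out.getvalue()


def parse_csv(csv_text: str) -> List[Dict[str, str]]:
    """Helper to read an enriched report back into rows (used for checks)."""
    return list(csv.DictReader(io.StringIO(csv_text)))


if __name__ == "__main__":
    print(enrich_dmarc_failures(SAMPLE_CSV), end="")
```

The `asn_source` column is the part worth keeping in a real implementation: it records whether each ASN came from the routing tables, from the WhoIs fallback, or could not be resolved at all, so pivot tables can separate enriched rows from gaps instead of treating a blank as "no ASN".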