patschi / parsedmarc-dockerized

Dockerized self-initializing parsedmarc docker stack for lazy people
GNU General Public License v3.0
76 stars, 21 forks

Forensic samples dashboard not populated #12

Closed hugalafutro closed 1 year ago

hugalafutro commented 1 year ago

Hi, the main dashboard works splendidly, however the Forensic samples one is empty with the following errors: [image] same for source_country.keyword & source_ip_address.keyword

Any idea if these need to be updated to different values, or is it parsedmarc config that needs to be amended?

Thanks for any insights!

GIYItalk commented 1 year ago

> Hi, the main dashboard works splendidly, however the Forensic samples one is empty with the following errors: [image] same for source_country.keyword & source_ip_address.keyword
>
> Any idea if these need to be updated to different values, or is it parsedmarc config that needs to be amended?
>
> Thanks for any insights!

hi, have you solved this problem?

hugalafutro commented 1 year ago

Sadly no, I know nothing about elastic so this is literally just me waiting till someone comes along and fixes it for me.

GIYItalk commented 1 year ago

> Sadly no, I know nothing about elastic so this is literally just me waiting till someone comes along and fixes it for me.

You can try to edit this dashboard, then delete this parameter. This parameter may not exist; no data, so error.

hugalafutro commented 1 year ago

But that's the problem - the data is not generated I think. I'll admit here I do not really understand the whole underlying technology that much, I just like nicely visualized data; so I might be completely off, but when I look into my dmarc mailbox inbox there are only ever Aggregate DMARC emails in there after they are processed by parsedmarc, never anything in the Forensic folder. So I think the solution is not to edit the dashboard, but to find out why the forensic data is not generated.

But since I don't understand the components I am not sure whether it is one or any of these (and even if I did I still wouldn't know what to do haha, but it'd be a starting point):

I mean I don't even know what the forensic dashboard is supposed to look like or what it's good for, but I liked the look of the main dashboard and was wondering what the other one is like.

hugalafutro commented 1 year ago

@GIYItalk The dashboard is correct, there just isn't any forensic data as it is apparently privacy sensitive, found this @ https://domainaware.github.io/parsedmarc/#dmarc-forensic-samples

> If your legitimate outgoing email fails DMARC, it is possible that email may appear later in a forensic report. Forensic reports contain the original headers of an email that failed a DMARC check, and sometimes may also include the full message body, depending on the policy of the reporting organization. Most reporting organizations do not send forensic reports of any kind for privacy reasons. While aggregate DMARC reports are sent at least daily, it is normal to receive very few forensic reports.

so I'm closing this as there is nothing wrong with the dashboard - it can't display data that doesn't exist.
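A quick way to confirm the conclusion above before touching the dashboard is to check whether any forensic report ever reached the DMARC mailbox at all. The script below is an added example written for this thread; it is not part of parsedmarc or of the parsedmarc-dockerized stack. It tells aggregate reports (a zip/gzip attachment, RFC 7489) apart from forensic reports (an ARF message: multipart/report with report-type=feedback-report and a message/feedback-report part, RFC 5965 / RFC 6591) using only the MIME structure, and runs over three constructed sample messages instead of a live mailbox. The sender addresses, subjects and the function names are assumptions made for the example.

```python
import email
from email import policy
from typing import Dict, Iterable

# Constructed sample messages (not real reports from this thread). Their
# MIME shapes follow what the standards describe: an aggregate report is a
# zip/gzip attachment, a forensic report is an ARF multipart/report.
AGGREGATE_SAMPLE = """\
From: reports@example.net
To: dmarc@example.org
Subject: Report domain: example.org Submitter: example.net (constructed)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Aggregate report attached (constructed sample).

--b2
Content-Type: application/zip; name="example.net!example.org!1.zip"
Content-Disposition: attachment; filename="example.net!example.org!1.zip"
Content-Transfer-Encoding: base64

UEsDBA==

--b2--
""".encode()

FORENSIC_SAMPLE = """\
From: reporter@example.net
To: dmarc@example.org
Subject: DMARC failure report (constructed sample)
MIME-Version: 1.0
Content-Type: multipart/report; report-type=feedback-report; boundary="b1"

--b1
Content-Type: text/plain

This is a constructed DMARC failure report.

--b1
Content-Type: message/feedback-report

Feedback-Type: auth-failure
User-Agent: ConstructedReporter/1.0
Version: 1
Auth-Failure: dmarc
Reported-Domain: example.org

--b1
Content-Type: message/rfc822

From: sender@example.org
To: someone@example.net
Subject: original message that failed DMARC

body
--b1--
""".encode()

OTHER_SAMPLE = """\
From: colleague@example.org
To: dmarc@example.org
Subject: unrelated mail (constructed sample)
MIME-Version: 1.0
Content-Type: text/plain

Not a DMARC report at all.
""".encode()


def classify_dmarc_report(raw: bytes) -> str:
    """Return 'aggregate', 'forensic' or 'other' for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # Forensic (ARF) reports are multipart/report with report-type=feedback-report.
    report_type = str(msg.get_param("report-type", "")).lower()
    if msg.get_content_type() == "multipart/report" and report_type == "feedback-report":
        return "forensic"
    for part in msg.walk():
        ctype = part.get_content_type()
        # A message/feedback-report part is also an ARF report, whatever the wrapper.
        if ctype == "message/feedback-report":
            return "forensic"
        # Aggregate reports are delivered as a compressed XML attachment.
        if ctype in ("application/zip", "application/gzip", "application/x-gzip"):
            return "aggregate"
    return "other"


def count_report_types(messages: Iterable[bytes]) -> Dict[str, int]:
    """Count how many messages of each kind a mailbox dump contains."""
    counts = {"aggregate": 0, "forensic": 0, "other": 0}
    for raw in messages:
        counts[classify_dmarc_report(raw)] += 1
    return counts


if __name__ == "__main__":
    # With a real mailbox you would feed raw messages fetched over IMAP here;
    # a forensic count of 0 means the empty dashboard is expected, not broken.
    print(count_report_types([AGGREGATE_SAMPLE, FORENSIC_SAMPLE, OTHER_SAMPLE]))
```

If the forensic count over the real mailbox is zero, the Kibana visualizations have nothing to index and the errors on the `.keyword` fields are the expected symptom; the fix is not in the dashboard but in whether any reporting organization sends forensic reports for the domain at all.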