New insight: high_trust_auth_fail.yml (#1117)

sublime-security · Dec 20, 2023 · dd72665 · dd72665
1 parent f3de4a3
commit dd72665
Showing 1 changed file with 24 additions and 0 deletions.
diff --git a/insights/sender/high_trust_auth_fail.yml b/insights/sender/high_trust_auth_fail.yml
@@ -0,0 +1,24 @@
+name: "High trust sender domain failed authentication"
+type: "query"
+source: |
+  filter([sender.email.email],
+       sender.email.domain.root_domain in $high_trust_sender_root_domains
+       and (
+         (
+           any(distinct(headers.hops, .authentication_results.dmarc is not null),
+               strings.ilike(.authentication_results.dmarc, "*fail")
+           )
+         )
+         or (
+           any(distinct(headers.hops, .authentication_results.spf is not null),
+               strings.ilike(.authentication_results.spf, "*fail")
+           )
+         )
+         or (
+           any(distinct(headers.hops, .authentication_results.dkim is not null),
+               strings.ilike(.authentication_results.dkim, "*fail")
+           )
+         )
+       )
+  )
+severity: "high"