From 3f1fd5bcbeb2d554cd858b2372bbfe47d988783e Mon Sep 17 00:00:00 2001
From: Aiden Mitchell
Date: Mon, 11 Dec 2023 12:59:17 -0800
Subject: [PATCH] New insight: high_trust_auth_fail.yml
---
 insights/sender/high_trust_auth_fail.yml | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 insights/sender/high_trust_auth_fail.yml
diff --git a/insights/sender/high_trust_auth_fail.yml b/insights/sender/high_trust_auth_fail.yml
new file mode 100644
index 00000000000..f1991695e54
--- /dev/null
+++ b/insights/sender/high_trust_auth_fail.yml
@@ -0,0 +1,24 @@
+name: "High trust sender domain failed authentication"
+type: "query"
+source: |
+  filter([sender.email.email],
+    sender.email.domain.root_domain in $high_trust_sender_root_domains
+    and (
+      (
+        any(distinct(headers.hops, .authentication_results.dmarc is not null),
+          strings.ilike(.authentication_results.dmarc, "*fail")
+        )
+      )
+      or (
+        any(distinct(headers.hops, .authentication_results.spf is not null),
+          strings.ilike(.authentication_results.spf, "*fail")
+        )
+      )
+      or (
+        any(distinct(headers.hops, .authentication_results.dkim is not null),
+          strings.ilike(.authentication_results.dkim, "*fail")
+        )
+      )
+    )
+  )
+severity: "high"
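Review bot: The three `or` branches inside `and (` fire at severity high whenever any single one of DMARC, SPF or DKIM reports a failure on any hop, even though DMARC already passes when either aligned mechanism passes; forwarded or list-relayed mail from a high-trust domain routinely carries `spf=fail`/`softfail` (or a DKIM break from body rewriting) alongside `dmarc=pass`, so as written this alerts on benign traffic. Consider keeping the DMARC branch as the standalone trigger and joining the SPF and DKIM branches with `and` instead of `or`, so the condition reads DMARC fail or (SPF fail and DKIM fail). Note that `"*fail"` also matches `softfail`, which for SPF usually reflects a `~all` policy rather than an outright rejection; if that is intended, say so in a comment above `source:`, otherwise match `fail` exactly. Do not fix this by suppressing on a `dmarc=pass` seen in any hop, since `Authentication-Results` headers written by upstream hops are not verifiable and can be injected by the sender to silence the rule.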