TA-dmarc.aob_meta

{"basic_builder": {"appname": "TA-dmarc", "friendly_name": "TA-dmarc add-on for Splunk", "version": "4.1.0", "author": "Jorrit Folmer", "description": "TA-dmarc add-on for Splunk", "theme": "#26b4e0", "large_icon": "iVBORw0KGgoAAAANSUhEUgAAAEgAAABICAYAAABV7bNHAAANu0lEQVR4Xu2beXRc1X3HP/e90WzSaBmNNFptyXKMbdnY8oLrOjbGsk0aCCklTVgaSgkOLdTU5dCGQEpDcxJDCjgQt00JS6E0ThqSniS4jTcs28F4wbuNiWxL3rTMjDSyRhpp1vd67nsjaSxs4Jz5k3fP0Zknvd/dvvf7+/5+vztHgrcu6FjtqggIC6CPZocF0Md4jwWQBVBuAmsxyGKQxaDcELAYlBt+lgZZDLIYlBsCFoNyw8/SIItBFoNyQ8BiUG74WRpkMchiUG4IWAzKDT9LgywGWQzKDQGLQbnhZ2nQJ2WQADyA/JRftcpP2eRzPPNzpbGcgCPzYhBIX2VCBSjIjDsEJK9gJ23kGuQYcqwrtTzAPW6NI3ZyrcNXGVvajOxNPpcATmH+La5DOGvM7K+aDQaNdrzKl9ByoCphTt6VZSM3pGX9bhPm5q40jB1IjLwQYPQdh4AEO5axcWXmyzYZ7fMRX5YXC/AK6NEhMg4UOZbchw04LyeXi5djKVCjCmPtcn/ZQI66mJrpnNShW78cQ1IapHXIU6i1CeS3+SODeIFCYW5M9rMJQWrcxkfAkQuXtr06DIxbvGmjUyYEIWN+gUOY7M0+/XygTEBYAnDZOjOGKd1E3q4gwbqUtZYJAs7LDaY1JjkVFjlVnIrg0HCa94Y1sAlqbIKLWdsX3rcu6GFN52anyosLfBTYFVQl42DCBDkaT3O6L84rZwZ4pT9FtV0xGHAhrvHL6YWsrPeQ1nRef7+P1eeGmehQOJeZRJ5YZ1LnsTI7j8z2kqcqvHqij4fODY3a1Qq4kND452onD84uJRRN8uU9PexN6RQLYWxyxOb71S7un1liHLxdlasYo6Wm6/QNpzgSHObhU4O0pnWKFbN/jYCLCY1VxXk8cE0h08tc2G2yP6TSGidDMdad7OfVSIqavDGQRNnGC3oopXOrW+XN5ip0Xac1NIQiQZKMUBW87jxKXDY0TeeZAyG+0RGjyalyKJri7blebqiTygHHA1Fm7u6lxqHQmWHvRAFnYxo75xazeGKhYffasTD3nBpkslPhtG7SvjOucfKzPqaWSYWRNr3ccypKg1PhjA71AtrjGv9S5+aBJh9dkZixToeqIIFRVIUCRx4NJQ5cdpX3g0M07unFpgokc9oSGutqXayZW2aMf7Q7Sms4TlrXafS5mOF3k0xrPLo7yHPh5ChIwrfxgt6T0vm8S+XXzZV0RBJM3Nxl0G3EPxGC9RNcPDinjERK486WLn4hfSqhsWV2McsnFdIfS2FXBV/c3s2WuIZPEYZmRQ0AdI4urSDfoeK0KbxyNMzXTg8aNI/o0JPWuT1fZUNzFbvORphW5iSe0ql5O0CZQzH0xAA6rrFugps1c338pvUSt+wLg1s1XSrj89e4FbYuKqemyMFT+4J8sytuaMx9Hhs/XlphjPvI7gDrAwlQM56S1ljfkG/sLzyUZH5LgDbNlAMToLTOTU6VXy+vpHsgSfWOAJ+xmVoiXVqS+OJgmp/P9PClaV62t0dYduSS8WLr7GKa6wuNv91QX8i/H+7hL9uGqHcqRqSStH6qyskj83wc6BziupqCUYCkjVxiW0y6qodbp5awZlc3X6h20zypkNU7u1jfl6I6TyCjlwToBxPc/M1cH9vaIyw/0s8Cl0JEM9foVWB3NM3rUwr46gwvvzwZ5rYPBg2ADsz3MqeqgOcPhFjTPkRTgY1+TTcwUhF8MJTiwMJS5lTl863dAb4bTFBjVzIApXRukgxaXknXQJKalgAFqskAqeyVAro0ncV5gm3Lq4jEUjS2BAjE9VEGfX9/kAev9XK+P8H0XSEmuuS0cHY4zcE/9FHtyWNj2wB/cW0pLx3tZdXpKFNcCq3y9NMaoeZKnDaB5/86+fsyO08vquCd8wN8dn+YBpdqgH0+C6BNZyJ87lAfuCSDslR1OM3muSWsaCjiJ8d7ueuDQf6o0Mb/LKskltKo3tZFFIEU+2hGwI1nHVbaBR5F8Iu43LUw1j/qYje5TRcbAagwA5BkkYwwUs6G0xodS/1Ueuzctb2LDb1JtswtMVxs9c5u7qzL5w9qC1i0qYN3JfUQVAqdszdWsbltgLbBFA/N8fHSkV5WnYky261yOJbmCb+DJxf62dYWYfnhS2AXdF/vx+u20by1k10JnSk2QWtsjEHbzw6w7NglVjpVYppuRCOP0Lmt0sUdjV7iqTR37wjw35EUj5Y7WLvIz4lAlBm7e6lyKARkMMuKcFJFB0bCvipG05AxgMYxaDxAMhmMpHTal5RTV2Ln6y1d/Dg0BtDDvwtQqMK3F/r5t0M9PHBOpoPwbI2Th+eVc/u2Tpp9DlbNKh0FaI5b5WA0xb4FpcyvKeDe7Z28Gkkj04qfTfPw5ele3jjey1dbozS5VSMcr69z82CTzxDm7AQxkdIR6DjzVIPhzx3q5clQwvC9fyrP4x8WVrCvI8qCfb3UOhQjlGelZcazTB9kMisDzGh6MSLSH8cgyaKBlMa56/1MKHZwX0snL2cB9OSeIN8OxEjcXENrz7BxUjIKHlroo67YQclvLvJGYxF3NZaYALVFjVxlngK/W1FFcDBJ3TtBluapnE5pfD5f5V+XVNA1kKC6JcjkPMHpmMYLE92snuOjM5LgXH8CGamdqjCikBCCDcd7ufNMFBlYpuQJWuMa/+h3GAd3oDPKvL1jUTY7UZUEkBm1XDMjac5lLjaOQZ4sDZIZrtQj2Tm8rAK3XeWWt7vYHEmxeU4JKyYV8tT+EN88E+XQ9WXM9Lto2tTJB5rO4I3V7Dw/wIp3w2xoKub26RmA2k0FeLnezb2zfGY+okkWjLWRfOw7ewI8EUwYWrOu1oxiG0/1c/P+TBRL6fyt387aheVGTvv43hDPh5NMtQs+SOr8uUflP26ooi08TMPOEOV2xUhWJUASE5kkyzy4SYVKVfC/CQ2HEAaLPuRiRhRrCRgZpRHFjAxbcDSh8VCJjeeXVHK6d5jPvBMynHjzrOIxgNqjPDspn4fnlfH0vqARAR9fUG5Go+4E/9VYyJ3ZDFKgbXE59V4HW9oGRmtACVJS0/E6VRbUFHCwc5C5MqQL+EGNGcW2tkVYceQSs1yqodHHoinW1blYM6/cSDm+uKObHUkdnxD0aDqBG/yUuvP43NZOtsY16lVBe8bHZipwLKbxozo39zeV8rMTfdzeOmgkslfWoG3dY3mQXK1Us7TGkUU+rq3I58XDPdwvNUYbA+h7+0I83jFMo1Ph4IoqjgVMDaotsuOX42nwn1M8/FljiRnmfz/AmgoH6xZXcDI4xPRtAZkaj2XG8ngdgv6VVeTbVe5u6eInfUleqM83XGxLW4SVhy8ZuZTc6GQFTg2n2T3fy8JaD/svDnLd/jCzXSqHh9K8Oc3DbdNK2NrWz4r3+sBtw6+YdVmHLD8EdCwtp6rQwXf3BvhWV5wJ48O8DIUyzb97TwivKiVPYBe6sYivNHiY4c839OWad0JMsSu0Dmv8dlYxNzYU8p29QZ7ojhtusO86L3Mq89HReetUP7e+P2As4LXJBdw9w2sCdLyfTQu8rGwo4keHevirc0PMc6r06aabyRLjveE0W2cV0TypiDdP9vGnh/v54dQC/rrJx+YzEW48csnItyRA5QKCaZ1ldoVfLa2gwKGydm+Qxzpi1DgVhnSd95f48Xvs/Pb0Jb5xatDwCtlucausnVXC9HI3+y8OcN3+PiocCiGJ20ip8aV8lZ83V2UpwIcfTwSG+NqhMHuTOo02wYmhNC1zvVxf5+Hp/SEe7ZRKJVhbYefRBX5jgHu2d/JaVJM+w0+nevjKtBJePRrm3vZB0l+oNdxq8eYO3k3qFCrCqMBl8wsIJHVWl9h4YUkl0USago0X+WFdvgHQjnMDLH3PzJFkKSJbg4AzcY0X692smu1jKJHmT1q62SSvETSdOwpUnp1XSmWhw6gde6JJQ9jLC2QaCse6o/zxwTBtmqBIQL/cTf5bF/SorrPQJniszmlEhMuaUOhLwp6eOM+FE4bCl8mrAXmHktb5Xnkei8rsvHwuxuvRtPF+moBnJjmJJHXuOBvDrwoCKZ2/89q4pcrBG+djRl31+GQXv4+k+fqFOMWqCc5IZDHLSLkvnZ/WOSl3Kjx5eog6h8p9E53sCiZ4LJikzCarf9NW9pEuI28FNkx0UpOv8quLMZ65lDYjmnQlBV6qdTHf76bUbTPY2j2YYHvHEI90xkBVKJU3Dpn5jeuO0buaRPrKlzlyGJvAazOzy5HO8tKpT4YNObFDIT9TfxmbjJlgOe0KMaAI6JeoSlo7FCMMGzY2QVGeYpzW+CbnkhtOxmUtIedQzU/5e56g2KZcdp0h+0sVkz8JaSPV26GMVvRmRSBfZsYbCefSTiaa8iYD84pk7OIw878akmS1inkKH2q6GeaD+thN4MgA0hWKhDBKEXnHI5sEfIJihs6zWQlZKVCqCIIy/AP1ipl7nP+ICzC5HlmoSmK3axglQoUi6Nd1IxvOvtwaWbcEVVbwsk9Au/ziTCaCUq8kTrJQllNLd5JNJoiJcZv/VN9JSyCNlOJKpMh2sY94/6l/9alm0Cc5fQugj0HJAsgC6JM40tVtLAZZDLIYlBsCFoNyw8/SIItBFoNyQ8BiUG74WRpkMchiUG4IWAzKDT9LgywGWQzKDQGLQbnhZ2mQxSCLQbkhYDEoN/wsDfoY/P4fE3F/QVm+VogAAAAASUVORK5CYII=", "small_icon": "iVBORw0KGgoAAAANSUhEUgAAACQAAAAkCAYAAADhAJiYAAAEYklEQVRYR+2XXWwUVRiGnzOzv+3+tHTbBSmCtlAKqZJQRCqyIpTEGCIxEWIgmmCIMSQGxegFYrxRr9BIQBIhGGOMoJEYSiJRKoVgsBRLSQ3IXygt0BZmu7vdn063M3vMzG4jeuF6ZbzYk8zFfOc737zn/d7znozgyIDkfzRECVCRbpQYKibXEkMlhooxUGy+pKESQ8UYKDZva0iV4Lgn0y1gtPDuLFy9E+LPhL/HFMAhwRCQu2edFZ8cLgEZwCwEAoAhJUKCogiShbhwtPXLNVPczK9wYX3UMCW9ms7PKYNxCa/WljFq5Ph8SEdXBB4pWVvtIaAK9g2OIRXBDAesqy1nV1+KNAJVSjaGPYR8Thugtae7yQkO3NEZE4IyKYn4nayZ7sUtBAduZjiZnGBUCERZW7/c2xjErQo6NB2XQ+G1Oj87LyXYc0vn/LIaKj0K89qHiAuBKye5sjzMrbTJik6NrALvPuDjxVk+3uqN8W00i2JKji6qolsb49fkBKqq8PxMHxcTWbZeTrK11suGWX4+uBC3wb7XVMn2C3G+jmbzgD5tDNKdNvjiZgYpYY5LcGhJNTOODfF7JExi3GTHtSSnEhM84nfwTkOArISVnVHGgMuRGt7/Lc5L9X47Zo2jzVV80pfix3jWpijid7B9boBlpzWutE5jyclhErk8ew+VqTzsd7JrcOyvgPYMZJgARE5yt3UakfZBDrXU8M3VUebXeFh9PsZXTRXcHhnnienlPN0VpSXo5I3ZAVo6NfqXh1l7RuOanqOtuYrbpiShmyhSsnKqlw8vJeiKZTnwaDUNx4dJqcIGZMnA0ltmsmWTDE0CkjnJiLWLY4McfqyGTWc1vlwcYk7HMD1La3izJ8a2eUEWdmocXlCJ061yPWnwZMjNCU1ny8UEPzWH6ImN05M2eH22n4M30nx8M0O9S7Fr1rUPkS4AsgTuQBKjoCEbUMpg70AaFYgEnOxoqqD+xB2uRsK8fDbKK/V+TN1AUwTtgzrb5gZ4pitKz4qpbOkeQYj8afloQSVzrY0sDLG7L8XJeJaAgI5ImOfOaJxLGvRGwqzv0jin53BIyeqQm80zy2ntGsm3bF9jkLqAk76kgU+F5io367tH6Iln6Xw8zKbuKFNcCgeXhll1fJCgQ+HthiCfDaRprXbzQm8coQiEKfl+URX7b6TZeH85u6+naItlMZFsCnvZXO+n5dQdlk5xsbOpkv0DabyKYENtGc92RTmXMbGP/WKPwoOevGsYUvBL0mA4J+0j+5RPpTOTIy5htU/hu6TJfaqg0aMwlpMMG5LLBhiW9oB5TkFIxf7QtfEcfSa2Li0rWBdwcDptMpKTTHUorAq5bQ39cFen3wBdWDWODEgv4J00Ppk3ML1gVEEgRd7wKoCY3W+w1lgmZz3j9xigpwDMyrFqWGCsYZW31luGa60pB1vINglgn9Z8Xuk36J9vsxJD/+q2L5b0X86XWlaM7RJDJYaKMVBsvqShYgz9AcQtEYAH6fmmAAAAAElFTkSuQmCC", "visible": false, "tab_version": "4.1.1", "tab_build_no": "0", "build_no": 12}, "data_input_builder": {"datainputs": [{"index": "default", "sourcetype": "dmarc:json:dir", "interval": "30", "use_external_validation": true, "streaming_mode_xml": true, "sample_count": 0, "customized_options": [{"name": "dmarc_directory", "value": "/tmp"}, {"name": "quiet_time", "value": "10"}, {"name": "resolve_ip", "value": true}, {"name": "validate_xml", "value": true}, {"name": "output_format", "value": "json"}], "parameters": [{"type": "text", "label": "Directory", "value": "/tmp", "default_value": "", "name": "dmarc_directory", "required": true, "help_string": "Directory containing DMARC aggregate reports", "format_type": "text", "placeholder": ""}, {"type": "text", "label": "Quiet time", "value": "10", "default_value": "10", "name": "quiet_time", "required": true, "help_string": "Ignore files that have a modification time of less than n seconds ago.", "format_type": "text", "placeholder": ""}, {"type": "checkbox", "label": "Resolve IP", "value": true, "default_value": true, "name": "resolve_ip", "required": false, "help_string": "Resolve the source_ip field in the DMARC XML aggregate report", "format_type": "checkbox"}, {"type": "checkbox", "label": "Validate XML", "value": true, "default_value": true, "name": "validate_xml", "required": false, "help_string": "Validate the aggregate report XML against the DMARC XSD. Results are included in the field vendor_rua_xsd_validation.", "format_type": "checkbox"}, {"type": "dropdownlist", "label": "Output format", "value": "json", "possible_values": [{"label": "JSON", "value": "json"}, {"label": "KV (legacy)", "value": "kv"}], "default_value": "json", "name": "output_format", "required": true, "help_string": "", "format_type": "dropdownlist", "placeholder": ""}], "description": "Ingest DMARC aggregate reports from a given directory", "data_inputs_options": [{"description": "Directory containing DMARC aggregate reports", "title": "Directory", "type": "customized_var", "required_on_create": true, "default_value": "", "name": "dmarc_directory", "required_on_edit": false, "placeholder": "", "format_type": "text"}, {"description": "Ignore files that have a modification time of less than n seconds ago.", "title": "Quiet time", "type": "customized_var", "required_on_create": true, "default_value": "10", "name": "quiet_time", "required_on_edit": false, "placeholder": "", "format_type": "text"}, {"description": "Resolve the source_ip field in the DMARC XML aggregate report", "title": "Resolve IP", "type": "customized_var", "required_on_create": false, "default_value": true, "name": "resolve_ip", "required_on_edit": false, "format_type": "checkbox"}, {"description": "Validate the aggregate report XML against the DMARC XSD. Results are included in the field vendor_rua_xsd_validation.", "title": "Validate XML", "type": "customized_var", "required_on_create": false, "default_value": true, "name": "validate_xml", "required_on_edit": false, "format_type": "checkbox"}, {"description": "", "title": "Output format", "type": "customized_var", "required_on_create": true, "possible_values": [{"label": "JSON", "value": "json"}, {"label": "KV (legacy)", "value": "kv"}], "default_value": "json", "name": "output_format", "required_on_edit": false, "placeholder": "", "format_type": "dropdownlist"}], "uuid": "aba4e078c57642a189072913a368322c", "type": "customized", "code": "# encoding = utf-8\n\nfrom dmarc.dir2splunk import Dir2Splunk\n\n\n# IMPORTANT\n# Edit only the validate_input and collect_events functions.\n# Do not edit any other part in this file.\n# This file is generated only once when creating the modular input. \n\n\ndef validate_input(helper, definition):\n    \"\"\"Implement your own validation logic to validate the input stanza configurations\"\"\"\n\n    opt_dmarc_directory = definition.parameters.get('dmarc_directory', None)\n    opt_quiet_time      = definition.parameters.get('quiet_time', None)\n    opt_resolve_ip      = definition.parameters.get('resolve_ip', None)\n    opt_validate_xml    = definition.parameters.get('validate_xml', None)\n    opt_output_format   = definition.parameters.get('output_format', 'json')\n\n    try:\n        int(opt_quiet_time)   \n    except Exception:\n        raise ValueError(\"Error: quiet_time not an integer\")\n\n    d2s = Dir2Splunk(None, helper, opt_dmarc_directory, opt_quiet_time, opt_resolve_ip, opt_validate_xml, opt_output_format, False)\n    d2s.check_dir()\n\n\ndef collect_events(helper, ew):\n    \"\"\"Implement your data collection logic here\"\"\"\n\n    opt_dmarc_directory = helper.get_arg('dmarc_directory')\n    opt_quiet_time      = int(helper.get_arg('quiet_time'))\n    opt_resolve_ip      = helper.get_arg('resolve_ip')\n    opt_validate_xml    = helper.get_arg('validate_xml')\n    opt_output_format   = helper.get_arg('output_format')\n\n    loglevel   = helper.get_log_level()\n    helper.set_log_level(loglevel)\n\n    d2s = Dir2Splunk(ew, helper, opt_dmarc_directory, opt_quiet_time, opt_resolve_ip, opt_validate_xml, opt_output_format, True)\n    if d2s.check_dir():\n        d2s.process_incoming()\n\n", "name": "dmarc_directory", "title": "DMARC directory", "reload_input": false}, {"index": "default", "sourcetype": "dmarc:json:pop3", "interval": "3600", "use_external_validation": true, "streaming_mode_xml": true, "sample_count": 0, "type": "customized", "customized_options": [{"name": "global_account", "value": ""}, {"name": "pop3_server", "value": ""}, {"name": "resolve_ip", "value": true}, {"name": "validate_xml", "value": true}, {"name": "validate_dkim", "value": false}, {"name": "output_format", "value": "json"}], "parameters": [{"name": "global_account", "label": "Global Account", "help_string": "", "required": true, "possible_values": [], "format_type": "global_account", "default_value": "", "placeholder": "", "type": "global_account", "value": ""}, {"name": "pop3_server", "label": "POP3 server", "help_string": "Connect to the specified POP3 server with TLS (port 995)", "required": false, "format_type": "text", "default_value": "", "placeholder": "", "type": "text", "value": ""}, {"name": "resolve_ip", "label": "Resolve IP", "help_string": "Resolve the source_ip field in the DMARC aggregate reports.", "required": false, "format_type": "checkbox", "default_value": true, "type": "checkbox", "value": true}, {"name": "validate_xml", "label": "Validate XML", "help_string": "Validate the aggregate reports against the DMARC XSD. Results are included in the field vendor_rua_xsd_validation.", "required": false, "format_type": "checkbox", "default_value": true, "type": "checkbox", "value": true}, {"name": "validate_dkim", "label": "Validate DKIM", "help_string": "(Beta) Validate the DKIM signatures in the mail headers. Results are currently only available in DEBUG log.", "required": false, "format_type": "checkbox", "default_value": false, "type": "checkbox", "value": false}, {"name": "output_format", "label": "Output format", "help_string": "", "required": false, "possible_values": [{"label": "JSON", "value": "json"}, {"label": "KV (legacy)", "value": "kv"}], "format_type": "dropdownlist", "default_value": "json", "placeholder": "", "type": "dropdownlist", "value": "json"}], "description": "Ingest DMARC aggregate reports from a POP3 mailbox", "data_inputs_options": [{"type": "customized_var", "name": "global_account", "title": "Global Account", "description": "", "required_on_edit": false, "required_on_create": true, "possible_values": [], "format_type": "global_account", "default_value": "", "placeholder": ""}, {"type": "customized_var", "name": "pop3_server", "title": "POP3 server", "description": "Connect to the specified POP3 server with TLS (port 995)", "required_on_edit": false, "required_on_create": false, "format_type": "text", "default_value": "", "placeholder": ""}, {"type": "customized_var", "name": "resolve_ip", "title": "Resolve IP", "description": "Resolve the source_ip field in the DMARC aggregate reports.", "required_on_edit": false, "required_on_create": false, "format_type": "checkbox", "default_value": true}, {"type": "customized_var", "name": "validate_xml", "title": "Validate XML", "description": "Validate the aggregate reports against the DMARC XSD. Results are included in the field vendor_rua_xsd_validation.", "required_on_edit": false, "required_on_create": false, "format_type": "checkbox", "default_value": true}, {"type": "customized_var", "name": "validate_dkim", "title": "Validate DKIM", "description": "(Beta) Validate the DKIM signatures in the mail headers. Results are currently only available in DEBUG log.", "required_on_edit": false, "required_on_create": false, "format_type": "checkbox", "default_value": false}, {"type": "customized_var", "name": "output_format", "title": "Output format", "description": "", "required_on_edit": false, "required_on_create": false, "possible_values": [{"label": "JSON", "value": "json"}, {"label": "KV (legacy)", "value": "kv"}], "format_type": "dropdownlist", "default_value": "json", "placeholder": ""}], "uuid": "782aa3fafe9c4a1285290ac77c9d1155", "code": "# encoding = utf-8\n\nfrom dmarc.pop2dir import Pop2Dir\nfrom dmarc.dir2splunk import Dir2Splunk\nfrom dmarc.helper import create_tmp_dir\nfrom dmarc.helper import remove_tmp_dir\n\n\n# IMPORTANT\n# Edit only the validate_input and collect_events functions.\n# Do not edit any other part in this file.\n# This file is generated only once when creating the modular input.\n\ndef validate_input(helper, definition):\n    \"\"\"Implement your own validation logic to validate the input stanza configurations\"\"\"\n\n    opt_pop3_server    = definition.parameters.get(\"pop3_server\", None)\n    opt_use_ssl        = True\n    opt_global_account = definition.parameters.get('global_account', None)\n    opt_validate_dkim  = definition.parameters.get('validate_dkim', None)\n\n    try:\n        tmp_dir = create_tmp_dir(helper)\n        p2d = Pop2Dir(helper, opt_pop3_server, tmp_dir, opt_use_ssl, opt_global_account, opt_validate_dkim)\n        p2d.get_pop3_connectivity()\n    finally:\n        remove_tmp_dir(helper, tmp_dir)\n\ndef collect_events(helper, ew):\n    \"\"\"Implement your data collection logic here \"\"\"\n\n    opt_pop3_server    = helper.get_arg(\"pop3_server\")\n    opt_use_ssl        = True\n    opt_global_account = helper.get_arg('global_account')\n    opt_resolve_ip     = helper.get_arg('resolve_ip')\n    opt_validate_xml   = helper.get_arg('validate_xml')\n    opt_validate_dkim  = helper.get_arg('validate_dkim')\n    opt_output_format  = helper.get_arg('output_format')\n\n    loglevel   = helper.get_log_level()\n    helper.set_log_level(loglevel)\n\n    tmp_dir = create_tmp_dir(helper)\n    p2d = Pop2Dir(helper, opt_pop3_server, tmp_dir, opt_use_ssl, opt_global_account, opt_validate_dkim)\n    try:\n        filelist = p2d.process_incoming()\n        if len(filelist)>0:\n            d2s = Dir2Splunk(ew, helper, tmp_dir, 0, opt_resolve_ip, opt_validate_xml, opt_output_format, False)\n            if d2s.check_dir():\n                d2s.process_incoming()\n    finally:\n        remove_tmp_dir(helper, tmp_dir)\n\n# PSEUDOCODE for refactor:\n#\n# mailbox = DMARCMailbox(imap, ssl, account)\n# for uid, message in mailbox.get_dmarc_messages()\n#     mail = DMARCMail(message)\n#     dkimvrfy = mail.dkim_verify()\n#     for file in mail.get_dmarc_attachments()\n#         rua = DMARCfile(file)\n#         res_xmlvalidation = rua.get_xml_validation()\n#         res_feedback = rua.get_rua_feedback()\n#         event = DMARCEvent(res_feedback, res_xmlvalidation, dkimvrfy)\n#         event.save_event()\n#     mailbox.save_checkpoint(uid)\n", "name": "dmarc_pop3", "title": "DMARC pop3"}, {"index": "default", "sourcetype": "dmarc:json:imap", "interval": "3600", "use_external_validation": true, "streaming_mode_xml": true, "sample_count": 0, "type": "customized", "customized_options": [{"name": "global_account", "value": ""}, {"name": "imap_server", "value": ""}, {"name": "resolve_ip", "value": true}, {"name": "validate_xml", "value": true}, {"name": "validate_dkim", "value": false}, {"name": "imap_mailbox", "value": "INBOX"}, {"name": "output_format", "value": "json"}, {"name": "batch_size", "value": "100"}], "uuid": "50844e1a57fd495a9a73ea984f87571b", "parameters": [{"name": "global_account", "label": "Global Account", "help_string": "Use the account configured in the setup tab", "required": true, "possible_values": [], "format_type": "global_account", "default_value": "", "placeholder": "", "type": "global_account", "value": ""}, {"name": "imap_server", "label": "IMAP server", "help_string": "Connect to the specified IMAP server with TLS (port 993)", "required": true, "format_type": "text", "default_value": "", "placeholder": "", "type": "text", "value": ""}, {"name": "resolve_ip", "label": "Resolve IP", "help_string": "Resolve the source_ip field in the DMARC aggregate reports.", "required": false, "format_type": "checkbox", "default_value": true, "type": "checkbox", "value": true}, {"name": "validate_xml", "label": "Validate XML", "help_string": "Validate the aggregate reports against the DMARC XSD. Results are included in the field vendor_rua_xsd_validation.", "required": false, "format_type": "checkbox", "default_value": true, "type": "checkbox", "value": true}, {"name": "validate_dkim", "label": "Validate DKIM", "help_string": "(Beta) Validate the DKIM signatures in the mail headers. Results are currently only available in DEBUG log.", "required": false, "format_type": "checkbox", "default_value": false, "type": "checkbox", "value": false}, {"name": "imap_mailbox", "label": "IMAP mailbox", "help_string": "Select the IMAP mailbox to poll. Default: INBOX", "required": true, "format_type": "text", "default_value": "INBOX", "placeholder": "", "type": "text", "value": "INBOX"}, {"name": "output_format", "label": "Output format", "help_string": "", "required": true, "possible_values": [{"label": "JSON", "value": "json"}, {"label": "KV (legacy)", "value": "kv"}], "format_type": "dropdownlist", "default_value": "json", "placeholder": "", "type": "dropdownlist", "value": "json"}, {"name": "batch_size", "label": "Batch size", "help_string": "Max number of messages to fetch per batch to prevent connection timeouts and resets", "required": false, "format_type": "text", "default_value": "100", "placeholder": "", "type": "text", "value": "100"}], "description": "Ingest DMARC aggregate reports from an IMAP mailbox", "data_inputs_options": [{"type": "customized_var", "name": "global_account", "title": "Global Account", "description": "Use the account configured in the setup tab", "required_on_edit": false, "required_on_create": true, "possible_values": [], "format_type": "global_account", "default_value": "", "placeholder": ""}, {"type": "customized_var", "name": "imap_server", "title": "IMAP server", "description": "Connect to the specified IMAP server with TLS (port 993)", "required_on_edit": false, "required_on_create": true, "format_type": "text", "default_value": "", "placeholder": ""}, {"type": "customized_var", "name": "resolve_ip", "title": "Resolve IP", "description": "Resolve the source_ip field in the DMARC aggregate reports.", "required_on_edit": false, "required_on_create": false, "format_type": "checkbox", "default_value": true}, {"type": "customized_var", "name": "validate_xml", "title": "Validate XML", "description": "Validate the aggregate reports against the DMARC XSD. Results are included in the field vendor_rua_xsd_validation.", "required_on_edit": false, "required_on_create": false, "format_type": "checkbox", "default_value": true}, {"type": "customized_var", "name": "validate_dkim", "title": "Validate DKIM", "description": "(Beta) Validate the DKIM signatures in the mail headers. Results are currently only available in DEBUG log.", "required_on_edit": false, "required_on_create": false, "format_type": "checkbox", "default_value": false}, {"type": "customized_var", "name": "imap_mailbox", "title": "IMAP mailbox", "description": "Select the IMAP mailbox to poll. Default: INBOX", "required_on_edit": false, "required_on_create": true, "format_type": "text", "default_value": "INBOX", "placeholder": ""}, {"type": "customized_var", "name": "output_format", "title": "Output format", "description": "", "required_on_edit": false, "required_on_create": true, "possible_values": [{"label": "JSON", "value": "json"}, {"label": "KV (legacy)", "value": "kv"}], "format_type": "dropdownlist", "default_value": "json", "placeholder": ""}, {"type": "customized_var", "name": "batch_size", "title": "Batch size", "description": "Max number of messages to fetch per batch to prevent connection timeouts and resets", "required_on_edit": false, "required_on_create": false, "format_type": "text", "default_value": "100", "placeholder": ""}], "title": "DMARC imap", "code": "# encoding = utf-8\n\nfrom dmarc.imap2dir import Imap2Dir\nfrom dmarc.dir2splunk import Dir2Splunk\nfrom dmarc.helper import create_tmp_dir\nfrom dmarc.helper import remove_tmp_dir\n\n\n'''\n    IMPORTANT\n    Edit only the validate_input and collect_events functions.\n    Do not edit any other part in this file.\n    This file is generated only once when creating the modular input.\n'''\n'''\n# For advanced users, if you want to create single instance mod input, uncomment this method.\ndef use_single_instance_mode():\n    return True\n'''\n\ndef validate_input(helper, definition):\n    opt_imap_server    = definition.parameters.get(\"imap_server\", None)\n    opt_imap_mailbox   = definition.parameters.get(\"imap_mailbox\", None)\n    opt_use_ssl        = True\n    opt_global_account = definition.parameters.get('global_account', None)\n    opt_validate_dkim  = definition.parameters.get('validate_dkim', None)\n    opt_batch_size     = int(definition.parameters.get('batch_size', None))\n\n    try:\n        tmp_dir = create_tmp_dir(helper)\n        i2d = Imap2Dir(helper, opt_imap_server, tmp_dir, opt_use_ssl, opt_global_account, opt_imap_mailbox, opt_validate_dkim, opt_batch_size)\n        i2d.get_imap_connectivity()\n    finally:\n        remove_tmp_dir(helper, tmp_dir)\n\ndef collect_events(helper, ew):\n    opt_imap_server    = helper.get_arg(\"imap_server\")\n    opt_imap_mailbox   = helper.get_arg(\"imap_mailbox\")\n    opt_use_ssl        = True\n    opt_global_account = helper.get_arg('global_account')\n    opt_resolve_ip     = helper.get_arg('resolve_ip')\n    opt_validate_xml   = helper.get_arg('validate_xml')\n    opt_validate_dkim  = helper.get_arg('validate_dkim')\n    opt_output_format  = helper.get_arg('output_format')\n    opt_batch_size     = int(helper.get_arg('batch_size'))\n\n    loglevel   = helper.get_log_level()\n    helper.set_log_level(loglevel)\n\n    tmp_dir = create_tmp_dir(helper)\n    i2d = Imap2Dir(helper, opt_imap_server, tmp_dir, opt_use_ssl, opt_global_account, opt_imap_mailbox, opt_validate_dkim, opt_batch_size)\n    try:\n        filelist = i2d.process_incoming()\n        if len(filelist)>0:\n            d2s = Dir2Splunk(ew, helper, tmp_dir, 0, opt_resolve_ip, opt_validate_xml, opt_output_format, False)\n            if d2s.check_dir():\n                d2s.process_incoming()\n    finally:\n        remove_tmp_dir(helper, tmp_dir)\n\n# PSEUDOCODE for refactor:\n#\n# mailbox = DMARCMailbox(imap, ssl, account)\n# for uid, message in mailbox.get_dmarc_messages()\n#     mail = DMARCMail(message)\n#     dkimvrfy = mail.dkim_verify()\n#     for file in mail.get_dmarc_attachments()\n#         rua = DMARCfile(file)\n#         res_xmlvalidation = rua.get_xml_validation()\n#         res_feedback = rua.get_rua_feedback()\n#         event = DMARCEvent(res_feedback, res_xmlvalidation, dkimvrfy)\n#         event.save_event()\n#     mailbox.save_checkpoint(uid)", "name": "dmarc_imap"}, {"index": "default", "sourcetype": "dmarc:json:imap:oauth2", "interval": "3600", "use_external_validation": true, "streaming_mode_xml": true, "name": "dmarc_imap_oauth2", "title": "DMARC imap (oauth2)", "description": "Ingest DMARC aggregate reports from an IMAP mailbox using OAuth2", "type": "customized", "parameters": [{"name": "global_account", "label": "Global Account", "help_string": "", "required": true, "possible_values": [], "format_type": "global_account", "default_value": "", "placeholder": "", "type": "global_account", "value": ""}, {"name": "imap_server", "label": "IMAP server", "help_string": "Connect to the specified IMAP server with TLS (port 993)", "required": true, "format_type": "text", "default_value": "outlook.office365.com", "placeholder": "", "type": "text", "value": "outlook.office365.com"}, {"name": "imap_username", "label": "IMAP username", "help_string": "The username as identified by their mail address, e.g. test@contoso.onmicrosoft.com", "required": true, "format_type": "text", "default_value": "", "placeholder": "", "type": "text", "value": ""}, {"name": "oauth2_authority", "label": "OAuth2 authority", "help_string": "For O365 this should be https://login.microsoftonline.com/<tenant_id>", "required": true, "format_type": "text", "default_value": "", "placeholder": "", "type": "text", "value": ""}, {"name": "oauth2_scope", "label": "OAuth2 scope", "help_string": "For O365 this should be https://outlook.office365.com/.default", "required": true, "format_type": "text", "default_value": "https://outlook.office365.com/.default", "placeholder": "", "type": "text", "value": "https://outlook.office365.com/.default"}, {"name": "resolve_ip", "label": "Resolve IP", "help_string": "Resolve the source_ip field in the DMARC aggregate reports.", "required": false, "format_type": "checkbox", "default_value": true, "type": "checkbox", "value": true}, {"name": "validate_xml", "label": "Validate XML", "help_string": "Validate the aggregate reports against the DMARC XSD. Results are included in the field vendor_rua_xsd_validation.", "required": false, "format_type": "checkbox", "default_value": true, "type": "checkbox", "value": true}, {"name": "validate_dkim", "label": "Validate DKIM", "help_string": "(Beta) Validate the DKIM signatures in the mail headers. Results are currently only available in DEBUG log.", "required": false, "format_type": "checkbox", "default_value": false, "type": "checkbox", "value": false}, {"name": "imap_mailbox", "label": "IMAP mailbox", "help_string": "Select the IMAP mailbox to poll. Default: INBOX", "required": true, "format_type": "text", "default_value": "INBOX", "placeholder": "", "type": "text", "value": "INBOX"}, {"name": "output_format", "label": "Output format", "help_string": "", "required": true, "possible_values": [{"value": "json", "label": "JSON"}, {"value": "kv", "label": "KV (legacy)"}], "format_type": "dropdownlist", "default_value": "json", "placeholder": "", "type": "dropdownlist", "value": "json"}, {"name": "batch_size", "label": "Batch size", "help_string": "Max number of messages to fetch per batch to prevent connection timeouts and resets", "required": false, "format_type": "text", "default_value": "100", "placeholder": "", "type": "text", "value": "100"}], "data_inputs_options": [{"type": "customized_var", "name": "global_account", "title": "Global Account", "description": "", "required_on_edit": false, "required_on_create": true, "possible_values": [], "format_type": "global_account", "default_value": "", "placeholder": ""}, {"type": "customized_var", "name": "imap_server", "title": "IMAP server", "description": "Connect to the specified IMAP server with TLS (port 993)", "required_on_edit": false, "required_on_create": true, "format_type": "text", "default_value": "outlook.office365.com", "placeholder": ""}, {"type": "customized_var", "name": "imap_username", "title": "IMAP username", "description": "The username as identified by their mail address, e.g. test@contoso.onmicrosoft.com", "required_on_edit": false, "required_on_create": true, "format_type": "text", "default_value": "", "placeholder": ""}, {"type": "customized_var", "name": "oauth2_authority", "title": "OAuth2 authority", "description": "For O365 this should be https://login.microsoftonline.com/<tenant_id>", "required_on_edit": false, "required_on_create": true, "format_type": "text", "default_value": "", "placeholder": ""}, {"type": "customized_var", "name": "oauth2_scope", "title": "OAuth2 scope", "description": "For O365 this should be https://outlook.office365.com/.default", "required_on_edit": false, "required_on_create": true, "format_type": "text", "default_value": "https://outlook.office365.com/.default", "placeholder": ""}, {"type": "customized_var", "name": "resolve_ip", "title": "Resolve IP", "description": "Resolve the source_ip field in the DMARC aggregate reports.", "required_on_edit": false, "required_on_create": false, "format_type": "checkbox", "default_value": true}, {"type": "customized_var", "name": "validate_xml", "title": "Validate XML", "description": "Validate the aggregate reports against the DMARC XSD. Results are included in the field vendor_rua_xsd_validation.", "required_on_edit": false, "required_on_create": false, "format_type": "checkbox", "default_value": true}, {"type": "customized_var", "name": "validate_dkim", "title": "Validate DKIM", "description": "(Beta) Validate the DKIM signatures in the mail headers. Results are currently only available in DEBUG log.", "required_on_edit": false, "required_on_create": false, "format_type": "checkbox", "default_value": false}, {"type": "customized_var", "name": "imap_mailbox", "title": "IMAP mailbox", "description": "Select the IMAP mailbox to poll. Default: INBOX", "required_on_edit": false, "required_on_create": true, "format_type": "text", "default_value": "INBOX", "placeholder": ""}, {"type": "customized_var", "name": "output_format", "title": "Output format", "description": "", "required_on_edit": false, "required_on_create": true, "possible_values": [{"value": "json", "label": "JSON"}, {"value": "kv", "label": "KV (legacy)"}], "format_type": "dropdownlist", "default_value": "json", "placeholder": ""}, {"type": "customized_var", "name": "batch_size", "title": "Batch size", "description": "Max number of messages to fetch per batch to prevent connection timeouts and resets", "required_on_edit": false, "required_on_create": false, "format_type": "text", "default_value": "100", "placeholder": ""}], "code": "# encoding = utf-8\n\nfrom dmarc.imap2dir import Imap2Dir\nfrom dmarc.dir2splunk import Dir2Splunk\nfrom dmarc.helper import create_tmp_dir\nfrom dmarc.helper import remove_tmp_dir\n\n\n'''\n    IMPORTANT\n    Edit only the validate_input and collect_events functions.\n    Do not edit any other part in this file.\n    This file is generated only once when creating the modular input.\n'''\n'''\n# For advanced users, if you want to create single instance mod input, uncomment this method.\ndef use_single_instance_mode():\n    return True\n'''\n\ndef validate_input(helper, definition):\n    #def __init__(\n    #        self,\n    #        helper,\n    #        opt_imap_server,\n    #        tmp_dir,\n    #        opt_use_ssl,\n    #        opt_global_account,\n    #        opt_imap_username\n    #        opt_oauth2_authority,\n    #        opt_oauth2_scope,\n    #        opt_imap_mailbox,\n    #        opt_validate_dkim,\n    #        opt_batch_size):\n            \n    opt_imap_server    = definition.parameters.get(\"imap_server\", None)\n    opt_use_ssl        = True\n    opt_global_account = definition.parameters.get('global_account', None)\n    opt_imap_username  = definition.parameters.get('imap_username', None)\n    opt_oauth2_authority = definition.parameters.get('oauth2_authority', None)\n    opt_oauth2_scope   = definition.parameters.get('oauth2_scope', None)\n    opt_imap_mailbox   = definition.parameters.get(\"imap_mailbox\", None)\n    opt_validate_dkim  = definition.parameters.get('validate_dkim', None)\n    opt_batch_size     = int(definition.parameters.get('batch_size', None))\n\n    try:\n        tmp_dir = create_tmp_dir(helper)\n        i2d = Imap2Dir(helper, \n                        opt_imap_server,\n                        tmp_dir,\n                        opt_use_ssl,\n                        opt_global_account,\n                        opt_imap_username,\n                        opt_oauth2_authority,\n                        opt_oauth2_scope,\n                        opt_imap_mailbox,\n                        opt_validate_dkim,\n                        opt_batch_size)\n        i2d.get_imap_connectivity()\n    finally:\n        remove_tmp_dir(helper, tmp_dir)\n\ndef collect_events(helper, ew):\n    opt_imap_server    = helper.get_arg(\"imap_server\")\n    opt_use_ssl        = True\n    opt_global_account = helper.get_arg('global_account')\n    opt_imap_username  = helper.get_arg('imap_username')\n    opt_oauth2_authority = helper.get_arg('oauth2_authority')\n    opt_oauth2_scope   = helper.get_arg('oauth2_scope')\n    opt_imap_mailbox   = helper.get_arg(\"imap_mailbox\")\n    opt_resolve_ip     = helper.get_arg('resolve_ip')\n    opt_validate_xml   = helper.get_arg('validate_xml')\n    opt_validate_dkim  = helper.get_arg('validate_dkim')\n    opt_output_format  = helper.get_arg('output_format')\n    opt_batch_size     = int(helper.get_arg('batch_size'))\n\n    loglevel   = helper.get_log_level()\n    helper.set_log_level(loglevel)\n\n    tmp_dir = create_tmp_dir(helper)\n    i2d = Imap2Dir(helper, \n                    opt_imap_server,\n                    tmp_dir,\n                    opt_use_ssl,\n                    opt_global_account,\n                    opt_imap_username,\n                    opt_oauth2_authority,\n                    opt_oauth2_scope,\n                    opt_imap_mailbox,\n                    opt_validate_dkim,\n                    opt_batch_size)\n    try:\n        filelist = i2d.process_incoming()\n        if len(filelist)>0:\n            d2s = Dir2Splunk(ew, helper, tmp_dir, 0, opt_resolve_ip, opt_validate_xml, opt_output_format, False)\n            if d2s.check_dir():\n                d2s.process_incoming()\n    finally:\n        remove_tmp_dir(helper, tmp_dir)\n\n# PSEUDOCODE for refactor:\n#\n# mailbox = DMARCMailbox(imap, ssl, account)\n# for uid, message in mailbox.get_dmarc_messages()\n#     mail = DMARCMail(message)\n#     dkimvrfy = mail.dkim_verify()\n#     for file in mail.get_dmarc_attachments()\n#         rua = DMARCfile(file)\n#         res_xmlvalidation = rua.get_xml_validation()\n#         res_feedback = rua.get_rua_feedback()\n#         event = DMARCEvent(res_feedback, res_xmlvalidation, dkimvrfy)\n#         event.save_event()\n#     mailbox.save_checkpoint(uid)", "customized_options": [{"name": "global_account", "value": ""}, {"name": "imap_server", "value": "outlook.office365.com"}, {"name": "imap_username", "value": ""}, {"name": "oauth2_authority", "value": ""}, {"name": "oauth2_scope", "value": "https://outlook.office365.com/.default"}, {"name": "resolve_ip", "value": true}, {"name": "validate_xml", "value": true}, {"name": "validate_dkim", "value": false}, {"name": "imap_mailbox", "value": "INBOX"}, {"name": "output_format", "value": "json"}, {"name": "batch_size", "value": "100"}], "uuid": "4cfc0d6bd56047ffaae8f7b8c718e0c6", "sample_count": 0}]}, "field_extraction_builder": {"dmarc:kv": {"data_format": "unstructured_data"}, "dmarc:json": {"data_format": "json"}, "dmarc:json:pop3": {"data_format": "json"}}, "global_settings_builder": {"global_settings": {"log_settings": {"log_level": "DEBUG"}, "credential_settings": []}}, "sourcetype_builder": {"dmarc:json:imap:oauth2": {"metadata": {"event_count": 0, "data_input_name": "dmarc_imap_oauth2", "extractions_count": 0, "cims_count": 0}}}, "validation": {"validators": ["app_cert_validation"], "progress": 1.0, "validation_id": "v_1537697239_89", "status": "job_finished"}}