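index="email" sourcetype="dmarc:forensic" parsed_sample.headers.From=$header_from|s$ parsed_sample.headers.To=$header_to|s$ parsed_sample.headers.Subject=$header_subject|s$ source.ip_address=$source_ip_address|s$ source.reverse_dns=$source_reverse_dns|s$ source.country=$source_country|s$ | table * $time_range.earliest$ $time_range.latest$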
* * * * * * -90d@d now
Forensic samples | table arrival_date_utc, authentication_results, parsed_sample.headers.From, parsed_sample.headers.To, parsed_sample.headers.Subject | sort -arrival_date_utc
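Forensic samples by country | iplocation source.ip_address | stats count by Country | geom geo_countries featureIdField="Country"
Forensic samples by IP address | stats count by source.ip_address, source.reverse_dns | sort -count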
Forensic samples by country ISO code | stats count by source.country | sort -count