* * * * * * -90d@d now
Forensic samples index="email" sourcetype="dmarc:forensic" | spath "parsed_sample.from.address" | search "parsed_sample.from.address"=$header_from$ | spath "parsed_sample.to{}.address" | search "parsed_sample.to{}.address"=$header_to$ | spath "parsed_sample.subject" | search "parsed_sample.subject"=$header_subject$ | spath "source.ip_address" | search "source.ip_address"=$source_ip_address$ | spath "source.reverse_dns" | search "source.reverse_dns"=$source_reverse_dns$| spath "source.country" | search "source.country"=$source_country$ | fillnull value="none" | stats count by arrival_date_utc, parsed_sample.from.address, parsed_sample.to{}.address, parsed_sample.subject | sort -arrival_date_utc $time_range.earliest$ $time_range.latest$
Forensic samples by country index="email" sourcetype="dmarc:forensic" | spath "parsed_sample.from.address" | search "parsed_sample.from.address"=$header_from$ | spath "parsed_sample.to{}.address" | search "parsed_sample.to{}.address"=$header_to$ | spath "parsed_sample.subject" | search "parsed_sample.subject"=$header_subject$ | spath "source.ip_address" | search "source.ip_address"=$source_ip_address$ | spath "source.reverse_dns" | search "source.reverse_dns"=$source_reverse_dns$| spath "source.country" | search "source.country"=$source_country$ | iplocation source.ip_address | stats count by Country | geom geo_countries featureIdField="Country" $time_range.earliest$ $time_range.latest$ Forensic samples by IP address index="email" sourcetype="dmarc:forensic" sourcetype="dmarc:forensic" | spath "parsed_sample.from.address" | search "parsed_sample.from.address"=$header_from$ | spath "parsed_sample.to{}.address" | search "parsed_sample.to{}.address"=$header_to$ | spath "parsed_sample.subject" | search "parsed_sample.subject"=$header_subject$ | spath "source.ip_address" | search "source.ip_address"=$source_ip_address$ | spath "source.reverse_dns" | search "source.reverse_dns"=$source_reverse_dns$| spath "source.country" | search "source.country"=$source_country$ | fillnull value="none" | iplocation source.ip_address | stats count by source.ip_address,source.reverse_dns,Country | sort -count $time_range.earliest$ $time_range.latest$
Forensic samples by country ISO code index="email" sourcetype="dmarc:forensic" | spath "parsed_sample.from.address" | search "parsed_sample.from.address"=$header_from$ | spath "parsed_sample.to{}.address" | search "parsed_sample.to{}.address"=$header_to$ | spath "parsed_sample.subject" | search "parsed_sample.subject"=$header_subject$ | spath "source.ip_address" | search "source.ip_address"=$source_ip_address$ | spath "source.reverse_dns" | search "source.reverse_dns"=$source_reverse_dns$| spath "source.country" | search "source.country"=$source_country$ | stats count by source.country | sort - count $time_range.earliest$ $time_range.latest$