parsedmarc/splunk/dmarc_failure_dashboard.xml

<form theme="dark" version="1.1">
  <label>Failure DMARC Data</label>
  <search id="base_search">
    <query>
      index="email" (sourcetype="dmarc:failure" OR sourcetype="dmarc:forensic") parsed_sample.headers.From=$header_from$ parsed_sample.headers.To=$header_to$ parsed_sample.headers.Subject=$header_subject$ source.ip_address=$source_ip_address$ source.reverse_dns=$source_reverse_dns$ source.country=$source_country$
      | table *
    </query>
    <earliest>$time_range.earliest$</earliest>
    <latest>$time_range.latest$</latest>
  </search>
  <fieldset submitButton="false" autoRun="true">
    <input type="text" token="header_from" searchWhenChanged="true">
      <label>Message header from</label>
      <default>*</default>
    </input>
    <input type="text" token="header_to" searchWhenChanged="true">
      <label>Message header to</label>
      <default>*</default>
    </input>
    <input type="text" token="header_subject" searchWhenChanged="true">
      <label>Message header subject</label>
      <default>*</default>
    </input>
    <input type="text" token="source_ip_address" searchWhenChanged="true">
      <label>Source IP address</label>
      <default>*</default>
    </input>
    <input type="text" token="source_reverse_dns" searchWhenChanged="true">
      <label>Source reverse DNS</label>
      <default>*</default>
    </input>
    <input type="text" token="source_country" searchWhenChanged="true">
      <label>Source country ISO code</label>
      <default>*</default>
    </input>
    <input type="time" token="time_range" searchWhenChanged="true">
      <label>Time range</label>
      <default>
        <earliest>-90d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Failure samples</title>
      <table>
        <search base="base_search">
          <query>| table arrival_date_utc authentication_results parsed_sample.headers.From,parsed_sample.headers.To,parsed_sample.headers.Subject | sort -arrival_date_utc</query>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <option name="totalsRow">false</option>
        <format type="number" field="count">
          <option name="precision">0</option>
        </format>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Failure samples by country</title>
      <map>
        <search base="base_search">
          <query>| iplocation source.ip_address| stats count by Country | geom geo_countries featureIdField="Country"</query>
        </search>
        <option name="drilldown">none</option>
        <option name="height">519</option>
        <option name="mapping.type">choropleth</option>
      </map>
    </panel>
  </row>
  <row>
    <panel>
      <title>Failure samples by IP address</title>
      <table>
        <search base="base_search">
          <query>| iplocation source.ip_address | stats count by source.ip_address,source.reverse_dns | sort -count</query>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <format type="number" field="count">
          <option name="precision">0</option>
        </format>
      </table>
    </panel>
    <panel>
      <title>Failure samples by country ISO code</title>
      <table>
        <search base="base_search">
          <query>| stats count by source.country | sort - count</query>
        </search>
        <option name="drilldown">none</option>
        <format type="number" field="count">
          <option name="precision">0</option>
        </format>
      </table>
    </panel>
  </row>
</form>