//visualise emails tagged as malware inbound
| where TimeGenerated > ago(30d) and ThreatTypes has_any ("Malware") and EmailDirection =~ "Inbound"
| summarize emails=count() by bin(TimeGenerated, 1d), SenderFromAddress
| render columnchart kind=stacked
//internal to internal, or outbound email with a malware detection
| where TimeGenerated > ago(30d) and ThreatTypes has_any ("Malware") and EmailDirection !~ "Inbound" and SenderFromAddress !~ "[email protected]" and AttachmentCount > 0
| summarize emails=count() by bin(TimeGenerated, 1d), SenderFromAddress
| render columnchart kind=stacked