I'm trying to get NetWitness to scan an attachment, in an email, for a specific value and fire a custom alert. For example, I would like to scan a document file attached to an email, containing the word "test".
I've tried variations of the following with no success:
service = '25' && attachment ends 'doc' && content contains test
service = '25' && content contains test
content contains test
For the testing of these rules I created a .doc file with the word test inside and sent it across the monitored wire to my web mail. I found the email under meta tagged as service 25, though it did not fire the custom rule alert.
I think the rule is searching the email content for test instead of the attachment.