2014-10-20 12:36 PM
Assuming this will likely be common knowledge to others... figured this is the best place to ask.
I have various email rules for a report in place, but one item I would like to do is search the email body for keywords, not just within the subject or by source/destination.
I am aware of how to do this within the Investigation window, but I am trying to build a use case report and reduce the false positives... which might be tricky since a lot of people use the default "confidential email footer" that most companies force.
To do this, would I need to enable the search parser in the services menu on the decoders and create new keyword searches that way? Or create new parser(s) altogether? I am assuming there is a best-practice method for performance in doing this, as, in reading the docs, the search parser can possibly impact performance... but maybe this is unavoidable for what I am looking to do in email body search anyway.
Tips/suggestions are welcome.
Thanks.
2014-10-20 03:07 PM
It depends on what version you are using. If you are using 9.8 or have the Investigator thick client, you can just run a text/regex search from your current drill point by typing in the search box on the right side of the breadcrumb bar.
In SA 10.4, you can do it from the Event viewer.