When performing a search within the Application Group for Email, users typically have several metadata fields available to filter traffic. In the current version of Security Analytics, using the email_sender field as a standalone filter may fail to retrieve the expected messages, even when the data exists within the capture.
Security Analytics version 8.3.1
If a search using email_address does not yield the expected results, use the alternative metadata fields, or a combination of filters, to broaden the capture retrieval.
To ensure you retrieve the desired email records, search using one of the following fields:
email_sender: This is a general field that often captures both source and destination addresses.
email_recipient: Use this to find messages based on the "To" or "CC" fields.
subject: Use this to find messages based on the email header's subject line.