I am currently analyzing emails with NetWitness, one indicator I typically see used in spear phishing incidents is the use of logging in with a different IP than the sending mail server. I am noticing this behavior mostly with yahoo. Is there a way in NetWitness to create a search to pull up all network related sessions in this way? I am not seeing this as a searchable piece of meta data. I created a regex to try to search with no luck.