Assuming to others this will likely be common knowledge... figured best place to ask.
I have various email rules for a report in place but one item I would like to do is search email body for key words, not just within the subject or by source/destination.
I am aware how to do this within investigation window, but trying to build a use case report and reduce the false positives... which might be tricky since a lot of people use the default "confidential email footer" that most companies force.
to do this, would I need to enable the search parser in the services menu on the decoders and create new keyword searches that way? or create a new parser(s) all together? I am assuming there is a best practice for performance method in doing this as in reading docs, the search parser can possibly impact performance... but maybe this is unavoidable for what I am looking to do in email body search anyway.
tips/suggestions are welcome.