Search Filters

1 Summary
- 1.1 General
- 1.2 Headers
- 1.3 Media
- 1.4 Analysis
- 1.5 Metadata
2 Related Articles

Summary

INKY’s custom dashboards allow you to quickly find the messages you’re looking for by utilizing over 40+ unique search filters. Search filters in the custom dashboards section can be applied to the entire dashboard or just one specific widget. You can find the dashboard filter menu by clicking the filter button on the top left of your custom dashboard, and the message set filter menu on the top left of each individual visualization.

When a filter is selected, all available results will populate on the left side of the window. Any results that have been selected will populate on the right side of the window.

Keep in mind that any results shown are dependent on filters that have previously been applied on the visualization and/or dashboard. For example, if a date range filter is already present, the succeeding filter menu will only display results that exist in the selected date range.

The total number of messages that a result will display is shown in parentheses

Search filters that have more than a handful of possible results (i.e the “From Domain” pictured above) will present a search field to quickly locate what you are looking for.

In the example pictured below, all results shown on the left side of the window display messages with “business” in the subject line. You have the option to select one or multiple results, or simply choose OK to display all matches of “business” in your widget(s).

General

Filter	Description

Filter	Description
User Email	Lists only internal email addresses.
From Display Name	Display name that appears next to the FROM address. Example:
From Domain	Domain of where the message originates from. Example: @example.org
From Email	Full email address of where the message originates from. Example: test@example.com
Internal/External	Toggle between internal/external mail.
MAIL FROM (SMTP)	This address is commonly referred to as to envelope sender address, Return-Path, and bounce address. The MAIL FROM and FROM addresses are typically the same, but can be different.
Organizational Unit	Defines which OU the recipient of the message is in. Note: For most customers, there will only be an attribute here if silent mode was enabled at any point.
Date	Date and time filters can be selected based on a specified timeframe relative to the current time, or starting and ending at a specific date and time.
Source	Indicates how the message was ingested into INKY. Most messages fall under “gateway”.
Team ID	INKY team ID. This filter is only used for customers who manage multiple accounts.

Headers

Filter	Description

Filter	Description
Bcc	Lists all email addresses found within the BCC: field of the message.
Cc	Lists all email addresses found within the CC: field of the message.
From	FROM field that is extracted from the message headers.
Reply To	Extracted directly from the message headers. This field can be empty, different, or the same as the FROM address. If the Reply-To and FROM addresses are different, when the recipient attempts to reply to the message the TO field will automatically populate with the Reply To address.
To	TO: address of a message. This is taken directly from the message headers.
Message ID	Unique identifier that is found in the message headers of every message that has been sent or received. Example: <CAOEOx2M1rVsv3XN2CkPsWOJzHv5qFkHBr4EtjZcwzwWBnU-zSA@mail.gmail.com>
Message ID Domain	Domain of the message ID. Example: @mail.gmail.com
Any Recipient	All internal recipients that have received inbound mail through INKY.
Subject	Subject line of the message. Searches do not need to be exact when using this filter. Example: When searching for “The”, any message with “The” in the subject line will appear in the results

Media

Filter	Description

Filter	Description
Attachment Hash	MD5 hash of any attachments in a message. Example: aef434cca4d27af79e17e3380da6fd88287000510fe52b7b11797e5b61c4f89b
Attachments	RFC content type of an attachment. Example: image/png Message headers would show: `Content-Type: image/png;`
Has Attachments	Displays only messages that contain attachments.
Images	URL’s of images that are remotely hosted. Example: https://services.google.com/fh/files/emails/gw_header-logo.png
Links	Displays the domain of the original URL of a link rewritten by INKY. Example: https://docs.microsoft.com would display as “microsoft.com”

Analysis

Filter	Description

Filter	Description
Delivery Target	The destination where messages are delivered based on a header tag. Example: Inbox, Junk, User-Q, Admin-Q Note: The delivery target will always be “Inbox” if delivery settings are not configured on your account. Please see the following KB for more information.
Threat Categories	Specific categories of caution and phishing. Example: Spoofed Internal Sender, Phishing Content, Brand Impersonation, etc.
Result Category	The type of banner a message received. Example: Neutral Caution - (Non Spam) (Spam) (High Confidence Spam) Danger - (Phish or Malware) (High Conf. Phish or Malware)
Sensitive Content	Indicates if the message matched a sensitive content policy. Example: Money, Password, COVID-19
Threat Level	There are three message threat levels: Neutral, Caution, Danger.

Metadata

Filter:	Description

Filter:	Description
Authentication Results	Displays the result of DKIM/SPF/DMARC directly from the message headers. Example: spf=pass (sender IP is 40.107.237.138) smtp.mailfrom=inky.com;
Banner Present	Toggle between True/False.
Connecting IP	The IP address identifying the last mail hop prior to connecting to your mail server.
Google Phish	Toggle between True/False. True indicates the message was detected as PHISHING by Google.
Google Spam	Toggle between True/False. True indicates the message was detected as SPAM by Google.
HELO String	FQDN (Fully Qualified Domain Name) response of the remote server that is attempting to begin an SMTP session with your mail server prior to reaching INKY.
Link Clicks	If Link Rewriting is enabled on your account this filter will list all messages where a user has clicked a link.
Microsoft SCL	SCL (Spam Confidence Level) score that is assigned to a message prior to being received by INKY. More information regarding SCL scores can be found here.
Phish Test Provider	Indicates if the message is a phishing simulation with the header tag “X-PHISHTEST”. Phishing awareness services like KnowBe4 and Wombat can be automatically identified by INKY. Note: Only phishing tests will be identified with this value. Training messages or general communications from these services will not be identified by this header tag.
Report Label	If a user has reported a message using the “Report This Email”link in the banner of the message, this attribute will populate. Example: Labels include Safe, Spam, Phishing
Reported By	The email address of any user who has submitted an email report.
Reports	Has Reports Messages that have been reported to INKY via the “Report This Email” link.
Sending IP	IP Address of the sending mail server prior to being received by the recipient mail server.
Tags	Displays any custom tags that have been assigned to messages in the custom dashboards.