Why do Internal emails appear when I apply the external scope

Document ID : KB000121291
Last Modified Date : 16/11/2018
Show Technical Document Details
Introduction:
The CA Data protection iConsole has the ability to limit the result set of events by applying a "scope" to emails.  Three options are available, "Internal and External", "Internal Only" and "External"

iConsole Email Properties Scope 
Question:
When running an iConsole Search with a scope of "External" why do mails from internal users still appear in the result set?
Environment:
CA Data Protection 14.x\15.x
Answer:
The iConsole Search Filters ares used to probe the underlying data base to produce a result set. Specifically when data is capture through policy the event is augmented with Event Attributes representing the nature of the event and how it was capture.. A complete list of the Event Attributes can be found in the link below: 

https://docops.ca.com/ca-data-protection/15-2/en/developing/database-schema-and-views/database-tables/wgn3event 

In the case of of "External" events these are defined by "/SPe". The event has external scope - ie, exclusively sent to, or received from locations NOT matching the policy definition of 'Internal Email' (email events) or 'Intranet Sites' (web events). 

The reason that this information is important is because the attributes are contextualized at the time of capture. If the "Internal Address" pattern changes, You can have a situation where events with the same email address can appear as External or Internal depending upon when the changes were introduced (ie when the mail was captured).