Network Monitor recognize SMTP messages but NOT a partner address
I have created a Policy that is correctly triggered by Network Monitor on SMTP messages. I need to modify the Policy so it is not triggered when the recipient is an email address of a partner organization. The problem is I still want an incident if there are multiple recipients and any of them are NOT the partner organization.
If I use an exclusion for the partner organization, then no incident is generated even if there are multiple recipients where an incident should be generated.
How can I create an inclusion characteristic of some sort that says
- If the confidential material is included
- AND any of the recipients are NOT "partner.com"
Thanks in advance.