Stephanie/Kishorilla,
The policy has no issue with getting the right incidents. It does not capture an incident if it is only sent to our company domain.
Its in the reporting that i need to filter out pg.com as a top recipient domain, but if i attempt to exclude pg.com as a domain, it removes any incident that contained pg.com even if it contained an external domain.
I.e.
1 incident has pg.com, gmail.com as domains
1 incident has gmail.com
The count would be 2 incidents under gmail.com, and 1 incident with pg.com as domain. If i try to filter out pg.com, only the incident with gmail.com will show up in the report.
Did that make sense?