forked from elastic/ecs
-
Notifications
You must be signed in to change notification settings - Fork 0
/
email.yml
202 lines (179 loc) · 6.14 KB
/
email.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
# Licensed to Elasticsearch B.V. under one or more contributor
# license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright
# ownership. Elasticsearch B.V. licenses this file to you under
# the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
---
- name: email
title: Email
group: 2
short: Describes an email transaction.
description: >
Event details relating to an email transaction.
This field set focuses on the email message header, body, and attachments. Network protocols that send and receive
email messages such as SMTP are outside the scope of the `email.*` fields.
type: group
fields:
- name: attachments
level: extended
type: nested
short: List of objects describing the attachments.
description: >
A list of objects describing the attachment files sent along with an email message.
normalize:
- array
- name: attachments.file.extension
level: extended
type: keyword
short: Attachment file extension.
description: >
Attachment file extension, excluding the leading dot.
example: "txt"
- name: attachments.file.mime_type
level: extended
type: keyword
short: MIME type of the attachment file.
description: >
The MIME media type of the attachment.
This value will typically be extracted from the `Content-Type` MIME header field.
example: "text/plain"
- name: attachments.file.name
level: extended
type: keyword
short: Name of the attachment file.
description: >
Name of the attachment file including the file extension.
example: "attachment.txt"
- name: attachments.file.size
level: extended
type: long
short: Attachment file size.
description: >
Attachment file size in bytes.
example: 64329
- name: bcc.address
level: extended
type: keyword
short: Email address of BCC recipient
description: >
The email address of BCC recipient
example: "[email protected]"
normalize:
- array
- name: cc.address
level: extended
type: keyword
short: Email address of CC recipient
description: >
The email address of CC recipient
example: "[email protected]"
normalize:
- array
- name: content_type
level: extended
type: keyword
short: MIME type of the email message.
description: >
Information about how the message is to be displayed.
Typically a MIME type.
example: "text/plain"
- name: delivery_timestamp
level: extended
type: date
short: Date and time when message was delivered.
description: >
The date and time when the email message was received by the service or client.
example: "2020-11-10T22:12:34.8196921Z"
- name: direction
level: extended
type: keyword
short: Direction of the message.
description: >
The direction of the message based on the sending and receiving domains.
example: inbound
- name: from.address
level: extended
type: keyword
short: The sender's email address.
description: >
The email address of the sender, typically from the RFC 5322 `From:` header field.
example: "[email protected]"
normalize:
- array
- name: local_id
level: extended
type: keyword
short: Unique identifier given by the source.
description: >
Unique identifier given to the email by the source that created the event.
Identifier is not persistent across hops.
example: "c26dbea0-80d5-463b-b93c-4e8b708219ce"
- name: message_id
level: extended
type: wildcard
short: Value from the Message-ID header.
description: >
Identifier from the RFC 5322 `Message-ID:` email header that refers to a particular email
message.
example: "[email protected]"
- name: origination_timestamp
level: extended
type: date
short: Date and time the email was composed.
description: >
The date and time the email message was composed. Many email clients will fill in this value
automatically when the message is sent by a user.
example: "2020-11-10T22:12:34.8196921Z"
- name: reply_to.address
level: extended
type: keyword
short: Address replies should be delivered to.
description: >
The address that replies should be delivered to based on the value in the RFC 5322 `Reply-To:` header.
example: "[email protected]"
normalize:
- array
- name: sender.address
level: extended
type: keyword
short: Address of the message sender.
description: >
Per RFC 5322, specifies the address responsible for the actual transmission of
the message.
- name: subject
level: extended
type: keyword
short: The subject of the email message.
description: >
A brief summary of the topic of the message.
example: "Please see this important message."
multi_fields:
- type: match_only_text
name: text
- name: to.address
level: extended
type: keyword
short: Email address of recipient
description: >
The email address of recipient
example: "[email protected]"
normalize:
- array
- name: x_mailer
level: extended
type: keyword
short: Application that drafted email.
description: >
The name of the application that was used to draft and send the original email message.
example: "Spambot v2.5"