Describes an email transaction.
Fields
Field Summary
| Field | Type | Level | Description |
|---|---|---|---|
| email.attachments | nested | Extended | List of objects describing the attachments. |
| email.attachments.file.extension | keyword | Extended | Attachment file extension. |
| email.attachments.file.hash.cdhash | keyword | Extended | The Code Directory (CD) hash of an executable. |
| email.attachments.file.hash.md5 | keyword | Extended | MD5 hash. |
| email.attachments.file.hash.sha1 | keyword | Extended | SHA1 hash. |
| email.attachments.file.hash.sha256 | keyword | Extended | SHA256 hash. |
| email.attachments.file.hash.sha384 | keyword | Extended | SHA384 hash. |
| email.attachments.file.hash.sha512 | keyword | Extended | SHA512 hash. |
| email.attachments.file.hash.ssdeep | keyword | Extended | SSDEEP hash. |
| email.attachments.file.hash.tlsh | keyword | Extended | TLSH hash. |
| email.attachments.file.mime_type | keyword | Extended | MIME type of the attachment file. |
| email.attachments.file.name | keyword | Extended | Name of the attachment file. |
| email.attachments.file.size | long | Extended | Attachment file size. |
| email.bcc.address | keyword | Extended | Email address of BCC recipient. |
| email.cc.address | keyword | Extended | Email address of CC recipient. |
| email.content_type | keyword | Extended | MIME type of the email message. |
| email.delivery_timestamp | date | Extended | Date and time when the message was delivered. |
| email.direction | keyword | Extended | Direction of the message. |
| email.from.address | keyword | Extended | The sender's email address. |
| email.local_id | keyword | Extended | Unique identifier given by the source. |
| email.message_id | wildcard | Extended | Value from the Message-ID header. |
| email.origination_timestamp | date | Extended | Date and time the email was composed. |
| email.reply_to.address | keyword | Extended | Address replies should be delivered to. |
| email.sender.address | keyword | Extended | Address of the message sender. |
| email.subject | keyword | Extended | The subject of the email message. |
| email.subject.text | match_only_text | Extended | The subject of the email message. |
| email.to.address | keyword | Extended | Email address of recipient. |
| email.x_mailer | keyword | Extended | Application that drafted the email. |
Field Details
email.attachments
Type: nested
Level: Extended
Description: List of objects describing the attachments.
Normalization: array
Indexed: true
email.attachments.file.extension
Type: keyword
Level: Extended
Description: Attachment file extension.
Example: txt
Indexed: true
email.attachments.file.hash.cdhash
Type: keyword
Level: Extended
Description: The Code Directory (CD) hash of an executable.
Example: 3783b4052fd474dbe30676b45c329e7a6d44acd9
Indexed: true
email.attachments.file.hash.md5
Type: keyword
Level: Extended
Description: MD5 hash.
Indexed: true
email.attachments.file.hash.sha1
Type: keyword
Level: Extended
Description: SHA1 hash.
Indexed: true
email.attachments.file.hash.sha256
Type: keyword
Level: Extended
Description: SHA256 hash.
Indexed: true
email.attachments.file.hash.sha384
Type: keyword
Level: Extended
Description: SHA384 hash.
Indexed: true
email.attachments.file.hash.sha512
Type: keyword
Level: Extended
Description: SHA512 hash.
Indexed: true
email.attachments.file.hash.ssdeep
Type: keyword
Level: Extended
Description: SSDEEP hash.
Indexed: true
email.attachments.file.hash.tlsh
Type: keyword
Level: Extended
Description: TLSH hash.
Indexed: true
email.attachments.file.mime_type
Type: keyword
Level: Extended
Description: MIME type of the attachment file.
Example: text/plain
Indexed: true
email.attachments.file.name
Type: keyword
Level: Extended
Description: Name of the attachment file.
Example: attachment.txt
Indexed: true
email.attachments.file.size
Type: long
Level: Extended
Description: Attachment file size.
Example: 64329
Indexed: true
email.bcc.address
Type: keyword
Level: Extended
Description: Email address of BCC recipient.
Example: [email protected]
Normalization: array
Indexed: true
email.cc.address
Type: keyword
Level: Extended
Description: Email address of CC recipient.
Example: [email protected]
Normalization: array
Indexed: true
email.content_type
Type: keyword
Level: Extended
Description: MIME type of the email message.
Example: text/plain
Indexed: true
email.delivery_timestamp
Type: date
Level: Extended
Description: Date and time when the message was delivered.
Example: 2020-11-10T22:12:34.8196921Z
Indexed: true
email.direction
Type: keyword
Level: Extended
Description: Direction of the message.
Example: inbound
Indexed: true
email.from.address
Type: keyword
Level: Extended
Description: The sender's email address.
Example: [email protected]
Normalization: array
Indexed: true
email.local_id
Type: keyword
Level: Extended
Description: Unique identifier given by the source.
Example: c26dbea0-80d5-463b-b93c-4e8b708219ce
Indexed: true
email.message_id
Type: wildcard
Level: Extended
Description: Value from the Message-ID header.
Example: [email protected]
Indexed: true
email.origination_timestamp
Type: date
Level: Extended
Description: Date and time the email was composed.
Example: 2020-11-10T22:12:34.8196921Z
Indexed: true
email.reply_to.address
Type: keyword
Level: Extended
Description: Address replies should be delivered to.
Example: [email protected]
Normalization: array
Indexed: true
email.sender.address
Type: keyword
Level: Extended
Description: Address of the message sender.
Indexed: true
email.subject
Type: keyword
Level: Extended
Description: The subject of the email message.
Example: Please see this important message.
Indexed: true
email.subject.text
Type: match_only_text
Level: Extended
Description: The subject of the email message.
Example: Please see this important message.
Indexed: true
email.to.address
Type: keyword
Level: Extended
Description: Email address of recipient.
Example: [email protected]
Normalization: array
Indexed: true
email.x_mailer
Type: keyword
Level: Extended
Description: Application that drafted the email.
Example: Spambot v2.5
Indexed: true