Email Fields

Event details relating to an email transaction.

This field set focuses on the email message header, body, and attachments. Network protocols that send and receive email messages such as SMTP are outside the scope of the email.* fields.

Email Field Details

Field | Description | Level

email.attachments
  A list of objects describing the attachment files sent along with an email message.
  type: nested
  Note: this field should contain an array of values.
  level: extended

email.attachments.file.extension
  Attachment file extension, excluding the leading dot.
  type: keyword
  example: txt
  level: extended

email.attachments.file.mime_type
  The MIME media type of the attachment.
  This value will typically be extracted from the Content-Type MIME header field.
  type: keyword
  example: text/plain
  level: extended

email.attachments.file.name
  Name of the attachment file, including the file extension.
  type: keyword
  example: attachment.txt
  level: extended

email.attachments.file.size
  Attachment file size in bytes.
  type: long
  example: 64329
  level: extended

email.bcc.address
  The email address of the BCC recipient.
  type: keyword
  Note: this field should contain an array of values.
  example: bcc.user1@example.com
  level: extended

email.cc.address
  The email address of the CC recipient.
  type: keyword
  Note: this field should contain an array of values.
  example: cc.user1@example.com
  level: extended

email.content_type
  Information about how the message is to be displayed.
  Typically a MIME type.
  type: keyword
  example: text/plain
  level: extended

email.delivery_timestamp
  The date and time when the email message was received by the service or client.
  type: date
  example: 2020-11-10T22:12:34.8196921Z
  level: extended

email.direction
  The direction of the message based on the sending and receiving domains.
  type: keyword
  example: inbound
  level: extended

email.from.address
  The email address of the sender, typically from the RFC 5322 From: header field.
  type: keyword
  Note: this field should contain an array of values.
  example: sender@example.com
  level: extended

email.local_id
  Unique identifier given to the email by the source that created the event.
  The identifier is not persistent across hops.
  type: keyword
  example: c26dbea0-80d5-463b-b93c-4e8b708219ce
  level: extended

email.message_id
  Identifier from the RFC 5322 Message-ID: email header that refers to a particular email message.
  type: wildcard
  example: 81ce15$8r2j59@mail01.example.com
  level: extended

email.origination_timestamp
  The date and time the email message was composed. Many email clients will fill in this value automatically when the message is sent by a user.
  type: date
  example: 2020-11-10T22:12:34.8196921Z
  level: extended

email.reply_to.address
  The address that replies should be delivered to, based on the value in the RFC 5322 Reply-To: header.
  type: keyword
  Note: this field should contain an array of values.
  example: reply.here@example.com
  level: extended

email.sender.address
  Per RFC 5322, specifies the address responsible for the actual transmission of the message.
  type: keyword
  level: extended

email.subject
  A brief summary of the topic of the message.
  type: keyword
  Multi-fields:
    • email.subject.text (type: match_only_text)
  example: Please see this important message.
  level: extended

email.to.address
  The email address of the recipient.
  type: keyword
  Note: this field should contain an array of values.
  example: user1@example.com
  level: extended

email.x_mailer
  The name of the application that was used to draft and send the original email message.
  type: keyword
  example: Spambot v2.5
  level: extended
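The field list above describes the shape of an ECS email document but not how one is built from a message on the wire. The following is an added example, not code from this page or from the Elastic ECS project: it parses a constructed RFC 5322 message with Python's standard `email` package and emits the `email.*` fields listed above (sender and recipient arrays, stripped Message-ID, UTC timestamps, the top-level Content-Type, and one nested `email.attachments` object per attachment). Everything not on the page is an assumption: the sample message and the internal-domain list are constructed here; `email.attachments.file.hash.sha256` is used as the reused hash field (the page only says hash.* can be nested there); and the `email.direction` values other than `inbound` (`outbound`, `internal`, `external`, `unknown`) are assumed.

```python
"""Map an RFC 5322 message onto ECS email.* fields (added example, not ECS project code)."""
import email
import hashlib
from datetime import timezone
from email import policy
from email.utils import getaddresses, parsedate_to_datetime

# Constructed sample message (not captured from any real system). Subject, Message-ID,
# X-Mailer and the attachment name deliberately reuse the example values from the field list.
RAW_MESSAGE = b"""Received: from mx.external-example.net by mail01.example.com; Tue, 10 Nov 2020 22:12:40 +0000
From: Sender <sender@external-example.net>
Sender: bounces@external-example.net
To: user1@example.com, User Two <user2@example.com>
Cc: cc.user1@example.com
Reply-To: reply.here@example.com
Subject: Please see this important message.
Date: Tue, 10 Nov 2020 22:12:34 +0000
Message-ID: <81ce15$8r2j59@mail01.example.com>
X-Mailer: Spambot v2.5
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Hello, see the attached file.
--b1
Content-Type: text/plain; name="attachment.txt"
Content-Disposition: attachment; filename="attachment.txt"
Content-Transfer-Encoding: base64

aGVsbG8gd29ybGQK
--b1--
"""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _addresses(msg, header):
    """Bare addresses from a header that may repeat or carry a list; ECS wants an array."""
    raw = [str(v) for v in msg.get_all(header, [])]
    return [addr for _name, addr in getaddresses(raw) if addr]


def _iso_utc(value):
    """RFC 5322 date-time -> ISO 8601 in UTC, the form the ECS date examples use."""
    if not value:
        return None
    dt = parsedate_to_datetime(str(value).strip())
    if dt.tzinfo is None:  # "-0000" dates come back naive; treat them as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc).isoformat().replace("+00:00", "Z")


def classify_direction(senders, recipients, internal_domains):
    """email.direction from the sending and receiving domains. "inbound" is the page's
    example value; "outbound", "internal", "external" and "unknown" are assumed here."""
    internal = {d.lower() for d in internal_domains}

    def is_internal(addr):
        return addr.rsplit("@", 1)[-1].lower() in internal

    if not senders or not recipients:
        return "unknown"
    src, dst = any(map(is_internal, senders)), any(map(is_internal, recipients))
    if src and dst:
        return "internal"
    if src:
        return "outbound"
    return "inbound" if dst else "external"


def _prune(obj):
    """Drop None/empty values so the document only carries populated ECS fields."""
    if isinstance(obj, dict):
        pruned = {k: _prune(v) for k, v in obj.items()}
        return {k: v for k, v in pruned.items() if v not in (None, "", [], {})}
    return obj


def to_ecs_email(raw, internal_domains, local_id=None):
    msg = email.message_from_bytes(raw, policy=policy.default)
    senders, to = _addresses(msg, "From"), _addresses(msg, "To")
    cc, bcc = _addresses(msg, "Cc"), _addresses(msg, "Bcc")

    attachments = []
    for part in msg.iter_attachments():  # skips the body part, yields attachment parts
        payload = part.get_payload(decode=True) or b""  # transfer-decoded bytes
        name = part.get_filename() or ""
        attachments.append({"file": {
            "name": name,
            "extension": name.rsplit(".", 1)[1] if "." in name else "",  # no leading dot
            "mime_type": part.get_content_type(),
            "size": len(payload),
            "hash": {"sha256": sha256_hex(payload)},  # assumed reuse of hash.sha256
        }})

    # Delivery time: the date stamp after ';' in the topmost Received header (last hop).
    received = msg.get("Received")
    doc = {
        "attachments": attachments,
        "bcc": {"address": bcc},
        "cc": {"address": cc},
        "content_type": msg.get_content_type(),
        "delivery_timestamp": _iso_utc(str(received).rsplit(";", 1)[-1]) if received else None,
        "direction": classify_direction(senders, to + cc + bcc, internal_domains),
        "from": {"address": senders},
        "local_id": local_id,
        "message_id": str(msg.get("Message-ID", "")).strip().strip("<>"),
        "origination_timestamp": _iso_utc(msg.get("Date")),
        "reply_to": {"address": _addresses(msg, "Reply-To")},
        "sender": {"address": (_addresses(msg, "Sender") or [None])[0]},  # single value
        "subject": str(msg.get("Subject", "")),
        "to": {"address": to},
        "x_mailer": str(msg.get("X-Mailer", "")),
    }
    return {"email": _prune(doc)}


if __name__ == "__main__":
    import json
    print(json.dumps(to_ecs_email(RAW_MESSAGE, {"example.com"},
                                  local_id="c26dbea0-80d5-463b-b93c-4e8b708219ce"), indent=2))
```

Two design points worth noting: address fields that the list marks "should contain an array of values" are always emitted as lists, even with one entry, so index mappings stay consistent across events; and `email.sender.address` is emitted as a single value because the list gives it no array note. The attachment hash is computed on the transfer-decoded bytes, which is what a file hash lookup would expect, not on the base64 text as it appears in the message.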

Field Reuse

Field sets that can be nested under Email

Location | Field Set | Description

email.attachments.file.hash.*
  field set: hash
  Hashes, usually file hashes.