IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

› ›

Email Fields

edit

Email Fields

edit

Event details relating to an email transaction.

This field set focuses on the email message header, body, and attachments. Network protocols that send and receive email messages such as SMTP are outside the scope of the email.* fields.

Email Field Details

edit

Field	Description	Level
email.attachments	A list of objects describing the attachment files sent along with an email message. type: nested Note: this field should contain an array of values.	extended
email.attachments.file.extension	Attachment file extension, excluding the leading dot. type: keyword example: `txt`	extended
email.attachments.file.mime_type	The MIME media type of the attachment. This value will typically be extracted from the `Content-Type` MIME header field. type: keyword example: `text/plain`	extended
email.attachments.file.name	Name of the attachment file including the file extension. type: keyword example: `attachment.txt`	extended
email.attachments.file.size	Attachment file size in bytes. type: long example: `64329`	extended
email.bcc.address	The email address of BCC recipient type: keyword Note: this field should contain an array of values. example: `bcc.user1@example.com`	extended
email.cc.address	The email address of CC recipient type: keyword Note: this field should contain an array of values. example: `cc.user1@example.com`	extended
email.content_type	Information about how the message is to be displayed. Typically a MIME type. type: keyword example: `text/plain`	extended
email.delivery_timestamp	The date and time when the email message was received by the service or client. type: date example: `2020-11-10T22:12:34.8196921Z`	extended
email.direction	The direction of the message based on the sending and receiving domains. type: keyword example: `inbound`	extended
email.from.address	The email address of the sender, typically from the RFC 5322 `From:` header field. type: keyword Note: this field should contain an array of values. example: `sender@example.com`	extended
email.local_id	Unique identifier given to the email by the source that created the event. Identifier is not persistent across hops. type: keyword example: `c26dbea0-80d5-463b-b93c-4e8b708219ce`	extended
email.message_id	Identifier from the RFC 5322 `Message-ID:` email header that refers to a particular email message. type: wildcard example: `81ce15$8r2j59@mail01.example.com`	extended
email.origination_timestamp	The date and time the email message was composed. Many email clients will fill in this value automatically when the message is sent by a user. type: date example: `2020-11-10T22:12:34.8196921Z`	extended
email.reply_to.address	The address that replies should be delivered to based on the value in the RFC 5322 `Reply-To:` header. type: keyword Note: this field should contain an array of values. example: `reply.here@example.com`	extended
email.sender.address	Per RFC 5322, specifies the address responsible for the actual transmission of the message. type: keyword	extended
email.subject	A brief summary of the topic of the message. type: keyword Multi-fields: email.subject.text (type: match_only_text) example: `Please see this important message.`	extended
email.to.address	The email address of recipient type: keyword Note: this field should contain an array of values. example: `user1@example.com`	extended
email.x_mailer	The name of the application that was used to draft and send the original email message. type: keyword example: `Spambot v2.5`	extended

Field Reuse

edit

Field sets that can be nested under Email

edit

Location	Field Set	Description
`email.attachments.file.hash.*`	hash	Hashes, usually file hashes.

« ELF Header Fields Error Fields »