Email Delivery Activity
Email Delivery Activity is a searchable entity at the top of Query's UI.
email_delivery_activity (10104030)
Email Delivery events report the delivery status of emails.
Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0
Attributes
Caption | Name | Type | Is Array | Default | Description
---|---|---|---|---|---
Activity ID | activity_id | Integer | | | The normalized identifier of the activity that triggered the event.
Activity | activity_name | String | | | The event activity name, as defined by the activity_id.
Actor | actor | Actor | | | The actor object describes details about the user/role/process that was the source of the activity.
API Details | api | API | | | Describes details about a typical API (Application Programming Interface) call.
Attacks | attacks | MITRE ATT&CK® | Yes | | An array of attacks associated with an event.
Attempt | attempt | Integer | | | The delivery attempt. Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0
SMTP Banner | banner | String | | | The initial SMTP connection response that a messaging server receives after it connects to an email server. Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0
Category | category_name | String | | | The event category name, as defined by the category_uid value. Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0
Category ID | category_uid | Integer | | | The category unique identifier of the event.
Class | class_name | String | | | The event class name, as defined by the class_uid value. Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0
Class ID | class_uid | Integer | | | The unique identifier of a class. A class describes the attributes available in an event.
Cloud | cloud | Cloud | | | Describes details about the cloud environment where the event was originally created or logged.
Confidence | confidence | Integer | | | The confidence of the reported event severity as a percentage: 0%-100%. Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0
Connection Identifier | connection_uid | String | | | The network connection identifier. Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0
Count | count | Integer | | 1 | The number of times that events in the same logical group occurred during the event Start Time to End Time period.
Data | data | JSON | | | Additional data that is associated with the event. Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0
Device | device | Device | | | An addressable device, computer system or host.
Disposition | disposition | String | | | The event disposition name, as defined by the disposition_id.
Disposition ID | disposition_id | Integer | | | When security issues, such as malware or policy violations, are detected and possibly corrected, disposition_id describes the action taken by the security product.
DKIM Signature | dkim_signature | String | | | The DomainKeys Identified Mail (DKIM) signature used by the sending/receiving system. Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0
Duration | duration | Integer | | | The event duration or aggregate time: the amount of time the event covers from start_time to end_time, in milliseconds.
Email | email | Email | | | The email object. Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0
Email Authentication | email_auth | Email Authentication | | | The SPF, DKIM and DMARC attributes of an email. Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0
Email UID | email_uid | String | | | The unique identifier of the email, used to correlate related email alert and activity events. Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0
End Time | end_time | Timestamp | | | The end time of a time period, or the time of the most recent event included in the aggregate event.
Enrichments | enrichments | Enrichment | Yes | | Additional information from an external data source that is associated with the event. For example, adding location information for the IP address in the DNS answers: `[{"name": "answers.ip", "value": "92.24.47.250", "type": "location", "data": {"city": "Socotra", "continent": "Asia", "coordinates": [-25.4153, 17.0743], "country": "YE", "desc": "Yemen"}}]`
File | file | File | | | The email file attachment.
Malware | malware | Malware | Yes | | The list of malware identified by a finding.
Message | message | String | | | The description of the event, as defined by the event source.
Metadata | metadata | Metadata | | | The metadata associated with the event.
Observables | observables | Observable | Yes | | The observables associated with the event.
Raw Data | raw_data | JSON | | | The event data as received from the event source.
Sender Host Name | receiver_hostname | Hostname | | | The host name of the receiving email server. Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0
Sender IP Address | receiver_ip | IP Address | | | The IP address of the receiving email server, in either IPv4 or IPv6 format. Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0
Record ID | record_id | String | | | Unique identifier for the event.
Sender Host Name | sender_hostname | Hostname | | | The host name of the sending email server. Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0
Sender IP Address | sender_ip | IP Address | | | The IP address of the sending email server, in either IPv4 or IPv6 format. Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0
Severity | severity | String | | | The event severity, as defined by the event source.
Severity ID | severity_id | Integer | | | The normalized identifier of the event severity. The normalized severity is a measurement of the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.
Start Time | start_time | Timestamp | | | The start time of a time period, or the time of the least recent event included in the aggregate event.
Status | status | String | | | The event status, as reported by the event source.
Status Code | status_code | String | | | The event status code, as reported by the event source. For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.
Status Details | status_detail | String | | | The status details contain additional information about the event outcome.
Status ID | status_id | Integer | | | The normalized identifier of the event status.
Event Time | time | Timestamp | | | The normalized event occurrence time.
Timezone Offset | timezone_offset | Integer | | | The number of minutes that the reported event time is ahead of or behind UTC, in the range -1,080 to +1,080.
Type Name | type_name | String | | | The event type name, as defined by the type_uid.
Type ID | type_uid | Long | | | The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.
Unmapped Data | unmapped | Object | Yes | | The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.
URL | url | Uniform Resource Locator | | | The URL included in the email content.
References
Referenced By
Context
JSON
{
"description": "Email Delivery events report the delivery status of emails.",
"@deprecated": {
"since": "1.1.0",
"message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0"
},
"caption": "Email Delivery Activity",
"name": "email_delivery_activity",
"category": "network",
"uid": 30,
"extends": "base_event",
"attributes": {
"file": {
"description": "The email file attachment.",
"group": "primary",
"requirement": "required",
"caption": "File",
"type": "file"
},
"url": {
"description": "The URL included in the email content.",
"group": "primary",
"requirement": "required",
"caption": "URL",
"type": "url"
},
"status_detail": {
"group": "primary",
"caption": "Status Details",
"description": "The status details contains additional information about the event outcome.",
"type": "string_t",
"requirement": "recommended"
},
"activity_id": {
"enum": {
"1": {
"caption": "Delivered"
},
"2": {
"caption": "Failed"
},
"3": {
"caption": "Temporary Failure"
},
"0": {
"caption": "Unknown",
"description": "The event activity is unknown."
},
"99": {
"caption": "Other",
"description": "The event activity is not mapped. See the <code>activity_name</code> attribute, which contains a data source specific value."
}
},
"requirement": "required",
"caption": "Activity ID",
"description": "The normalized identifier of the activity that triggered the event.",
"sibling": "activity_name",
"type": "integer_t"
},
"duration": {
"caption": "Duration",
"description": "The event duration or aggregate time, the amount of time the event covers from <code>start_time</code> to <code>end_time</code> in milliseconds.",
"type": "integer_t",
"requirement": "optional"
},
"attacks": {
"requirement": "optional",
"caption": "Attacks",
"description": "An array of attacks associated with an event.",
"is_array": true,
"type": "attack"
},
"type_name": {
"requirement": "optional",
"caption": "Type Name",
"description": "The event type name, as defined by the type_uid.",
"type": "string_t"
},
"status_id": {
"group": "primary",
"requirement": "recommended",
"caption": "Status ID",
"description": "The normalized identifier of the event status.",
"enum": {
"0": {
"caption": "Unknown",
"description": "The status is unknown."
},
"1": {
"caption": "Success"
},
"2": {
"caption": "Failure"
},
"99": {
"caption": "Other",
"description": "The event status is not mapped. See the <code>status</code> attribute, which contains a data source specific value."
}
},
"sibling": "status",
"type": "integer_t"
},
"confidence": {
"group": "classification",
"requirement": "optional",
"caption": "Confidence",
"description": "The confidence of the reported event severity as a percentage: 0%-100%.",
"type": "integer_t",
"@deprecated": {
"since": "1.1.0",
"message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0"
}
},
"device": {
"group": "primary",
"requirement": "recommended",
"caption": "Device",
"description": "An addressable device, computer system or host.",
"type": "device"
},
"raw_data": {
"group": "context",
"caption": "Raw Data",
"description": "The event data as received from the event source.",
"type": "json_t",
"requirement": "optional"
},
"timezone_offset": {
"requirement": "recommended",
"caption": "Timezone Offset",
"description": "The number of minutes that the reported event <code>time</code> is ahead or behind UTC, in the range -1,080 to +1,080.",
"type": "integer_t"
},
"observables": {
"group": "primary",
"requirement": "optional",
"caption": "Observables",
"description": "The observables associated with the event.",
"is_array": true,
"type": "observable"
},
"severity_id": {
"group": "classification",
"requirement": "required",
"caption": "Severity ID",
"description": "The normalized identifier of the event severity.</p>The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.",
"enum": {
"0": {
"caption": "Unknown",
"description": "The event severity is not known."
},
"1": {
"caption": "Informational",
"description": "Informational message. No action required."
},
"2": {
"caption": "Low",
"description": "The user decides if action is needed."
},
"3": {
"caption": "Medium",
"description": "Action is required but the situation is not serious at this time."
},
"4": {
"caption": "High",
"description": "Action is required immediately."
},
"5": {
"caption": "Critical",
"description": "Action is required immediately and the scope is broad."
},
"6": {
"caption": "Fatal",
"description": "An error occurred but it is too late to take remedial action."
},
"99": {
"caption": "Other",
"description": "The event/finding severity is not mapped. See the <code>severity</code> attribute, which contains a data source specific value."
}
},
"sibling": "severity",
"type": "integer_t"
},
"severity": {
"group": "classification",
"requirement": "optional",
"caption": "Severity",
"description": "The event severity, as defined by the event source.",
"type": "string_t"
},
"message": {
"group": "primary",
"requirement": "recommended",
"caption": "Message",
"description": "The description of the event, as defined by the event source.",
"type": "string_t"
},
"end_time": {
"description": "The end time of a time period, or the time of the most recent event included in the aggregate event.",
"caption": "End Time",
"type": "timestamp_t",
"requirement": "optional"
},
"count": {
"caption": "Count",
"default": 1,
"description": "The number of times that events in the same logical group occurred during the event <strong>Start Time</strong> to <strong>End Time</strong> period.",
"type": "integer_t",
"requirement": "optional"
},
"disposition_id": {
"requirement": "required",
"caption": "Disposition ID",
"description": "When security issues, such as malware or policy violations, are detected and possibly corrected, then <code>disposition_id</code> describes the action taken by the security product.",
"enum": {
"0": {
"caption": "Unknown",
"description": "The disposition is unknown."
},
"1": {
"caption": "Blocked"
},
"2": {
"caption": "Allowed"
},
"3": {
"caption": "No Action"
},
"4": {
"caption": "Logged"
},
"5": {
"caption": "Command Script Run"
},
"6": {
"caption": "Corrected"
},
"7": {
"caption": "Partially Corrected"
},
"8": {
"caption": "Uncorrected"
},
"10": {
"description": "Requires reboot to finish the operation.",
"caption": "Delayed"
},
"11": {
"caption": "Detected"
},
"12": {
"caption": "Quarantined"
},
"13": {
"caption": "Restored"
},
"14": {
"description": "No longer suspicious (re-scored).",
"caption": "Exonerated"
},
"15": {
"description": "Marked with extended attributes.",
"caption": "Tagged"
},
"99": {
"caption": "Other",
"description": "The disposition is not mapped. See the <code>disposition</code> attribute, which contains a data source specific value."
}
},
"sibling": "disposition",
"type": "integer_t"
},
"cloud": {
"requirement": "required",
"caption": "Cloud",
"description": "Describes details about the Cloud enviroment where the event was originally created or logged.",
"type": "cloud",
"group": "primary"
},
"enrichments": {
"group": "context",
"caption": "Enrichments",
"description": "The additional information from an external data source, which is associated with the event. For example add location information for the IP address in the DNS answers:</p><code>[{\"name\": \"answers.ip\", \"value\": \"92.24.47.250\", \"type\": \"location\", \"data\": {\"city\": \"Socotra\", \"continent\": \"Asia\", \"coordinates\": [-25.4153, 17.0743], \"country\": \"YE\", \"desc\": \"Yemen\"}}]</code>",
"is_array": true,
"type": "enrichment",
"requirement": "optional"
},
"metadata": {
"group": "context",
"requirement": "required",
"caption": "Metadata",
"description": "The metadata associated with the event.",
"type": "metadata"
},
"data": {
"description": "Additional data that is associated with the event.",
"requirement": "optional",
"caption": "Data",
"type": "json_t",
"@deprecated": {
"since": "1.1.0",
"message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0"
}
},
"disposition": {
"requirement": "optional",
"caption": "Disposition",
"description": "The event disposition name, as defined by the disposition_id.",
"type": "string_t"
},
"time": {
"requirement": "required",
"caption": "Event Time",
"description": "The normalized event occurrence time.",
"type": "timestamp_t"
},
"record_id": {
"description": "Unique idenifier for the event",
"group": "primary",
"requirement": "required",
"caption": "Record ID",
"type": "string_t"
},
"activity_name": {
"requirement": "optional",
"caption": "Activity",
"description": "The event activity name, as defined by the activity_id.",
"type": "string_t"
},
"unmapped": {
"group": "context",
"caption": "Unmapped Data",
"description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
"type": "object",
"requirement": "optional",
"is_array": true
},
"actor": {
"group": "primary",
"requirement": "optional",
"caption": "Actor",
"description": "The actor object describes details about the user/role/process that was the source of the activity.",
"type": "actor"
},
"status_code": {
"group": "primary",
"caption": "Status Code",
"description": "The event status code, as reported by the event source.<br /><br />For example, in a Windows Failed Authentication event, this would be the value of 'Failure Code', e.g. 0x18.",
"type": "string_t",
"requirement": "recommended"
},
"start_time": {
"description": "The start time of a time period, or the time of the least recent event included in the aggregate event.",
"caption": "Start Time",
"type": "timestamp_t",
"requirement": "optional"
},
"status": {
"group": "primary",
"requirement": "optional",
"caption": "Status",
"description": "The event status, as reported by the event source.",
"type": "string_t"
},
"malware": {
"requirement": "recommended",
"caption": "Malware",
"description": "The list of malware identified by a finding.",
"is_array": true,
"type": "malware"
},
"category_uid": {
"type": "integer_t",
"enum": {
"4": {
"caption": "Network Activity",
"description": "Network Activity events."
}
},
"requirement": "required",
"caption": "Category ID",
"description": "The category unique identifier of the event.",
"sibling": "category_name"
},
"email_auth": {
"requirement": "recommended",
"group": "primary",
"caption": "Email Authentication",
"description": "The SPF, DKIM and DMARC attributes of an email.",
"type": "email_auth",
"@deprecated": {
"since": "1.1.0",
"message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0"
}
},
"sender_ip": {
"requirement": "optional",
"group": "context",
"caption": "Sender IP Address",
"description": "The IP address of the sending email server, in either IPv4 or IPv6 format.",
"type": "ip_t",
"@deprecated": {
"since": "1.1.0",
"message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0"
}
},
"receiver_ip": {
"requirement": "optional",
"group": "context",
"caption": "Sender IP Address",
"description": "The IP address of the receiving email server, in either IPv4 or IPv6 format.",
"type": "ip_t",
"@deprecated": {
"since": "1.1.0",
"message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0"
}
},
"receiver_hostname": {
"requirement": "optional",
"group": "context",
"caption": "Sender Host Name",
"description": "The host name of the receiving email server.",
"type": "hostname_t",
"@deprecated": {
"since": "1.1.0",
"message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0"
}
},
"dkim_signature": {
"requirement": "recommended",
"group": "context",
"caption": "DKIM Signature",
"description": "The DomainKeys Identified Mail (DKIM) signature used by the sending/receiving system.",
"type": "string_t",
"@deprecated": {
"since": "1.1.0",
"message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0"
}
},
"category_name": {
"requirement": "optional",
"caption": "Category",
"description": "The event category name, as defined by category_uid value.",
"type": "string_t",
"@deprecated": {
"since": "1.1.0",
"message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0"
}
},
"attempt": {
"requirement": "recommended",
"group": "context",
"caption": "Attempt",
"description": "The delivery attempt.",
"type": "integer_t",
"@deprecated": {
"since": "1.1.0",
"message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0"
}
},
"connection_uid": {
"requirement": "optional",
"group": "context",
"caption": "Connection Identifier",
"description": "The network connection identifier.",
"type": "string_t",
"@deprecated": {
"since": "1.1.0",
"message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0"
}
},
"sender_hostname": {
"requirement": "optional",
"group": "context",
"caption": "Sender Host Name",
"description": "The host name of the sending email server.",
"type": "hostname_t",
"@deprecated": {
"since": "1.1.0",
"message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0"
}
},
"email_uid": {
"requirement": "recommended",
"group": "primary",
"caption": "Email UID",
"description": "The unique identifier of the email, used to correlate related email alert and activity events.",
"type": "string_t",
"@deprecated": {
"since": "1.1.0",
"message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0"
}
},
"class_name": {
"requirement": "optional",
"caption": "Class",
"description": "The event class name, as defined by class_uid value.",
"type": "string_t",
"@deprecated": {
"since": "1.1.0",
"message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0"
}
},
"banner": {
"requirement": "optional",
"group": "context",
"caption": "SMTP Banner",
"description": "The initial SMTP connection response that a messaging server receives after it connects to a email server.",
"type": "string_t",
"@deprecated": {
"since": "1.1.0",
"message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0"
}
},
"email": {
"requirement": "required",
"group": "primary",
"caption": "Email",
"description": "The email object.",
"type": "email",
"@deprecated": {
"since": "1.1.0",
"message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0"
}
},
"class_uid": {
"enum": {
"10104030": {
"caption": "Email Delivery Activity",
"description": "Email Delivery events report the delivery status of emails."
}
},
"requirement": "required",
"caption": "Class ID",
"description": "The unique identifier of a class. A class describes the attributes available in an event.",
"sibling": "class_name",
"type": "integer_t"
},
"type_uid": {
"requirement": "required",
"caption": "Type ID",
"description": "The event/finding type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: <code>class_uid * 100 + activity_id</code>.",
"sibling": "type_name",
"type": "long_t",
"enum": {
"1010403001": {
"caption": "Email Delivery Activity: Delivered"
},
"1010403002": {
"caption": "Email Delivery Activity: Failed"
},
"1010403003": {
"caption": "Email Delivery Activity: Temporary Failure"
},
"1010403000": {
"caption": "Email Delivery Activity: Unknown"
},
"1010403099": {
"caption": "Email Delivery Activity: Other"
}
}
},
"api": {
"requirement": "optional",
"group": "context",
"caption": "API Details",
"description": "Describes details about a typical API (Application Programming Interface) call.",
"type": "api"
}
},
"profiles": [
"host",
"malware"
],
"associations": {
"device": [
"actor.user"
],
"actor.user": [
"device"
]
},
"extension": "query"
}