Email

email

The Email object describes the email metadata such as sender, recipients, and direction.

Attributes

| Caption | Name | Type | Is Array | Default | Description |
|---|---|---|---|---|---|
| Cc | cc | Email Address | Yes | | The email header Cc values, as defined by RFC 5322. |
| Data Classification | data_classification | Data Classification | | | The Data Classification object includes information about data classification levels and data category types. |
| Delivered To | delivered_to | Email Address | | | The Delivered-To email header field. |
| Direction | direction | String | | | The direction of the email, as defined by the direction_id value. Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0 |
| Direction ID | direction_id | Integer | | | The direction of the email relative to the scanning host or organization. Email scanned at an internet gateway might be characterized as inbound to the organization from the Internet, outbound from the organization to the Internet, or internal within the organization. Email scanned at a workstation might be characterized as inbound to, or outbound from, the workstation. Values: -1 Other; 0 Unknown; 1 Inbound; 2 Outbound; 3 Internal; 99 Other. Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0 |
| From | from | Email Address | | | The email header From values, as defined by RFC 5322. |
| Message UID | message_uid | String | | | The email header Message-Id value, as defined by RFC 5322. |
| Raw Data | raw_data | JSON | | | The event data as received from the event source. |
| Raw Header | raw_header | String | | | The email authentication header. |
| Recipient Users | recipient_users | User | Yes | | The users receiving the email. |
| Record ID | record_id | String | | | Unique identifier for the object. |
| Reply To | reply_to | Email Address | | | The email header Reply-To values, as defined by RFC 5322. |
| Sender Users | sender_users | User | | | The user who sent the email. |
| Size | size | Long | | | The size in bytes of the email, including attachments. |
| SMTP From | smtp_from | Email Address | | | The value of the SMTP MAIL FROM command. |
| SMTP Hello | smtp_hello | String | | | The value of the SMTP HELO or EHLO command. Deprecated since 1.1.0: Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0 |
| SMTP To | smtp_to | Email Address | Yes | | The value of the SMTP envelope RCPT TO command. |
| Subject | subject | String | | | The email header Subject value, as defined by RFC 5322. |
| To | to | Email Address | Yes | | The email header To values, as defined by RFC 5322. |
| Email UID | uid | String | | | The email unique identifier. |
| Unmapped Data | unmapped | Unmapped | Yes | | The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source. |
| X-Originating-IP | x_originating_ip | IP Address | Yes | | The X-Originating-IP header identifying the email's originating IP address(es). |

Context

Email

JSON

            
{
  "caption": "Email",
  "description": "The Email object describes the email metadata such as sender, recipients, and direction.",
  "name": "email",
  "extends": [
    null,
    "email"
  ],
  "observable": 22,
  "profiles": [
    "data_classification"
  ],
  "attributes": {
    "$include": [
      "profiles/data_classification.json"
    ],
    "cc": {
      "requirement": "optional",
      "caption": "Cc",
      "description": "The email header Cc values, as defined by RFC 5322.",
      "is_array": true,
      "type": "email_t"
    },
    "delivered_to": {
      "requirement": "optional",
      "caption": "Delivered To",
      "description": "The <strong>Delivered-To</strong> email header field.",
      "type": "email_t"
    },
    "from": {
      "requirement": "required",
      "caption": "From",
      "description": "The email header From values, as defined by RFC 5322.",
      "type": "email_t"
    },
    "message_uid": {
      "requirement": "recommended",
      "caption": "Message UID",
      "description": "The email header Message-Id value, as defined by RFC 5322.",
      "type": "string_t"
    },
    "raw_header": {
      "requirement": "optional",
      "caption": "Raw Header",
      "description": "The email authentication header.",
      "type": "string_t"
    },
    "reply_to": {
      "requirement": "recommended",
      "caption": "Reply To",
      "description": "The email header Reply-To values, as defined by RFC 5322.",
      "type": "email_t"
    },
    "size": {
      "description": "The size in bytes of the email, including attachments.",
      "requirement": "recommended",
      "caption": "Size",
      "type": "long_t"
    },
    "smtp_from": {
      "requirement": "recommended",
      "caption": "SMTP From",
      "description": "The value of the SMTP MAIL FROM command.",
      "type": "email_t"
    },
    "smtp_to": {
      "requirement": "recommended",
      "caption": "SMTP To",
      "description": "The value of the SMTP envelope RCPT TO command.",
      "is_array": true,
      "type": "email_t"
    },
    "subject": {
      "caption": "Subject",
      "description": "The email header Subject value, as defined by RFC 5322.",
      "type": "string_t",
      "requirement": "required"
    },
    "to": {
      "requirement": "required",
      "caption": "To",
      "description": "The email header To values, as defined by RFC 5322.",
      "is_array": true,
      "type": "email_t"
    },
    "x_originating_ip": {
      "requirement": "optional",
      "caption": "X-Originating-IP",
      "description": "The X-Originating-IP header identifying the emails originating IP address(es).",
      "is_array": true,
      "type": "ip_t"
    },
    "uid": {
      "caption": "Email UID",
      "description": "The email unique identifier.",
      "requirement": "recommended",
      "type": "string_t"
    },
    "data_classification": {
      "group": "context",
      "requirement": "recommended",
      "caption": "Data Classification",
      "description": "The Data Classification object includes information about data classification levels and data category types.",
      "type": "data_classification"
    },
    "raw_data": {
      "group": "context",
      "caption": "Raw Data",
      "description": "The event data as received from the event source.",
      "type": "json_t"
    },
    "record_id": {
      "description": "Unique identifier for the object",
      "group": "primary",
      "requirement": "required",
      "caption": "Record ID",
      "type": "string_t"
    },
    "unmapped": {
      "caption": "Unmapped Data",
      "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
      "type": "unmapped",
      "is_array": true
    },
    "direction": {
      "description": "The direction of the email, as defined by the <code>direction_id</code> value.",
      "requirement": "optional",
      "caption": "Direction",
      "type": "string_t",
      "@deprecated": {
        "since": "1.1.0",
        "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0"
      }
    },
    "direction_id": {
      "description": "The direction of the email relative to the scanning host or organization.</p>Email scanned at an internet gateway might be characterized as inbound to the organization from the Internet, outbound from the organization to the Internet, or internal within the organization. Email scanned at a workstation might be characterized as inbound to, or outbound from the workstation.",
      "enum": {
        "-1": {
          "caption": "Other"
        },
        "0": {
          "caption": "Unknown",
          "description": "The email direction is unknown."
        },
        "1": {
          "caption": "Inbound",
          "description": "Email Inbound, from the Internet or outside network destined for an entity inside network."
        },
        "2": {
          "caption": "Outbound",
          "description": "Email Outbound, from inside the network destined for an entity outside network."
        },
        "3": {
          "caption": "Internal",
          "description": "Email Internal, from inside the network destined for an entity inside network."
        },
        "99": {
          "caption": "Other",
          "description": "The direction is not mapped. See the <code>direction</code> attribute, which contains a data source specific value."
        }
      },
      "requirement": "required",
      "caption": "Direction ID",
      "sibling": "direction",
      "type": "integer_t",
      "@deprecated": {
        "since": "1.1.0",
        "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0"
      }
    },
    "smtp_hello": {
      "requirement": "recommended",
      "caption": "SMTP Hello",
      "description": "The value of the SMTP HELO or EHLO command.",
      "type": "string_t",
      "@deprecated": {
        "since": "1.1.0",
        "message": "Deprecated in upgrade from ocsf-0.31.1 to qdm-1.1.0"
      }
    },
    "recipient_users": {
      "requirement": "optional",
      "caption": "Recipient Users",
      "description": "The users receiving the email",
      "is_array": true,
      "type": "user"
    },
    "sender_users": {
      "requirement": "optional",
      "caption": "Sender Users",
      "description": "The user who sent the email",
      "type": "user"
    }
  }
}