Email Schema🔗
Note
Schema docs show the fields available for normalization. For a schema field to be populated in XDR, its corresponding field defined in the parser must exist in the original data. Normalized data shows in the Normalized Data tab of events and is searchable in XDR only if the corresponding field exists in the original data. The Schema Library in Advanced Search shows only searchable fields.
| Normalized Field | Type | Parser Field | Description |
|---|---|---|---|
| resource_id | string | resourceId$ | Full resource string identifying the record |
| tenant_id | string | tenantId$ | The ID of the tenant that owns this specific to CTPX ID |
| sensor_type | string | sensorType$ | Type of device that generated this event. Ex: redcloak |
| sensor_event_id | string | sensorEventId$ | Event ID of original_data assigned by the sensor |
| sensor_tenant | string | sensorTenant$ | A customer ID supplied by the application that originated the data. Ex: redloak-domain, ctp-client-id |
| sensor_id | string | sensorId$ | An ID for the data supplied by the application that originated it. Ex: redcloak-agent-id |
| sensor_cpe | string | sensorCpe$ | CPE of the platform producing the alert. Example: cpe:2.3:a:secureworks:redcloak:*:*:*:*:*:*:* |
| original_data | string | originalData$ | Original, unadulterated data prior to any transformation. |
| event_time_usec | uint64 | eventTimeUsec$ | Event time in microseconds (µs) |
| ingest_time_usec | uint64 | ingestTimeUsec$ | Ingest time in microseconds (µs). |
| event_time_fidelity | TimeFidelity | eventTimeFidelity$ | Specifies the original precision of the time used to populate event_time_usec |
| host_id | string | hostId$ | Host ID -- uniquely identifies the host where the event originated. e.g. IPv(4/6) address; Device Mac Address |
| sensor_version | string | sensorVersion$ | The agent version as string. |
| from_email_address | repeated string | fromEmailAddress$ | Source Email Addresses (may be interesting if multiple are specified) |
| to_email_address | repeated string | toEmailAddress$ | To Email Addresses |
| cc_email_address | repeated string | ccEmailAddress$ | CC Email Addresses |
| bcc_email_address | repeated string | bccEmailAddress$ | BCC Email Addresses |
| reply_to_email_address | string | replyToEmailAddress$ | Email address to reply to |
| subject | string | subject$ | Subject |
| message_size | uint64 | messageSize$ | Message size in bytes |
| status | Email.Status | status$ | Delivery status |
| direction | Email.Direction | direction$ | Email direction |
| attachments | AttachmentRecord | repeated | List of attachments and hashes in the email |
| vendor_spam_score | int32 | vendorSpamScore$ | Spam Score provided by the vendor. Provides level of confidence in if its spam or not. |
| quarantine_reason | string | quarantineReason$ | Reason for being quarantined. Ex: Virus, Malware, etc |
| threats | ThreatRecord | repeated | All recorded threats detected |
| sender_ip | string | senderIp$ | IP that sent the email |
| vendor_alert_url | string | vendorAlertUrl$ | vendor_alert_url - documentation provided by the vendor about the overall alert |
| message_id | string | messageId$ | Vendor-assigned ID of the email message. Note this may not be unique because several email events can be generated for a single email. |
| click_time_usec | uint64 | clickTimeUsec$ | Time the user clicked on the URL. |
| event_type | string | eventType$ | The event type provided by the email security source. Ex: 'Click Permitted' |
| event_metadata | KeyValuePairsIndexed | eventMetadata$ | event_metadata can be provided by the data source to add context |
AttachmentRecord🔗
| Normalized Field | Type | Parser Field | Description |
|---|---|---|---|
| file_name | string | fileName$ | Filename of the attachment |
| file_hash | FileHash | fileHash$ | File hashes associated with the attachment |
| file_size | uint64 | fileSize$ | Size of the attachment |
| declared_content_type | string | declaredContentType$ | the content type according to the email |
| detected_content_type | string | detectedContentType$ | the content type as determined by analysis (interesting when different from declared type) |
| sandbox_status | string | sandboxStatus$ | status of the attachment, e.g. "THREAT" |
ThreatRecord🔗
Record of threat that was detected in email attachment
| Normalized Field | Type | Parser Field | Description |
|---|---|---|---|
| fileinfo | AttachmentRecord | fileinfo$ | General file information |
| classification | string | classification$ | Threat specific |
| name | string | name$ | Threat Name |
| vendor_threat_url | string | vendorThreatUrl$ | URL provided by the vendor in the event that provides more information. |
| type | string | type$ | Threat Type |
| additional_threat_data | KeyValuePairsIndexed | additionalThreatData$ | Additional metadata of the threat Data in key-value pairs |
Email.Direction🔗
| Name | Number | Description |
|---|---|---|
| UNKNOWN | 0 | unused but required for proto3 |
| INBOUND | 1 | Inbound Email |
| OUTBOUND | 2 | Outbound Email |
| INTERNAL | 3 | Internal email that does not cross the boundary on to the public internet |
Email.Status🔗
Types of delivery statuses
| Name | Number | Description |
|---|---|---|
| UNKNOWN_STATUS | 0 | unused but required for proto3 |
| DELIVERED | 1 | Delivered/Accepted |
| QUARANTINED | 2 | Quarantined/Held |
| BLOCKED | 3 | Blocked outright |