Skip to content

Email Schema🔗

Note

Schema docs show the fields available for normalization. For a schema field to be populated in XDR, its corresponding field defined in the parser must exist in the original data. Normalized data shows in the Normalized Data tab of events and is searchable in XDR only if the corresponding field exists in the original data. The Schema Library in Data Lake Search shows only searchable fields.

Normalized Field Type Parser Field Description
resource_id string resourceId$ Full resource string identifying the record
tenant_id string tenantId$ The ID of the tenant that owns this specific to CTPX ID
sensor_type string sensorType$ Type of device that generated this event. Ex: redcloak
sensor_event_id string sensorEventId$ Event ID of original_data assigned by the sensor
sensor_tenant string sensorTenant$ A customer ID supplied by the application that originated the data. Ex: redloak-domain, ctp-client-id
sensor_id string sensorId$ An ID for the data supplied by the application that originated it. Ex: redcloak-agent-id
sensor_cpe string sensorCpe$ CPE of the platform producing the alert.
Example: cpe:2.3:a:secureworks:redcloak:*:*:*:*:*:*:*
original_data string originalData$ Original, unadulterated data prior to any transformation.
event_time_usec uint64 eventTimeUsec$ Event time in microseconds (µs)
ingest_time_usec uint64 ingestTimeUsec$ Ingest time in microseconds (µs).
event_time_fidelity TimeFidelity eventTimeFidelity$ Specifies the original precision of the time used to populate event_time_usec
host_id string hostId$ Host ID -- uniquely identifies the host where the event originated. e.g. IPv(4/6) address; Device Mac Address
sensor_version string sensorVersion$ The agent version as string.
from_email_address repeated string fromEmailAddress$ Source Email Addresses (may be interesting if multiple are specified)
to_email_address repeated string toEmailAddress$ To Email Addresses
cc_email_address repeated string ccEmailAddress$ CC Email Addresses
bcc_email_address repeated string bccEmailAddress$ BCC Email Addresses
reply_to_email_address string replyToEmailAddress$ Email address to reply to
subject string subject$ Subject
message_size uint64 messageSize$ Message size in bytes
status Email.Status status$ Delivery status
direction Email.Direction direction$ Email direction
attachments AttachmentRecord repeated List of attachments and hashes in the email
vendor_spam_score int32 vendorSpamScore$ Spam Score provided by the vendor. Provides level of confidence in if its spam or not.
quarantine_reason string quarantineReason$ Reason for being quarantined. Ex: Virus, Malware, etc
threats ThreatRecord repeated All recorded threats detected
sender_ip string senderIp$ IP that sent the email
vendor_alert_url string vendorAlertUrl$ vendor_alert_url - documentation provided by the vendor about the overall alert
message_id string messageId$ Vendor-assigned ID of the email message. Note this may not be unique because several email events can be generated for a single email.
click_time_usec uint64 clickTimeUsec$ Time the user clicked on the URL.
event_type string eventType$ The event type provided by the email security source. Ex: 'Click Permitted'
event_metadata KeyValuePairsIndexed eventMetadata$ event_metadata can be provided by the data source to add context

Fields under vendor_alert_details on the Email record:

Normalized Field Type Parser Field Description
vendor_alert_details.is_custom_alert NullableBoolean vendorAlertDetails$.isCustomAlert$ True when the detection reflects customer or tenant logic: wholly custom rules or indicators, or vendor-supplied templates, content packs, or building blocks that the tenant instantiated or materially configured (for example policies, named rule instances, thresholds, or scope).
False when the alert is produced solely by vendor-default, uniformly deployed detection without meaningful per-tenant logic.
Unknown when provenance cannot be determined from the source.

Note

When is_custom_alert is true:

  • Detection severity is not altered.
  • The detections produced by these events bypass the MDR service queue and are delivered directly to the tenant as custom detections for self-service, because they fall outside the Taegis MDR service scope.

AttachmentRecord🔗

Normalized Field Type Parser Field Description
file_name string fileName$ Filename of the attachment
file_hash FileHash fileHash$ File hashes associated with the attachment
file_size uint64 fileSize$ Size of the attachment
declared_content_type string declaredContentType$ the content type according to the email
detected_content_type string detectedContentType$ the content type as determined by analysis (interesting when different from declared type)
sandbox_status string sandboxStatus$ status of the attachment, e.g. "THREAT"

ThreatRecord🔗

Record of threat that was detected in email attachment

Normalized Field Type Parser Field Description
fileinfo AttachmentRecord fileinfo$ General file information
classification string classification$ Threat specific
name string name$ Threat Name
vendor_threat_url string vendorThreatUrl$ URL provided by the vendor in the event that provides more information.
type string type$ Threat Type
additional_threat_data KeyValuePairsIndexed additionalThreatData$ Additional metadata of the threat Data in key-value pairs

Email.Direction🔗

Name Number Description
UNKNOWN 0 unused but required for proto3
INBOUND 1 Inbound Email
OUTBOUND 2 Outbound Email
INTERNAL 3 Internal email that does not cross the boundary on to the public internet

Email.Status🔗

Types of delivery statuses

Name Number Description
UNKNOWN_STATUS 0 unused but required for proto3
DELIVERED 1 Delivered/Accepted
QUARANTINED 2 Quarantined/Held
BLOCKED 3 Blocked outright