Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Email Schema

Normalized Field Type Parser Field Description
resource_id string resourceId$ Full resource string identifying the record
tenant_id string tenantId$ The ID of the tenant that owns this specific to CTPX ID
sensor_type string sensorType$ Type of device that generated this event. Ex: redcloak, iSensor
sensor_event_id string sensorEventId$ Event ID of original_data assigned by the sensor
sensor_tenant string sensorTenant$ A customer ID supplied by the application that originated the data. Ex: redloak-domain, ctp-client-id
sensor_id string sensorId$ An ID for the data supplied by the application that originated it. Ex: redcloak-agent-id, iSensor Dev IP
sensor_cpe string sensorCpe$ CPE of the platform producing the alert. Ex: cpe:2.3:a:secureworks:redcloak::::::::
original_data string originalData$ Original, unadulterated data prior to any transformation.
event_time_usec uint64 eventTimeUsec$ Event time in microseconds (µs)
ingest_time_usec uint64 ingestTimeUsec$ Ingest time in microseconds (µs).
event_time_fidelity TimeFidelity eventTimeFidelity$ Specifies the original precision of the time used to populate event_time_usec
host_id string hostId$ Host ID -- uniquely identifies the host where the event originated. e.g. IPv(4/6) address; Device Mac Address
sensor_version string sensorVersion$ The agent version as string.
from_email_address repeated string fromEmailAddress$ Source Email Addresses (may be interesting if multiple are specified)
to_email_address repeated string toEmailAddress$ To Email Addresses
cc_email_address repeated string ccEmailAddress$ CC Email Addresses
bcc_email_address repeated string bccEmailAddress$ BCC Email Addresses
reply_to_email_address string replyToEmailAddress$ Email address to reply to
subject string subject$ Subject
message_size uint64 messageSize$ Message size in bytes
status Email.Status status$ Delivery status
direction Email.Direction direction$ Email direction
attachments AttachmentRecord repeated List of attachments and hashes in the email
vendor_spam_score int32 vendorSpamScore$ Spam Score provided by the vendor. Provides level of confidence in if its spam or not.
quarantine_reason string quarantineReason$ Reason for being quarantined. Ex: Virus, Malware, etc
threats ThreatRecord repeated All recorded threats detected
sender_ip string senderIp$ IP that sent the email
vendor_alert_url string vendorAlertUrl$ vendor_alert_url - documentation provided by the vendor about the overall alert
message_id string messageId$ Vendor-assigned ID of the email message. Note this may not be unique because several email events can be generated for a single email.
click_time_usec uint64 clickTimeUsec$ Time the user clicked on the URL.
event_type string eventType$ The event type provided by the email security source. Ex: 'Click Permitted'
event_metadata KeyValuePairsIndexed eventMetadata$ event_metadata can be provided by the data source to add context


Normalized Field Type Parser Field Description
file_name string fileName$ Filename of the attachment
file_hash FileHash fileHash$ File hashes associated with the attachment
file_size uint64 fileSize$ Size of the attachment
declared_content_type string declaredContentType$ the content type according to the email
detected_content_type string detectedContentType$ the content type as determined by analysis (interesting when different from declared type)
sandbox_status string sandboxStatus$ status of the attachment, e.g. "THREAT"


Record of threat that was detected in email attachment

Normalized Field Type Parser Field Description
fileinfo AttachmentRecord fileinfo$ General file information
classification string classification$ Threat specific
name string name$ Threat Name
vendor_threat_url string vendorThreatUrl$ URL provided by the vendor in the event that provides more information.
type string type$ Threat Type
additional_threat_data KeyValuePairsIndexed additionalThreatData$ Additional metadata of the threat Data in key-value pairs


Name Number Description
UNKNOWN 0 unused but required for proto3
INBOUND 1 Inbound Email
OUTBOUND 2 Outbound Email
INTERNAL 3 Internal email that does not cross the boundary on to the public internet


Types of delivery statuses

Name Number Description
UNKNOWN_STATUS 0 unused but required for proto3
DELIVERED 1 Delivered/Accepted
QUARANTINED 2 Quarantined/Held
BLOCKED 3 Blocked outright


On this page: