Email Schema
| Normalized Field |
Type |
Parser Field |
Description |
| resource_id |
string |
resourceId$ |
Full resource string identifying the record |
| tenant_id |
string |
tenantId$ |
The ID of the tenant that owns this specific to CTPX ID |
| sensor_type |
string |
sensorType$ |
Type of device that generated this event. Ex: redcloak, iSensor |
| sensor_event_id |
string |
sensorEventId$ |
Event ID of original_data assigned by the sensor |
| sensor_tenant |
string |
sensorTenant$ |
A customer ID supplied by the application that originated the data. Ex: redloak-domain, ctp-client-id |
| sensor_id |
string |
sensorId$ |
An ID for the data supplied by the application that originated it. Ex: redcloak-agent-id, iSensor Dev IP |
| sensor_cpe |
string |
sensorCpe$ |
CPE of the platform producing the alert. Ex: cpe:2.3:a:secureworks:redcloak:::::::: |
| original_data |
string |
originalData$ |
Original, unadulterated data prior to any transformation. |
| event_time_usec |
uint64 |
eventTimeUsec$ |
Event time in microseconds (µs) |
| ingest_time_usec |
uint64 |
ingestTimeUsec$ |
Ingest time in microseconds (µs). |
| event_time_fidelity |
TimeFidelity |
eventTimeFidelity$ |
Specifies the original precision of the time used to populate event_time_usec |
| host_id |
string |
hostId$ |
Host ID -- uniquely identifies the host where the event originated. e.g. IPv(4/6) address; Device Mac Address |
| sensor_version |
string |
sensorVersion$ |
The agent version as string. |
| from_email_address |
repeated string |
fromEmailAddress$ |
Source Email Addresses (may be interesting if multiple are specified) |
| to_email_address |
repeated string |
toEmailAddress$ |
To Email Addresses |
| cc_email_address |
repeated string |
ccEmailAddress$ |
CC Email Addresses |
| bcc_email_address |
repeated string |
bccEmailAddress$ |
BCC Email Addresses |
| reply_to_email_address |
string |
replyToEmailAddress$ |
Email address to reply to |
| subject |
string |
subject$ |
Subject |
| message_size |
uint64 |
messageSize$ |
Message size in bytes |
| status |
Email.Status |
status$ |
Delivery status |
| direction |
Email.Direction |
direction$ |
Email direction |
| attachments |
AttachmentRecord |
repeated |
List of attachments and hashes in the email |
| vendor_spam_score |
int32 |
vendorSpamScore$ |
Spam Score provided by the vendor. Provides level of confidence in if its spam or not. |
| quarantine_reason |
string |
quarantineReason$ |
Reason for being quarantined. Ex: Virus, Malware, etc |
| threats |
ThreatRecord |
repeated |
All recorded threats detected |
| sender_ip |
string |
senderIp$ |
IP that sent the email |
| vendor_alert_url |
string |
vendorAlertUrl$ |
vendor_alert_url - documentation provided by the vendor about the overall alert |
| message_id |
string |
messageId$ |
Vendor-assigned ID of the email message. Note this may not be unique because several email events can be generated for a single email. |
| click_time_usec |
uint64 |
clickTimeUsec$ |
Time the user clicked on the URL. |
| event_type |
string |
eventType$ |
The event type provided by the email security source. Ex: 'Click Permitted' |
| event_metadata |
KeyValuePairsIndexed |
eventMetadata$ |
event_metadata can be provided by the data source to add context |
AttachmentRecord
| Normalized Field |
Type |
Parser Field |
Description |
| file_name |
string |
fileName$ |
Filename of the attachment |
| file_hash |
FileHash |
fileHash$ |
File hashes associated with the attachment |
| file_size |
uint64 |
fileSize$ |
Size of the attachment |
| declared_content_type |
string |
declaredContentType$ |
the content type according to the email |
| detected_content_type |
string |
detectedContentType$ |
the content type as determined by analysis (interesting when different from declared type) |
| sandbox_status |
string |
sandboxStatus$ |
status of the attachment, e.g. "THREAT" |
ThreatRecord
Record of threat that was detected in email attachment
| Normalized Field |
Type |
Parser Field |
Description |
| fileinfo |
AttachmentRecord |
fileinfo$ |
General file information |
| classification |
string |
classification$ |
Threat specific |
| name |
string |
name$ |
Threat Name |
| vendor_threat_url |
string |
vendorThreatUrl$ |
URL provided by the vendor in the event that provides more information. |
| type |
string |
type$ |
Threat Type |
| additional_threat_data |
KeyValuePairsIndexed |
additionalThreatData$ |
Additional metadata of the threat Data in key-value pairs |
Email.Direction
| Name |
Number |
Description |
| UNKNOWN |
0 |
unused but required for proto3 |
| INBOUND |
1 |
Inbound Email |
| OUTBOUND |
2 |
Outbound Email |
| INTERNAL |
3 |
Internal email that does not cross the boundary on to the public internet |
Email.Status
Types of delivery statuses
| Name |
Number |
Description |
| UNKNOWN_STATUS |
0 |
unused but required for proto3 |
| DELIVERED |
1 |
Delivered/Accepted |
| QUARANTINED |
2 |
Quarantined/Held |
| BLOCKED |
3 |
Blocked outright |
