| Normalized Field | Type | Parser Field | Description |
|---|---|---|---|
| resource_id | string | resourceId$ | Full resource string identifying the record |
| tenant_id | string | tenantId$ | The ID of the tenant that owns this record (specific to the CTPX ID) |
| sensor_type | string | sensorType$ | Type of device that generated this event. Ex: redcloak |
| sensor_event_id | string | sensorEventId$ | Event ID of original_data assigned by the sensor |
| sensor_tenant | string | sensorTenant$ | A customer ID supplied by the application that originated the data. Ex: redcloak-domain, ctp-client-id |
| sensor_id | string | sensorId$ | An ID for the data supplied by the application that originated it. Ex: redcloak-agent-id |
| sensor_cpe | string | sensorCpe$ | CPE of the platform producing the alert. Ex: cpe:2.3:a:secureworks:redcloak:::::::: |
| original_data | string | originalData$ | Original, unadulterated data prior to any transformation |
| event_time_usec | uint64 | eventTimeUsec$ | Event time in microseconds (µs) |
| ingest_time_usec | uint64 | ingestTimeUsec$ | Ingest time in microseconds (µs) |
| event_time_fidelity | TimeFidelity | eventTimeFidelity$ | Specifies the original precision of the time used to populate event_time_usec |
| host_id | string | hostId$ | Host ID; uniquely identifies the host where the event originated, e.g. an IPv4/IPv6 address or device MAC address |
| sensor_version | string | sensorVersion$ | The agent version as a string |
| from_email_address | repeated string | fromEmailAddress$ | Source email addresses (may be interesting if multiple are specified) |
| to_email_address | repeated string | toEmailAddress$ | To email addresses |
| cc_email_address | repeated string | ccEmailAddress$ | CC email addresses |
| bcc_email_address | repeated string | bccEmailAddress$ | BCC email addresses |
| reply_to_email_address | string | replyToEmailAddress$ | Email address to reply to |
| subject | string | subject$ | Subject |
| message_size | uint64 | messageSize$ | Message size in bytes |
| status | Email.Status | status$ | Delivery status |
| direction | Email.Direction | direction$ | Email direction |
| attachments | repeated AttachmentRecord | | List of attachments and hashes in the email |
| vendor_spam_score | int32 | vendorSpamScore$ | Spam score provided by the vendor; indicates the vendor's level of confidence that the message is spam |
| quarantine_reason | string | quarantineReason$ | Reason for being quarantined. Ex: Virus, Malware, etc. |
| threats | repeated ThreatRecord | | All recorded threats detected |
| sender_ip | string | senderIp$ | IP that sent the email |
| vendor_alert_url | string | vendorAlertUrl$ | Documentation provided by the vendor about the overall alert |
| message_id | string | messageId$ | Vendor-assigned ID of the email message. Note this may not be unique, because several email events can be generated for a single email. |
| click_time_usec | uint64 | clickTimeUsec$ | Time the user clicked on the URL |
| event_type | string | eventType$ | The event type provided by the email security source. Ex: 'Click Permitted' |
| event_metadata | KeyValuePairsIndexed | eventMetadata$ | Additional context that the data source may provide |
AttachmentRecord

| Normalized Field | Type | Parser Field | Description |
|---|---|---|---|
| file_name | string | fileName$ | Filename of the attachment |
| file_hash | FileHash | fileHash$ | File hashes associated with the attachment |
| file_size | uint64 | fileSize$ | Size of the attachment |
| declared_content_type | string | declaredContentType$ | The content type declared by the email |
| detected_content_type | string | detectedContentType$ | The content type as determined by analysis (interesting when it differs from the declared type) |
| sandbox_status | string | sandboxStatus$ | Status of the attachment, e.g. "THREAT" |
ThreatRecord

Record of a threat that was detected in an email attachment.

| Normalized Field | Type | Parser Field | Description |
|---|---|---|---|
| fileinfo | AttachmentRecord | fileinfo$ | General file information |
| classification | string | classification$ | Threat-specific classification |
| name | string | name$ | Threat name |
| vendor_threat_url | string | vendorThreatUrl$ | URL provided by the vendor in the event that provides more information |
| type | string | type$ | Threat type |
| additional_threat_data | KeyValuePairsIndexed | additionalThreatData$ | Additional threat metadata as key-value pairs |
Email.Direction

| Name | Number | Description |
|---|---|---|
| UNKNOWN | 0 | Unused but required for proto3 |
| INBOUND | 1 | Inbound email |
| OUTBOUND | 2 | Outbound email |
| INTERNAL | 3 | Internal email that does not cross the boundary on to the public internet |
Email.Status

Types of delivery statuses.

| Name | Number | Description |
|---|---|---|
| UNKNOWN_STATUS | 0 | Unused but required for proto3 |
| DELIVERED | 1 | Delivered/Accepted |
| QUARANTINED | 2 | Quarantined/Held |
| BLOCKED | 3 | Blocked outright |
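The following is an added example, not part of the schema documentation or any vendor code, showing how a detection would consume these fields: it models a subset of the Email record (the field names and Email.Status values above), flags the conditions the descriptions call out as interesting (multiple From addresses, a declared/detected content-type mismatch, a "THREAT" sandbox status) and, because message_id is not unique across events, judges each message by its newest event before reporting messages that were still DELIVERED. The events in SAMPLE are constructed.

```python
from dataclasses import dataclass, field
from enum import IntEnum

class Status(IntEnum):  # Email.Status from the table above
    UNKNOWN_STATUS, DELIVERED, QUARANTINED, BLOCKED = range(4)

@dataclass
class AttachmentRecord:
    file_name: str
    declared_content_type: str = ""
    detected_content_type: str = ""
    sandbox_status: str = ""  # e.g. "THREAT"

@dataclass
class EmailEvent:  # the subset of Email record fields this check uses
    message_id: str
    event_time_usec: int
    status: Status
    from_email_address: list[str] = field(default_factory=list)
    attachments: list[AttachmentRecord] = field(default_factory=list)

def findings(ev: EmailEvent) -> list[str]:
    """Conditions the field descriptions single out as interesting."""
    out = ["multiple From addresses"] if len(ev.from_email_address) > 1 else []
    for a in ev.attachments:
        if a.detected_content_type and a.detected_content_type != a.declared_content_type:
            out.append(f"{a.file_name}: declared {a.declared_content_type}, detected {a.detected_content_type}")
        if a.sandbox_status == "THREAT":
            out.append(f"{a.file_name}: sandbox verdict THREAT")
    return out

def delivered_with_findings(events: list[EmailEvent]) -> dict[str, list[str]]:
    """message_id repeats across events, so judge each message by its newest event's status."""
    newest: dict[str, EmailEvent] = {}
    for ev in events:
        if ev.message_id not in newest or ev.event_time_usec > newest[ev.message_id].event_time_usec:
            newest[ev.message_id] = ev
    hits: dict[str, list[str]] = {}
    for ev in events:
        f = findings(ev)
        if f and newest[ev.message_id].status == Status.DELIVERED:
            hits.setdefault(ev.message_id, []).extend(f)
    return hits

SAMPLE = [  # constructed events: m1 was delivered, then quarantined by a later event; m2 stayed delivered
    EmailEvent("m1", 1_700_000_000_000_000, Status.DELIVERED, ["a@example.com"]),
    EmailEvent("m1", 1_700_000_001_000_000, Status.QUARANTINED, ["a@example.com"],
               [AttachmentRecord("payload.doc", "application/msword", "application/msword", "THREAT")]),
    EmailEvent("m2", 1_700_000_002_000_000, Status.DELIVERED, ["b@example.com", "c@example.com"],
               [AttachmentRecord("invoice.pdf", "application/pdf", "application/x-msdownload")]),
]
```

Running `delivered_with_findings(SAMPLE)` reports only m2: m1 carried a THREAT verdict, but its newest event is QUARANTINED, so it is not counted as having reached a mailbox.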