Email fields
Elastic Stack Serverless
Event details relating to an email transaction.
This field set focuses on the email message header, body, and attachments. Network protocols that send and receive email messages such as SMTP are outside the scope of the email.* fields.
| Field | Description | Level |
|---|---|---|
| email.attachments | A list of objects describing the attachment files sent along with an email message. type: nested Note: this field should contain an array of values. |
extended |
| email.attachments.file.extension | Attachment file extension, excluding the leading dot. type: keyword example: txt |
extended |
| email.attachments.file.mime_type | The MIME media type of the attachment. This value will typically be extracted from the Content-Type MIME header field.type: keyword example: text/plain |
extended |
| email.attachments.file.name | Name of the attachment file including the file extension. type: keyword example: attachment.txt |
extended |
| email.attachments.file.size | Attachment file size in bytes. type: long example: 64329 |
extended |
| email.bcc.address | The email address of BCC recipient type: keyword Note: this field should contain an array of values. example: bcc.user1@example.com |
extended |
| email.cc.address | The email address of CC recipient type: keyword Note: this field should contain an array of values. example: cc.user1@example.com |
extended |
| email.content_type | Information about how the message is to be displayed. Typically a MIME type. type: keyword example: text/plain |
extended |
| email.delivery_timestamp | The date and time when the email message was received by the service or client. type: date example: 2020-11-10T22:12:34.8196921Z |
extended |
| email.direction | The direction of the message based on the sending and receiving domains. type: keyword example: inbound |
extended |
| email.from.address | The email address of the sender, typically from the RFC 5322 From: header field.type: keyword Note: this field should contain an array of values. example: sender@example.com |
extended |
| email.local_id | Unique identifier given to the email by the source that created the event. Identifier is not persistent across hops. type: keyword example: c26dbea0-80d5-463b-b93c-4e8b708219ce |
extended |
| email.message_id | Identifier from the RFC 5322 Message-ID: email header that refers to a particular email message.type: wildcard example: 81ce15$8r2j59@mail01.example.com |
extended |
| email.origination_timestamp | The date and time the email message was composed. Many email clients will fill in this value automatically when the message is sent by a user. type: date example: 2020-11-10T22:12:34.8196921Z |
extended |
| email.reply_to.address | The address that replies should be delivered to based on the value in the RFC 5322 Reply-To: header.type: keyword Note: this field should contain an array of values. example: reply.here@example.com |
extended |
| email.sender.address | Per RFC 5322, specifies the address responsible for the actual transmission of the message. type: keyword |
extended |
| email.subject | A brief summary of the topic of the message. type: keyword Multi-fields: * email.subject.text (type: match_only_text) example: Please see this important message. |
extended |
| email.to.address | The email address of recipient type: keyword Note: this field should contain an array of values. example: user1@example.com |
extended |
| email.x_mailer | The name of the application that was used to draft and send the original email message. type: keyword example: Spambot v2.5 |
extended |
| Location | Field Set | Description |
|---|---|---|
email.attachments.file.hash.* |
hash | Hashes, usually file hashes. |