Email events are at the mail server level.

Actions

|Action|Description|
|---|---|
|block|The event corresponding to an email being blocked by the email server.|
|delete|The event corresponding to an email being deleted.|
|deliver|The event corresponding to an email being sent to an end recipient.|
|quarantine|The event corresponding to an email being quarantined for security reasons.|
|redirect|The event corresponding to an email being redirected.|

Fields

|Field|Description|Example|
|---|---|---|
|action_reason|The rationale given for blocking, redirecting, or quarantining an email.|Malformed Message|
|attachment_mime_type|The MIME type of the attachment.|.docx|
|attachment_name|Filename of any email attachment that may exist.|cuddly-cats.pdf|
|attachment_size|Filesize of the attachment.|567 Kb|
|date|SMTP date header, which is actually a date time group.|Thu Jul 18 09:30:00 PDT 2019|
|dest_address|Recipient email address, taken from the SMTP “Recipient” field.|adam@example.com|
|dest_ip|The destination IP address for the email.|221.174.222.111|
|dest_port|The destination port for the email.|993|
|from|Displayed sender name from the Message Information header; can be easily forged.|eve@trusted-advisors.com|
|message_body|Content of the email, not including subject.|Hello World|
|message_links|URLs extracted from the email body.|https://www.cnn.com|
|message_type|Content protocol of the message body.|html|
|return_address|Email address to which replies should be sent, also known as Return-Path or Reply-To; may differ from the src_address.|eve_secondary@example.com|
|server_relay|The Received portion of the SMTP header, which provides the chain of hosts that the email passed through during delivery; each link usually contains an IP address, domain, and datetime group.| |
|smtp_uid|Distinct ID used to distinguish emails.|MN2PR09MB4876CCE7F183A83E6BA1C4C1CBF50@PP34399.prod.outlook.com|
|src_address|Email address of the sender, taken from the “Sender” SMTP field.|eve@example.com|
|src_domain|The domain portion of the src_address.|example.com|
|src_ip|Originating IP address.|172.183.195.200|
|src_port|Originating port.|1248|
|subject|Subject line of the email.|Lo0k Younger Whl1e L0slng We19ht!!|
|to|The content of the To field in the email header; does not necessarily match up with real recipients.|adam@example.com|
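The field descriptions note that `from` is easily forged, that `return_address` may differ from `src_address`, and that `to` need not match the real recipients. The following is an added example, not part of the data model itself, of a check that compares those fields on delivered or redirected events. It assumes each event is a dict keyed by the field names above plus an `action` key, and that `to` holds a single address; the sample events are constructed.

```python
from email.utils import parseaddr

def _addr(value):
    """Lower-cased bare address from a value such as 'Eve <eve@example.com>'."""
    return parseaddr(value or "")[1].lower()

def _domain(value):
    return _addr(value).rpartition("@")[2]

def header_mismatches(event):
    """Compare forgeable header fields against the sender/recipient fields."""
    src_domain = (event.get("src_domain") or _domain(event.get("src_address"))).lower()
    findings = []
    if event.get("from") and _domain(event["from"]) != src_domain:
        findings.append("from_domain != src_domain")
    if event.get("return_address") and _domain(event["return_address"]) != src_domain:
        findings.append("return_address_domain != src_domain")
    if event.get("to") and _addr(event["to"]) != _addr(event.get("dest_address")):
        findings.append("to != dest_address")
    return findings

def triage(events, actions=("deliver", "redirect")):
    """Return (smtp_uid, findings) for mismatched events that still reached a mailbox."""
    hits = []
    for ev in events:
        found = header_mismatches(ev) if ev.get("action") in actions else []
        if found:
            hits.append((ev.get("smtp_uid"), found))
    return hits

# Constructed sample events; the "action" key and smtp_uid values are assumptions.
_BASE = {"src_address": "eve@example.com", "src_domain": "example.com",
         "dest_address": "adam@example.com", "to": "adam@example.com"}
SAMPLE_EVENTS = [
    {**_BASE, "action": "deliver", "smtp_uid": "sample-1",
     "from": "eve@trusted-advisors.com", "return_address": "eve_secondary@example.com"},
    {**_BASE, "action": "deliver", "smtp_uid": "sample-2",
     "from": "Eve <eve@example.com>"},
    {**_BASE, "action": "block", "smtp_uid": "sample-3",
     "from": "eve@trusted-advisors.com"},
    {**_BASE, "action": "redirect", "smtp_uid": "sample-4", "from": "eve@example.com",
     "return_address": "eve@example.net", "to": "staff@example.com"},
]

if __name__ == "__main__":
    for uid, findings in triage(SAMPLE_EVENTS):
        print(uid, findings)
```

A mismatch is a triage signal rather than proof of spoofing, since mailing lists and bulk senders legitimately use different header and envelope addresses.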

Coverage Map

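| |action_reason|attachment_mime_type|attachment_name|attachment_size|date|dest_address|dest_ip|dest_port|from|message_body|message_links|message_type|return_address|server_relay|smtp_uid|src_address|src_domain|src_ip|src_port|subject|to|
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|block| | | | | | | | | | | | | | | | | | | | | |
|delete| | | | | | | | | | | | | | | | | | | | | |
|deliver| | | | | | | | | | | | | | | | | | | | | |
|quarantine| | | | | | | | | | | | | | | | | | | | | |
|redirect| | | | | | | | | | | | | | | | | | | | | |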