From 9775772f89f2d18c130911844ae3318bd8b1dcff Mon Sep 17 00:00:00 2001 
From: MakoWish <26614684+MakoWish@users.noreply.github.com> 
Date: Thu, 24 Oct 2024 10:15:02 -0600 
Subject: [PATCH 1/3] Add domain to email.to and email.from. 
---
 schemas/email.yml | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+) 
diff --git a/schemas/email.yml b/schemas/email.yml 
index 9c8b6ff39..e3ea0eeb5 100644 
--- a/schemas/email.yml 
+++ b/schemas/email.yml 
@@ -126,6 +126,16 @@
 normalize:
 - array 
+ - name: from.domain 
+ level: extended 
+ type: keyword 
+ short: The sender's email domain. 
+ description: > 
+ The domain of the email sender. 
+ example: "example.com" 
+ normalize: 
+ - array 
+
 - name: local_id
 level: extended
 type: keyword 
@@ -193,6 +203,16 @@
 normalize:
 - array 
+ - name: to.domain 
+ level: extended 
+ type: keyword 
+ short: The recipient's email domain. 
+ description: > 
+ The domain of the email recipient. 
+ example: "example.com" 
+ normalize: 
+ - array 
+
 - name: x_mailer
 level: extended
 type: keyword 
From 27399ae8ae5ddb28ae57cc1de01bf8cd4474bff8 Mon Sep 17 00:00:00 2001 
From: MakoWish <26614684+MakoWish@users.noreply.github.com> 
Date: Thu, 24 Oct 2024 10:17:59 -0600 
Subject: [PATCH 2/3] Updated CHANGELOG.next.md. 
---
 CHANGELOG.next.md | 1 +
 1 file changed, 1 insertion(+) 
diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md 
index 70a4a3e0a..ca429bbb4 100644 
--- a/CHANGELOG.next.md 
+++ b/CHANGELOG.next.md 
@@ -22,6 +22,7 @@ Thanks, you're awesome :-) -->
 * Advanced `process.io` and `process.tty` fields to GA. #2317
 * Added `threat.indicator.id`. #2324
 * Added `process.group` to generated schemas. #2335 
+* Added `email.from.domain` and `email.to.domain`. #2392
 #### Improvements 
From 3c493d2e4816acfb383cd9938b47cb4400bc84c7 Mon Sep 17 00:00:00 2001 
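Review bot: The `description` added for `from.domain` (`The domain of the email sender.`) does not say how the value relates to `from.address` or whether it is normalized, so two producers can populate it differently (mixed case, trailing dot, Unicode versus punycode for internationalized domains) and a detection or allow-list keyed on the field will match one source and miss the other. Suggest `The domain part of email.from.address, i.e. the text after the final "@".` followed by one sentence stating whether the value is lowercased and which form internationalized domains are stored in, whichever the schema maintainers decide. The same gap applies to the `to.domain` hunk on this line and to the `bcc.domain`, `cc.domain`, `reply_to.domain` and `sender.domain` hunks in PATCH 3/3.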
From: MakoWish <26614684+MakoWish@users.noreply.github.com> 
Date: Thu, 24 Oct 2024 10:26:06 -0600 
Subject: [PATCH 3/3] Add domain to email fields 
---
 CHANGELOG.next.md | 2 +-
 schemas/email.yml | 40 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 41 insertions(+), 1 deletion(-) 
diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md 
index ca429bbb4..96214972c 100644 
--- a/CHANGELOG.next.md 
+++ b/CHANGELOG.next.md 
@@ -22,7 +22,7 @@ Thanks, you're awesome :-) -->
 * Advanced `process.io` and `process.tty` fields to GA. #2317
 * Added `threat.indicator.id`. #2324
 * Added `process.group` to generated schemas. #2335 
-* Added `email.from.domain` and `email.to.domain`. #2392 
+* Added `*.domain` fields to ECS `email`. #2392
 #### Improvements 
diff --git a/schemas/email.yml b/schemas/email.yml 
index e3ea0eeb5..7ace89a8f 100644 
--- a/schemas/email.yml 
+++ b/schemas/email.yml 
@@ -80,6 +80,16 @@
 normalize:
 - array 
+ - name: bcc.domain 
+ level: extended 
+ type: keyword 
+ short: Email domain of BCC recipients. 
+ description: > 
+ The domain of the BCC recipients. 
+ example: "example.com" 
+ normalize: 
+ - array 
+
 - name: cc.address
 level: extended
 type: keyword 
@@ -90,6 +100,16 @@
 normalize:
 - array 
+ - name: cc.domain 
+ level: extended 
+ type: keyword 
+ short: Email domain of CC recipients. 
+ description: > 
+ The domain of the CC recipients. 
+ example: "example.com" 
+ normalize: 
+ - array 
+
 - name: content_type
 level: extended
 type: keyword 
@@ -174,6 +194,16 @@
 normalize:
 - array 
+ - name: reply_to.domain 
+ level: extended 
+ type: keyword 
+ short: Email domain of Reply To address. 
+ description: > 
+ The domain of the Reply To address. 
+ example: "example.com" 
+ normalize: 
+ - array 
+
 - name: sender.address
 level: extended
 type: keyword 
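Review bot: The `short` strings in the three `email.yml` hunks here (`Email domain of BCC recipients.`, `Email domain of CC recipients.`, `Email domain of Reply To address.`) follow a different pattern from the `The sender's email domain.` and `The recipient's email domain.` that PATCH 1/3 adds for `from.domain` and `to.domain`, and since the series lands as one change the six new fields should read alike; either rewrite the earlier two as `short: Email domain of the sender.` and `short: Email domain of the recipients.` or rewrite these three in the possessive form. For `bcc.domain` and `cc.domain`, which are declared `normalize:` `- array` like their `.address` counterparts, the description should also say whether producers emit one entry per address (duplicates kept) or a de-duplicated set, because the two readings give different counts in aggregations. The `description` bodies here only restate `short`, so that sentence would give them something to add.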
@@ -182,6 +212,16 @@
 Per RFC 5322, specifies the address responsible for the actual transmission of the message. 
+ - name: sender.domain 
+ level: extended 
+ type: keyword 
+ short: Email domain of sender address. 
+ description: > 
+ The domain of the sender address. 
+ example: "example.com" 
+ normalize: 
+ - array 
+
 - name: subject
 level: extended
 type: keyword
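Review bot: `sender.domain` is declared multi-valued (`normalize:` / `- array`) while `sender.address`, whose entry closes in this hunk's leading context with no `normalize:` key, appears to be single-valued; a domain derived from one address has at most one value, and giving it an array type that its source field lacks will surprise consumers. Unless `sender.address` is declared an array elsewhere in the file, drop the two `normalize:` lines from this entry. The description could also carry the distinction the context already draws for `sender.address` (the RFC 5322 Sender, the address responsible for actual transmission), e.g. `May differ from email.from.domain when the message is transmitted on behalf of another address.`, since comparing the two fields is a routine analyst check.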