Layer: Email
This documentation provides detailed information about all fields available for the Email Sensor.
| Field Name | Type | Searchable | General Field | Description | Example | Products |
|---|---|---|---|---|---|---|
| act | dynamic | true | - | The actions taken to mitigate the event | | |
| attachment | dynamic | true | - | The information about the email attachment | {"attachmentFileTlsh": "", "attachmentFileName": "testfile.txt","attachmentFileHash": "","attachmentFileSize": "-1"} | |
| attachmentFileHash | string | true | FileSHA1 | The SHA-1 of the email attachment | | |
| attachmentFileHashes | dynamic | true | - | The SHA-1 of the email attachment | | |
| attachmentFileHashes | dynamic | true | FileSHA1 | SHA-1 hash of the email attachment | | |
| attachmentFileHashs | dynamic | true | - | The SHA-1 hash value of the attachment file | | |
| attachmentFileHashSha256s | dynamic | true | FileSHA2 | SHA-256 hash of the email attachment | | |
| attachmentFileName | dynamic | true | FileName | The file name of an attachment | | |
| attachmentFileName | dynamic | true | FileName | File name of the email attachment | | |
| attachmentFileSize | string | true | - | The file size of the email attachment | | |
| attachmentFileSizes | dynamic | true | - | The file size of email attachments | | Email Sensor |
| attachmentFileTlshes | dynamic | true | - | The TLSH of the email attachment | | |
| attachmentFileTlshes | dynamic | true | - | The TLSH hash detected by Trend Micro Anti-Spam Engine | - | |
| attachmentFileTlshs | dynamic | true | - | The TLSH hash value of the attachment file | | |
| attachmentMd5 | dynamic | true | FileMD5 | MD5 hash of the email attachment | | |
| attachmentSha1 | dynamic | true | FileSHA1 | SHA-1 hash of the email attachment | | |
| attachmentSha256 | dynamic | true | FileSHA2 | SHA-256 hash of the email attachment | | |
| attachmentSize | dynamic | true | - | The attachment file size | - | |
| attachmentSource | dynamic | true | - | The attachment source | | |
| attachmentTlsh | dynamic | true | - | The TLSH hash detected by Trend Micro Anti-Spam Engine | | |
| attachmentUrls | dynamic | true | - | The URLs and URL sources extracted from the email attachment | - | |
| correlatedIntelligence | dynamic | true | - | The Correlated Intelligence detection | {"risk_type": "Anomaly","matched_rules": [{"threat_type": "Possibly Unwanted Email","matched_filters": [{"id":"FIL013", "name": "Marketing Email Traits"},{"id":"FIL098", "name": "Infrequent Sender Email Domain"}],"name": "Possibly Unwanted Marketing Email","id": "AN004"}]} | |
| duser | dynamic | true | EmailRecipient | The email recipient | | |
| eventId | string | true | - | The event ID from the logs of each product | | |
| eventId | int | true | - | The event ID | | |
| eventName | string | true | - | The event type | | |
| eventTime | real | true | - | The time the agent detected the event | 1657135700000 | |
| groupId | string | true | - | The group ID for the management scope filter | 11111111-1111-1111-1111-111111111111 | |
| highlightedFileHashes | dynamic | true | FileSHA1 | The SHA-1 hashes of the highlighted file | | |
| highlightedFileName | dynamic | true | - | The file names of suspicious attachments | | |
| mailAttachmentHash | string | true | FileMD5 | Hash value of the email attachment | | |
| mailBccAddresses | dynamic | true | EmailRecipient | Mail BCC address in the email header | sample_email@trendmicro.com | |
| mailbox | string | true | - | The mailbox that is protected by Trend Micro | sample_email@trendmicro.com | |
| mailbox | string | true | - | Primary email address | sample_email@trendmicro.com | |
| mailCacheId | string | true | - | The internal email cache ID used to identify emails in the same mail group | <sample_email@trendmicro.com> | |
| mailCcAddresses | dynamic | true | EmailRecipient | Mail CC address in the email header | | |
| mailDirection | int | false | - | Email traffic direction | | |
| mailDirection | int | true | - | Email traffic direction | | |
| mailEurekaRuleIds | dynamic | true | - | The list of rule IDs scanned by Eureka and detected by Trend Micro Anti-Spam Engine | | |
| mailFeatureId | dynamic | true | - | The email protocol detected by Trend Micro Anti-Spam Engine | - | |
| mailFolder | string | true | - | The email folder name | | |
| mailFromAddresses | dynamic | true | EmailSender | Mail From address in the email header | sample_email@trendmicro.com | |
| mailHeaderHash | string | true | - | The email header hash detected by Trend Micro Anti-Spam Engine | | |
| mailHelo | string | true | - | The HELO command detected by Trend Micro Anti-Spam Engine | HELO inpost.tmes.trendmicro.com | |
| mailMetaText | string | true | - | The postman meta text detected by Trend Micro Anti-Spam Engine | | |
| mailMetaTraceId | string | true | - | The trace ID generated by Trend Micro Feedback Engine | | |
| mailMsgDirection | int | false | - | The direction of the email message | 1 | |
| mailMsgId | string | true | EmailMessageID | Email ID | <sample-id@trendmicro.com> | |
| mailMsgSubject | string | true | EmailSubject | The email subject | | |
| mailMsgSubject | string | true | EmailSubject | Email subject | | |
| mailReplyToAddresses | dynamic | true | - | The Reply To address detected by Trend Micro Anti-Spam Engine | sample_email@trendmicro.com | |
| mailReturnPath | dynamic | false | - | The hidden email header that indicates where bounced messages are sent | sample_email@trendmicro.com | |
| mailRuleId | dynamic | true | - | The rule ID of the matched rule detected by Trend Micro Anti-Spam Engine | | |
| mailScore | string | true | - | The score assigned to the email by Trend Micro Anti-Spam Engine | - | |
| mailSenderIp | string | true | - | Email sender IP address | 10.10.10.10 | |
| mailSmtpFromAddresses | dynamic | true | - | The sender email address | sample_email@trendmicro.com | |
| mailSmtpOriginalRecipients | dynamic | true | - | Original email recipients in the SMTP envelope | sample_email@trendmicro.com | |
| mailSmtpRecipients | dynamic | true | - | Email recipients in the SMTP envelope after scanning | sample_email@trendmicro.com | |
| mailSmtpTls | string | true | - | The SMTP TLS version number | | |
| mailSourceDomain | string | true | - | Email domain of the sender | example.com | |
| mailTagHash | string | true | - | The email tag hash detected by Trend Micro Anti-Spam Engine | | |
| mailTagHashRawSignature | string | true | - | The raw signature hash of the email | | |
| mailTextHash | string | true | - | The email text hash detected by Trend Micro Anti-Spam Engine | | |
| mailThreatType | string | true | - | The type of email detected by Trend Micro Anti-Spam Engine | | |
| mailToAddresses | dynamic | true | EmailRecipient | Mail To address in the email header | sample_email@trendmicro.com | |
| mailUrlHash | string | true | - | The email URL hash detected by Trend Micro Anti-Spam Engine | | |
| mailUrlsOriginalLink | dynamic | true | - | The original URL extracted from the email content | | |
| mailUrlsRealLink | dynamic | true | URL | URL extracted from the email content | | |
| mailUrlsVisibleLink | dynamic | true | URL | URL extracted from the email content | | |
| mailUserAgent | string | true | - | The user agent | | |
| mailWantedHeaderName | dynamic | true | - | The WantedHeader key name detected by Trend Micro Anti-Spam Engine | | |
| mailWantedHeaderValue | dynamic | true | - | The WantedHeader key value detected by Trend Micro Anti-Spam Engine | | |
| mailWholeHeader | dynamic | true | - | The name and email address of the sender in the From header detected by Trend Micro Anti-Spam Engine | <sample_email@trendmicro.com> | |
| mailXMailer | string | true | - | The X-Mailer header of the email | | |
| malName | string | true | - | The name of the detected malware | | |
| mExternalUid | string | true | - | The unique ID of the email | 11111111-1111-1111-1111-111111111111 | |
| msgId | string | true | EmailMessageID | The internet message ID | | |
| msgUuid | string | true | - | The unique email ID | | |
| msgUuid | string | true | - | Internal email UUID to identify each email message | 11111111-1111-1111-1111-111111111111 | |
| msgUuidChain | string | true | - | The internal UUID chain for each email in Trend Micro Feedback Engine | 11111111-1111-1111-1111-111111111111;00000000-0000-0000-0000-000000000000 | |
| orgId | string | true | - | The organization ID | | |
| orgId | string | true | - | The organization ID | 11111111-1111-1111-1111-111111111111 | |
| pname | string | true | - | The internal product ID | | |
| pname | string | true | - | Internal product code (deprecated) | | |
| remarks | string | true | - | The additional information | | |
| rt | string | false | - | The Unix time of the log generation | 1656324260000 | |
| ruleName | string | true | - | The name of the rule that triggered the event | | |
| ruleVer | string | true | - | The rule version | | |
| scanTs | string | true | - | The time the email was scanned | 1657135700000 | |
| scanType | string | true | - | The scan type | | |
| scanType | string | true | - | Manual or real-time scan | | |
| subRuleName | string | true | - | The subrule name | | |
| suser | dynamic | true | EmailSender | The email sender | sample_email@trendmicro.com | |
Generated by XDR Common Schema Public Doc Generator V2