misp-objects/objects/email/definition.json

{
  "name": "email",
  "uuid": "a0c666e0-fc65-4be8-b48f-3423d788b552",
  "meta-category": "network",
  "description": "Email object describing an email with meta-information",
  "version": 14,
  "attributes": {
    "reply-to": {
      "description": "Email address the reply will be sent to",
      "misp-attribute": "email-reply-to",
      "ui-priority": 1,
      "categories": [
        "Payload delivery"
      ]
    },
    "message-id": {
      "description": "Message ID",
      "misp-attribute": "email-message-id",
      "disable_correlation": true,
      "ui-priority": 0,
      "categories": [
        "Payload delivery"
      ]
    },
    "to": {
      "description": "Destination email address",
      "misp-attribute": "email-dst",
      "disable_correlation": true,
      "ui-priority": 1,
      "categories": [
        "Payload delivery"
      ],
      "multiple": true
    },
    "cc": {
      "description": "Carbon copy",
      "misp-attribute": "email-dst",
      "disable_correlation": true,
      "ui-priority": 1,
      "categories": [
        "Payload delivery"
      ],
      "multiple": true
    },
    "to-display-name": {
      "description": "Display name of the receiver",
      "misp-attribute": "email-dst-display-name",
      "ui-priority": 1,
      "categories": [
        "Payload delivery"
      ],
      "multiple": true
    },
    "subject": {
      "description": "Subject",
      "misp-attribute": "email-subject",
      "ui-priority": 1,
      "categories": [
        "Payload delivery"
      ]
    },
    "screenshot": {
      "description": "Screenshot of email",
      "misp-attribute": "attachment",
      "disable_correlation": true,
      "ui-priority": 1,
      "categories": [
        "External analysis"
      ]
    },
    "attachment": {
      "description": "Attachment",
      "misp-attribute": "email-attachment",
      "ui-priority": 0,
      "categories": [
        "Payload delivery"
      ],
      "multiple": true
    },
    "received-header-ip": {
      "description": "Extracted IP address from parsed headers",
      "misp-attribute": "ip-src",
      "ui-priority": 0,
      "multiple": true
    },
    "received-header-hostname": {
      "description": "Extracted hostname from parsed headers",
      "misp-attribute": "hostname",
      "ui-priority": 0,
      "multiple": true
    },
    "x-mailer": {
      "description": "X-Mailer generally tells the program that was used to draft and send the original email",
      "misp-attribute": "email-x-mailer",
      "disable_correlation": true,
      "ui-priority": 0,
      "categories": [
        "Payload delivery"
      ]
    },
    "header": {
      "description": "Full headers",
      "misp-attribute": "email-header",
      "disable_correlation": true,
      "ui-priority": 0,
      "categories": [
        "Payload delivery"
      ],
      "multiple": true
    },
    "send-date": {
      "description": "Date the email has been sent",
      "misp-attribute": "datetime",
      "ui-priority": 0,
      "disable_correlation": true,
      "categories": [
        "Other"
      ]
    },
    "mime-boundary": {
      "description": "MIME Boundary",
      "misp-attribute": "email-mime-boundary",
      "disable_correlation": true,
      "ui-priority": 0,
      "categories": [
        "Payload delivery"
      ]
    },
    "thread-index": {
      "description": "Identifies a particular conversation thread",
      "misp-attribute": "email-thread-index",
      "disable_correlation": true,
      "ui-priority": 0,
      "categories": [
        "Payload delivery"
      ]
    },
    "from": {
      "description": "Sender email address",
      "misp-attribute": "email-src",
      "ui-priority": 1,
      "categories": [
        "Payload delivery"
      ]
    },
    "return-path": {
      "description": "Message return path",
      "misp-attribute": "email-src",
      "ui-priority": 1,
      "categories": [
        "Payload delivery"
      ]
    },
    "from-display-name": {
      "description": "Display name of the sender",
      "misp-attribute": "email-src-display-name",
      "ui-priority": 1,
      "categories": [
        "Payload delivery"
      ]
    },
    "email-body": {
      "description": "Body of the email",
      "misp-attribute": "email-body",
      "disable_correlation": true,
      "ui-priority": 1,
      "categories": [
        "Payload delivery"
      ]
    },
    "user-agent": {
      "description": "User Agent of the sender",
      "misp-attribute": "text",
      "ui-priority": 0,
      "disable_correlation": true
    },
    "ip-src": {
      "description": "Source IP address of the email sender",
      "misp-attribute": "ip-src",
      "ui-priority": 0,
      "multiple": true
    },
    "eml": {
      "description": "Full EML",
      "misp-attribute": "attachment",
      "disable_correlation": true,
      "ui-priority": 1
    }
  },
  "requiredOneOf": [
    "from",
    "from-display-name",
    "to",
    "to-display-name",
    "subject",
    "attachment",
    "message-id",
    "reply-to",
    "send-date",
    "mime-boundary",
    "thread-index",
    "header",
    "x-mailer",
    "return-path",
    "email-body",
    "eml"
  ]
}
email object added 2016-12-07 16:06:52 +01:00			`{`
JQ all the things 2017-02-13 11:18:42 +01:00			`"name": "email",`
Add and enforce UUID in the object definitions 2017-03-17 17:31:09 +01:00			`"uuid": "a0c666e0-fc65-4be8-b48f-3423d788b552",`
Enforce meta-category 2017-06-28 11:18:10 +02:00			`"meta-category": "network",`
JQ all the things 2017-02-13 11:18:42 +01:00			`"description": "Email object describing an email with meta-information",`
chg: [email] ip-src added in the email object templated as requested by Norberto Chavez Ref: https://twitter.com/NORBERTOCHAVEZ/status/1225213457429127170 2020-02-06 11:03:33 +01:00			`"version": 14,`
JQ all the things 2017-02-13 11:18:42 +01:00			`"attributes": {`
disable_correlation added 2017-03-15 07:42:14 +01:00			`"reply-to": {`
Add descriptions in all the objects 2017-08-29 18:36:46 +02:00			`"description": "Email address the reply will be sent to",`
disable_correlation added 2017-03-15 07:42:14 +01:00			`"misp-attribute": "email-reply-to",`
ui-priority 2017-07-03 16:42:40 +02:00			`"ui-priority": 1,`
JQ all the things 2017-02-13 11:18:42 +01:00			`"categories": [`
			`"Payload delivery"`
			`]`
			`},`
disable_correlation added 2017-03-15 07:42:14 +01:00			`"message-id": {`
Add descriptions in all the objects 2017-08-29 18:36:46 +02:00			`"description": "Message ID",`
disable_correlation added 2017-03-15 07:42:14 +01:00			`"misp-attribute": "email-message-id",`
chg: Update email template 2018-05-03 20:49:48 +02:00			`"disable_correlation": true,`
ui-priority 2017-07-03 16:42:40 +02:00			`"ui-priority": 0,`
JQ all the things 2017-02-13 11:18:42 +01:00			`"categories": [`
			`"Payload delivery"`
			`]`
			`},`
			`"to": {`
Add descriptions in all the objects 2017-08-29 18:36:46 +02:00			`"description": "Destination email address",`
JQ all the things 2017-02-13 11:18:42 +01:00			`"misp-attribute": "email-dst",`
chg: Update email template 2018-05-03 20:49:48 +02:00			`"disable_correlation": true,`
ui-priority 2017-07-03 16:42:40 +02:00			`"ui-priority": 1,`
JQ all the things 2017-02-13 11:18:42 +01:00			`"categories": [`
			`"Payload delivery"`
			`],`
			`"multiple": true`
			`},`
Carbon copy field added 2017-09-27 16:43:21 +02:00			`"cc": {`
			`"description": "Carbon copy",`
			`"misp-attribute": "email-dst",`
chg: Update email template 2018-05-03 20:49:48 +02:00			`"disable_correlation": true,`
Carbon copy field added 2017-09-27 16:43:21 +02:00			`"ui-priority": 1,`
			`"categories": [`
			`"Payload delivery"`
			`],`
			`"multiple": true`
			`},`
JQ all the things 2017-02-13 11:18:42 +01:00			`"to-display-name": {`
Add descriptions in all the objects 2017-08-29 18:36:46 +02:00			`"description": "Display name of the receiver",`
JQ all the things 2017-02-13 11:18:42 +01:00			`"misp-attribute": "email-dst-display-name",`
ui-priority 2017-07-03 16:42:40 +02:00			`"ui-priority": 1,`
JQ all the things 2017-02-13 11:18:42 +01:00			`"categories": [`
			`"Payload delivery"`
			`],`
			`"multiple": true`
			`},`
			`"subject": {`
Add descriptions in all the objects 2017-08-29 18:36:46 +02:00			`"description": "Subject",`
JQ all the things 2017-02-13 11:18:42 +01:00			`"misp-attribute": "email-subject",`
ui-priority 2017-07-03 16:42:40 +02:00			`"ui-priority": 1,`
JQ all the things 2017-02-13 11:18:42 +01:00			`"categories": [`
			`"Payload delivery"`
			`]`
			`},`
Added file attribute screenshot to email object 2017-11-09 16:07:54 +01:00			`"screenshot": {`
			`"description": "Screenshot of email",`
			`"misp-attribute": "attachment",`
chg: Update email template 2018-05-03 20:49:48 +02:00			`"disable_correlation": true,`
Added file attribute screenshot to email object 2017-11-09 16:07:54 +01:00			`"ui-priority": 1,`
			`"categories": [`
			`"External analysis"`
			`]`
			`},`
JQ all the things 2017-02-13 11:18:42 +01:00			`"attachment": {`
Add descriptions in all the objects 2017-08-29 18:36:46 +02:00			`"description": "Attachment",`
JQ all the things 2017-02-13 11:18:42 +01:00			`"misp-attribute": "email-attachment",`
ui-priority 2017-07-03 16:42:40 +02:00			`"ui-priority": 0,`
JQ all the things 2017-02-13 11:18:42 +01:00			`"categories": [`
			`"Payload delivery"`
			`],`
			`"multiple": true`
			`},`
chg: [email] IP and hostname fields from extracted headers 2019-02-14 14:33:39 +01:00			`"received-header-ip": {`
			`"description": "Extracted IP address from parsed headers",`
			`"misp-attribute": "ip-src",`
			`"ui-priority": 0,`
			`"multiple": true`
			`},`
			`"received-header-hostname": {`
			`"description": "Extracted hostname from parsed headers",`
			`"misp-attribute": "hostname",`
			`"ui-priority": 0,`
			`"multiple": true`
			`},`
disable_correlation added 2017-03-15 07:42:14 +01:00			`"x-mailer": {`
Add descriptions in all the objects 2017-08-29 18:36:46 +02:00			`"description": "X-Mailer generally tells the program that was used to draft and send the original email",`
Fix #14 2017-07-03 11:59:25 +02:00			`"misp-attribute": "email-x-mailer",`
chg: Update email template 2018-05-03 20:49:48 +02:00			`"disable_correlation": true,`
ui-priority 2017-07-03 16:42:40 +02:00			`"ui-priority": 0,`
JQ all the things 2017-02-13 11:18:42 +01:00			`"categories": [`
			`"Payload delivery"`
			`]`
			`},`
disable_correlation added 2017-03-15 07:42:14 +01:00			`"header": {`
Add descriptions in all the objects 2017-08-29 18:36:46 +02:00			`"description": "Full headers",`
disable_correlation added 2017-03-15 07:42:14 +01:00			`"misp-attribute": "email-header",`
chg: Update email template 2018-05-03 20:49:48 +02:00			`"disable_correlation": true,`
ui-priority 2017-07-03 16:42:40 +02:00			`"ui-priority": 0,`
JQ all the things 2017-02-13 11:18:42 +01:00			`"categories": [`
			`"Payload delivery"`
disable_correlation added 2017-03-15 07:42:14 +01:00			`],`
			`"multiple": true`
JQ all the things 2017-02-13 11:18:42 +01:00			`},`
			`"send-date": {`
Add descriptions in all the objects 2017-08-29 18:36:46 +02:00			`"description": "Date the email has been sent",`
JQ all the things 2017-02-13 11:18:42 +01:00			`"misp-attribute": "datetime",`
ui-priority 2017-07-03 16:42:40 +02:00			`"ui-priority": 0,`
disable_correlation added 2017-03-15 07:42:14 +01:00			`"disable_correlation": true,`
JQ all the things 2017-02-13 11:18:42 +01:00			`"categories": [`
			`"Other"`
			`]`
			`},`
			`"mime-boundary": {`
Add descriptions in all the objects 2017-08-29 18:36:46 +02:00			`"description": "MIME Boundary",`
JQ all the things 2017-02-13 11:18:42 +01:00			`"misp-attribute": "email-mime-boundary",`
chg: Update email template 2018-05-03 20:49:48 +02:00			`"disable_correlation": true,`
ui-priority 2017-07-03 16:42:40 +02:00			`"ui-priority": 0,`
JQ all the things 2017-02-13 11:18:42 +01:00			`"categories": [`
			`"Payload delivery"`
			`]`
			`},`
			`"thread-index": {`
Add descriptions in all the objects 2017-08-29 18:36:46 +02:00			`"description": "Identifies a particular conversation thread",`
JQ all the things 2017-02-13 11:18:42 +01:00			`"misp-attribute": "email-thread-index",`
chg: Update email template 2018-05-03 20:49:48 +02:00			`"disable_correlation": true,`
ui-priority 2017-07-03 16:42:40 +02:00			`"ui-priority": 0,`
JQ all the things 2017-02-13 11:18:42 +01:00			`"categories": [`
			`"Payload delivery"`
			`]`
			`},`
disable_correlation added 2017-03-15 07:42:14 +01:00			`"from": {`
Add descriptions in all the objects 2017-08-29 18:36:46 +02:00			`"description": "Sender email address",`
disable_correlation added 2017-03-15 07:42:14 +01:00			`"misp-attribute": "email-src",`
ui-priority 2017-07-03 16:42:40 +02:00			`"ui-priority": 1,`
JQ all the things 2017-02-13 11:18:42 +01:00			`"categories": [`
			`"Payload delivery"`
disable_correlation added 2017-03-15 07:42:14 +01:00			`]`
JQ all the things 2017-02-13 11:18:42 +01:00			`},`
return-path added in email object 2017-09-25 20:37:02 +02:00			`"return-path": {`
			`"description": "Message return path",`
chg: Update email template 2018-05-03 20:49:48 +02:00			`"misp-attribute": "email-src",`
return-path added in email object 2017-09-25 20:37:02 +02:00			`"ui-priority": 1,`
			`"categories": [`
			`"Payload delivery"`
			`]`
			`},`
disable_correlation added 2017-03-15 07:42:14 +01:00			`"from-display-name": {`
Add descriptions in all the objects 2017-08-29 18:36:46 +02:00			`"description": "Display name of the sender",`
disable_correlation added 2017-03-15 07:42:14 +01:00			`"misp-attribute": "email-src-display-name",`
ui-priority 2017-07-03 16:42:40 +02:00			`"ui-priority": 1,`
JQ all the things 2017-02-13 11:18:42 +01:00			`"categories": [`
			`"Payload delivery"`
			`]`
Add email-body to the email object definition 2018-01-30 01:12:53 +01:00			`},`
			`"email-body": {`
			`"description": "Body of the email",`
			`"misp-attribute": "email-body",`
chg: Update email template 2018-05-03 20:49:48 +02:00			`"disable_correlation": true,`
Add email-body to the email object definition 2018-01-30 01:12:53 +01:00			`"ui-priority": 1,`
			`"categories": [`
			`"Payload delivery"`
			`]`
new: Add EML to the email template 2018-04-27 14:20:10 +02:00			`},`
chg: Update email template 2018-05-03 20:49:48 +02:00			`"user-agent": {`
			`"description": "User Agent of the sender",`
			`"misp-attribute": "text",`
			`"ui-priority": 0,`
			`"disable_correlation": true`
			`},`
chg: [email] ip-src added in the email object templated as requested by Norberto Chavez Ref: https://twitter.com/NORBERTOCHAVEZ/status/1225213457429127170 2020-02-06 11:03:33 +01:00			`"ip-src": {`
			`"description": "Source IP address of the email sender",`
			`"misp-attribute": "ip-src",`
			`"ui-priority": 0,`
			`"multiple": true`
			`},`
new: Add EML to the email template 2018-04-27 14:20:10 +02:00			`"eml": {`
			`"description": "Full EML",`
			`"misp-attribute": "attachment",`
chg: Update email template 2018-05-03 20:49:48 +02:00			`"disable_correlation": true,`
new: Add EML to the email template 2018-04-27 14:20:10 +02:00			`"ui-priority": 1`
JQ all the things 2017-02-13 11:18:42 +01:00			`}`
			`},`
			`"requiredOneOf": [`
fix: Fixed an issue with the email object not having the correct requiredoneof fieldnames, fixes MISP/MISP#2481 2017-09-17 12:31:50 +02:00			`"from",`
			`"from-display-name",`
			`"to",`
			`"to-display-name",`
			`"subject",`
			`"attachment",`
			`"message-id",`
			`"reply-to",`
JQ all the things 2017-02-13 11:18:42 +01:00			`"send-date",`
fix: Fixed an issue with the email object not having the correct requiredoneof fieldnames, fixes MISP/MISP#2481 2017-09-17 12:31:50 +02:00			`"mime-boundary",`
			`"thread-index",`
			`"header",`
return-path added in email object 2017-09-25 20:37:02 +02:00			`"x-mailer",`
chg: [email] add email-body in requiredOneOf 2018-04-26 15:05:19 +02:00			`"return-path",`
new: Add EML to the email template 2018-04-27 14:20:10 +02:00			`"email-body",`
			`"eml"`
JQ all the things 2017-02-13 11:18:42 +01:00			`]`
email object added 2016-12-07 16:06:52 +01:00			`}`