- name: email
  title: Email
  group: 2
  short: Describes an email transaction.
  description: >
    Event details relating to an email transaction.

    This field set focuses on the email message header, body, and attachments. Network protocols that send and receive
    email messages such as SMTP are outside the scope of the `email.*` fields.
  type: group
  fields:
    - name: attachments
      level: extended
      type: nested
      short: List of objects describing the attachments.
      description: >
        A list of objects describing the attachment files sent along with an email message.

      normalize:
        - array

    - name: attachments.file.extension
      level: extended
      type: keyword
      short: Attachment file extension.
      description: >
        Attachment file extension, excluding the leading dot.
      example: "txt"

    - name: attachments.file.mime_type
      level: extended
      type: keyword
      short: MIME type of the attachment file.
      description: >
        The MIME media type of the attachment.

        This value will typically be extracted from the `Content-Type` MIME header field.
      example: "text/plain"

    - name: attachments.file.name
      level: extended
      type: keyword
      short: Name of the attachment file.
      description: >
        Name of the attachment file including the file extension.
      example: "attachment.txt"

    - name: attachments.file.size
      level: extended
      type: long
      short: Attachment file size.
      description: >
        Attachment file size in bytes.
      example: 64329

    - name: bcc.address
      level: extended
      type: keyword
      short: Email address of BCC recipient
      description: >
        The email address of BCC recipient
      example: "bcc.user1@example.com"
      normalize:
        - array

    - name: cc.address
      level: extended
      type: keyword
      short: Email address of CC recipient
      description: >
        The email address of CC recipient
      example: "cc.user1@example.com"
      normalize:
        - array

    - name: content_type
      level: extended
      type: keyword
      short: MIME type of the email message.
      description: >
        Information about how the message is to be displayed.

        Typically a MIME type.
      example: "text/plain"

    - name: delivery_timestamp
      level: extended
      type: date
      short: Date and time when message was delivered.
      description: >
        The date and time when the email message was received by the service or client.
      example: "2020-11-10T22:12:34.8196921Z"

    - name: direction
      level: extended
      type: keyword
      short: Direction of the message.
      description: >
        The direction of the message based on the sending and receiving domains.
      example: inbound

    - name: from.address
      level: extended
      type: keyword
      short: The sender's email address.
      description: >
        The email address of the sender, typically from the RFC 5322 `From:` header field.
      example: "sender@example.com"
      normalize:
        - array

    - name: local_id
      level: extended
      type: keyword
      short: Unique identifier given by the source.
      description: >
        Unique identifier given to the email by the source that created the event.

        Identifier is not persistent across hops.
      example: "c26dbea0-80d5-463b-b93c-4e8b708219ce"

    - name: message_id
      level: extended
      type: wildcard
      short: Value from the Message-ID header.
      description: >
        Identifier from the RFC 5322 `Message-ID:` email header that refers to a particular email
        message.
      example: "81ce15$8r2j59@mail01.example.com"

    - name: origination_timestamp
      level: extended
      type: date
      short: Date and time the email was composed.
      description: >
        The date and time the email message was composed. Many email clients will fill in this value
        automatically when the message is sent by a user.
      example: "2020-11-10T22:12:34.8196921Z"

    - name: reply_to.address
      level: extended
      type: keyword
      short: Address replies should be delivered to.
      description: >
        The address that replies should be delivered to based on the value in the RFC 5322 `Reply-To:` header.
      example: "reply.here@example.com"
      normalize:
        - array

    - name: sender.address
      level: extended
      type: keyword
      short: Address of the message sender.
      description: >
        Per RFC 5322, specifies the address responsible for the actual transmission of
        the message.

    - name: subject
      level: extended
      type: keyword
      short: The subject of the email message.
      description: >
        A brief summary of the topic of the message.
      example: "Please see this important message."
      multi_fields:
      - type: match_only_text
        name: text

    - name: to.address
      level: extended
      type: keyword
      short: Email address of recipient
      description: >
        The email address of recipient
      example: "user1@example.com"
      normalize:
        - array

    - name: x_mailer
      level: extended
      type: keyword
      short: Application that drafted email.
      description: >
        The name of the application that was used to draft and send the original email message.
      example: "Spambot v2.5"