Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add "*.domain" Fields to ECS "email" Schema #2149

Open
MakoWish opened this issue Jan 25, 2023 · 1 comment · May be fixed by #2392
Open

Add "*.domain" Fields to ECS "email" Schema #2149

MakoWish opened this issue Jan 25, 2023 · 1 comment · May be fixed by #2392
Labels
enhancement New feature or request

Comments

@MakoWish
Copy link

MakoWish commented Jan 25, 2023
edited
Loading

Summary

Add *.domain fields to ECS email schema.

Motivation:

I have been using email.* fields for quite some time now, and I just realized there is now an official email schema for ECS. I have always parsed the full email addresses to also get the domain component of the address. This helps to visualize and report on domain names involved in email transmissions for the sake of both DLP and threat IOC's.

I noticed there are no official *.domain fields to mimic what I have been using, so I would like to propose those be added to the schema.

Detailed Design:

Provide additional details around the design of the proposed changes.

  • Field names
    • email.cc.domain
    • email.from.domain
    • email.reply_to.domain
    • email.sender.domain
    • email.to.domain
  • Example values for the fields
    • foo.org
    • contoso.com
  • Suggested appropriate datatypes
    • keyword
  • Any example events that map to the proposed use case(s)
    • All email events that contain email addresses, such as email.from.address, email.to.address, email.cc.address, etc. may be parsed (e.g. either a split or Grok on '@') for just the domain component of the address.

This could later be extended to the related ECS schema to include things such as related.email.address and related.email.domain to assist with investigating DLP and threat IOC's for emails.

I appreciate your consideration on this!

Eric
@MakoWish MakoWish added the enhancement New feature or request label Jan 25, 2023
@MakoWish MakoWish changed the title Include "domain" to ECS "email" Schema Add "*.domain" Fields to ECS "email" Schema Jan 25, 2023
@MakoWish
Copy link
Author

MakoWish commented Oct 24, 2024
edited
Loading

Nothing on this? I am already using these fields in a "catch all" ingest pipeline on our cluster, but it would be nice to see these fields added officially.

I have contributed to beats and integrations in the past, but I am not sure of this team's processes for making a minor change like this to ecs. I could create a PR for these changes, but please be gentle on me if I am missing a step this team likes to see in their PR's.

This was referenced Oct 24, 2024
Closed
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add domain to email.* Fields MakoWish/ecs
1 participant
@MakoWish