Email File Activity (4011)

Email File Activity events report files within emails.

Category: Network Activity
Extends: base_event
UID: 4011

Attributes

Classification

category_uid

Type: integer_t
Requirement: required
Values:
- 4 - Network Activity: Network Activity events.

The category unique identifier of the event.

class_uid

Type: integer_t
Requirement: required
Values:
- 4011 - Email File Activity: Email File Activity events report files within emails.

The unique identifier of a class. A Class describes the attributes available in an event.

severity_id

Type: integer_t
Requirement: required
Values:
- 0 - Unknown: The event severity is not known.
- 1 - Informational: Informational message. No action required.
- 2 - Low: The user decides if action is needed.
- 3 - Medium: Action is required but the situation is not serious at this time.
- 4 - High: Action is required immediately.
- 5 - Critical: Action is required immediately and the scope is broad.
- 6 - Fatal: An error occurred but it is too late to take remedial action.
- 99 - Other: The event severity is not mapped. See the severity attribute, which contains a data source specific value.

The normalized identifier of the event severity.The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.

type_uid

Type: integer_t
Requirement: required
Values:
- 401100 - Email File Activity: Unknown
- 401101 - Email File Activity: Send
- 401102 - Email File Activity: Receive
- 401103 - Email File Activity: Scan: Email file being scanned (example: security scanning).
- 401199 - Email File Activity: Other

The event type ID. It identifies the event’s semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.

activity_name

Type: string_t
Requirement: optional

The event activity name, as defined by the activity_id.

category_name

Type: string_t
Requirement: optional

The event category name, as defined by category_uid value: Network Activity.

class_name

Type: string_t
Requirement: optional

The event class name, as defined by class_uid value: Email File Activity.

severity

Type: string_t
Requirement: optional

The event severity, normalized to the caption of the severity_id value. In the case of ‘Other’, it is defined by the event source.

type_name

Type: string_t
Requirement: optional

The event type name, as defined by the type_uid.

Context

metadata

Type: metadata
Requirement: required

The metadata associated with the event.

activity_id

Type: integer_t
Requirement: optional
Values:
- 0 - Unknown: The event activity is unknown.
- 1 - Send
- 2 - Receive
- 3 - Scan: Email file being scanned (example: security scanning).
- 99 - Other: The event activity is not mapped.

The normalized identifier of the activity that triggered the event.

api cloud

Type: api
Requirement: optional

Describes details about a typical API (Application Programming Interface) call.

enrichments

Type: enrichment
Requirement: optional

The additional information from an external data source, which is associated with the event. For example add location information for the IP address in the DNS answers:[{"name": "answers.ip", "value": "92.24.47.250", "type": "location", "data": {"city": "Socotra", "continent": "Asia", "coordinates": [-25.4153, 17.0743], "country": "YE", "desc": "Yemen"}}]

raw_data

Type: string_t
Requirement: optional

The event data as received from the event source.

unmapped

Type: object
Requirement: optional

The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.

Occurrence

time

Type: timestamp_t
Requirement: required

The normalized event occurrence time.

timezone_offset

Type: integer_t
Requirement: recommended

The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.

count

Type: integer_t
Requirement: optional

The number of times that events in the same logical group occurred during the event Start Time to End Time period.

duration

Type: integer_t
Requirement: optional

The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.

end_time

Type: timestamp_t
Requirement: optional

The end time of a time period, or the time of the most recent event included in the aggregate event.

end_time_dt datetime

Type: datetime_t
Requirement: optional

The end time of a time period, or the time of the most recent event included in the aggregate event.

start_time

Type: timestamp_t
Requirement: optional

The start time of a time period, or the time of the least recent event included in the aggregate event.

start_time_dt datetime

Type: datetime_t
Requirement: optional

The start time of a time period, or the time of the least recent event included in the aggregate event.

time_dt datetime

Type: datetime_t
Requirement: optional

The normalized event occurrence time.

Primary

cloud cloud

Type: cloud
Requirement: required

Describes details about the Cloud environment where the event was originally created or logged.

disposition_id security_control

Type: integer_t
Requirement: required
Values:
- 0 - Unknown
- 1 - Allowed
- 2 - Blocked
- 3 - Quarantined
- 4 - Isolated
- 5 - Deleted
- 6 - Dropped
- 7 - Custom Action: Executed custom action such as run a command script.
- 8 - Approved
- 9 - Restored
- 10 - Exonerated: No longer suspicious (re-scored).
- 11 - Corrected
- 12 - Partially Corrected
- 13 - Uncorrected
- 14 - Delayed: Requires reboot to finish the operation.
- 15 - Detected
- 16 - No Action
- 17 - Logged
- 18 - Tagged: Marked with extended attributes.
- 99 - Other

When security issues, such as malware or policy violations, are detected and possibly corrected, then disposition_id describes the action taken by the security product.

email_uid

Type: string_t
Requirement: required

The unique identifier of the email, used to correlate related email alert and activity events.

file

Type: file
Requirement: required

The email file attachment.

attacks security_control

Type: attack
Requirement: recommended

An array of attacks associated with an event.

device host

Type: device
Requirement: recommended

An addressable device, computer system or host.

message

Type: string_t
Requirement: recommended

The description of the event, as defined by the event source.

status_id

Type: integer_t
Requirement: recommended
Values:
- 0 - Unknown
- 1 - Success
- 2 - Failure
- 99 - Other: The event status is not mapped. See the status attribute, which contains a data source specific value.

The normalized identifier of the event status.

actor host

Type: actor
Requirement: optional

The actor object describes details about the user/role/process that was the source of the activity.

disposition security_control

Type: string_t
Requirement: optional

The event disposition name, normalized to the caption of the disposition_id value. In the case of ‘Other’, it is defined by the event source.

malware security_control

Type: malware
Requirement: optional

The list of malware identified by a finding.

observables

Type: observable
Requirement: optional

The observables associated with the event.

status

Type: string_t
Requirement: optional

The event status, normalized to the caption of the status_id value. In the case of ‘Other’, it is defined by the event source.

status_code

Type: string_t
Requirement: optional

The event status code, as reported by the event source.

For example, in a Windows Failed Authentication event, this would be the value of ‘Failure Code’, e.g. 0x18.

status_detail

Type: string_t
Requirement: optional

The status details contains additional information about the event outcome.