Class: EmailMessage

_The Email Message Object represents an instance of an email message._

URI: attack:EmailMessage

 classDiagram
    class EmailMessage
    click EmailMessage href "../EmailMessage/"
      CyberObservableObject <|-- EmailMessage
        click CyberObservableObject href "../CyberObservableObject/"

      EmailMessage : additional_header_fields
      EmailMessage : bcc_refs
      EmailMessage : body
      EmailMessage : body_multipart
        EmailMessage --> "*" MimePartType : body_multipart
        click MimePartType href "../MimePartType/"
      EmailMessage : cc_refs
      EmailMessage : content_type
      EmailMessage : defanged
      EmailMessage : description
      EmailMessage : email_date
      EmailMessage : extensions
      EmailMessage : from_ref
      EmailMessage : granular_markings
        EmailMessage --> "*" GranularMarking : granular_markings
        click GranularMarking href "../GranularMarking/"
      EmailMessage : id
      EmailMessage : is_multipart
      EmailMessage : message_id
      EmailMessage : name
      EmailMessage : object_marking_refs
      EmailMessage : raw_email_ref
      EmailMessage : received_lines
      EmailMessage : sender_ref
      EmailMessage : spec_version
        EmailMessage --> "0..1" SpecVersionEnum : spec_version
        click SpecVersionEnum href "../SpecVersionEnum/"
      EmailMessage : subject
      EmailMessage : to_refs
      EmailMessage : type

Inheritance

Slots

| Name | Cardinality and Range | Description | Inheritance |
| --- | --- | --- | --- |
| email_date | 0..1 Datetime | Date/time the email message was sent | direct |
| content_type | 0..1 String | Specifies the value of the 'Content-Type' header of the email message | direct |
| from_ref | 0..1 StixIdentifier | Sender mailbox reference | direct |
| sender_ref | 0..1 StixIdentifier | Sender reference | direct |
| to_refs | * StixIdentifier | To-recipient references | direct |
| cc_refs | * StixIdentifier | Cc-recipient references | direct |
| bcc_refs | * StixIdentifier | Bcc-recipient references | direct |
| message_id | 0..1 String | Message identifier field | direct |
| subject | 0..1 String | Subject value | direct |
| received_lines | * String | Received header lines | direct |
| additional_header_fields | 0..1 String | Additional email headers | direct |
| raw_email_ref | 0..1 StixIdentifier | Reference to raw email artifact | direct |
| is_multipart | 0..1 Boolean | Indicates whether the email body contains multiple MIME parts | direct |
| body | 0..1 String | Specifies a string containing the email body | direct |
| body_multipart | * MimePartType | List of MIME parts comprising the email body (multipart emails only) | direct |
| type | 1 StixTypeName | STIX object type | StixEntity, CyberObservableCore |
| spec_version | 0..1 SpecVersionEnum | STIX specification version | CyberObservableCore |
| id | 1 StixIdentifier | STIX object identifier | StixEntity, CyberObservableCore |
| object_marking_refs | * StixIdentifier | Marking definition references applied to this object | CyberObservableCore |
| granular_markings | * GranularMarking | Granular markings that apply to selected content | CyberObservableCore |
| defanged | 0..1 Boolean | Defines whether or not the data contained within the object has been defanged | CyberObservableCore |
| extensions | * String | Open-ended extension payloads | CyberObservableCore |
| name | 0..1 String | Human-readable name | StixEntity |
| description | 0..1 String | Human-readable description | StixEntity |

In Subsets

Comments

  • jsonschema_rule: oneOf validator_hint: enforce-email-message-multipart-constraints jsonschema_source: https://github.com/oasis-open/cti-stix2-json-schemas/tree/master/schemas/observables/email-message.json

Notes

  • JSON Schema includes oneOf multipart semantics between body and body_multipart.
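
The constraints this page states for EmailMessage (the `id` and `type` patterns, the `jsonschema_minItems: "1"` hints, and the body/body_multipart rule) can be checked before an object is accepted into a pipeline. The following is an added example, not code from the schema project; `validate_email_message` is a hypothetical name, and the reading of the oneOf rule is an assumption based on the slot descriptions on this page.

```python
import re

# Patterns copied from the slot_usage section of this page.
ID_RE = re.compile(
    r"^email-message--[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}"
    r"-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$"
)
TYPE_RE = re.compile(r"^email-message$")
# Slots annotated with jsonschema_minItems "1" on this page.
MIN_ONE = ("to_refs", "cc_refs", "bcc_refs", "object_marking_refs", "granular_markings")


def validate_email_message(obj):
    """Return a list of violations; an empty list means the object passed."""
    errors = []
    for slot, rx in (("type", TYPE_RE), ("id", ID_RE)):  # the two required slots
        value = obj.get(slot)
        # fullmatch, not match: with match(), "$" would accept a trailing newline.
        if not isinstance(value, str) or not rx.fullmatch(value):
            errors.append(f"{slot}: missing or does not match {rx.pattern}")
    for slot in MIN_ONE:
        if slot in obj and not (isinstance(obj[slot], list) and obj[slot]):
            errors.append(f"{slot}: must be a list with at least one item")
    multipart = obj.get("is_multipart")
    if "is_multipart" in obj and not isinstance(multipart, bool):
        errors.append("is_multipart: must be a boolean")
    # Assumed reading of the oneOf rule: body and body_multipart never coexist,
    # and each is tied to the value of is_multipart.
    if "body" in obj and "body_multipart" in obj:
        errors.append("body and body_multipart are mutually exclusive")
    if "body" in obj and multipart is True:
        errors.append("body: only allowed when is_multipart is false")
    if "body_multipart" in obj and multipart is not True:
        errors.append("body_multipart: only allowed when is_multipart is true")
    return errors


# Constructed sample objects; every identifier below is made up.
GOOD = {
    "type": "email-message",
    "id": "email-message--11111111-2222-4333-8444-555555555555",
    "is_multipart": False,
    "body": "Quarterly report attached.",
    "to_refs": ["email-addr--aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee"],
}
BAD = dict(GOOD, id="email-message--11111111-2222-0333-8444-555555555555",
           is_multipart=True, to_refs=[])
```

The contents of each `body_multipart` entry (MimePartType) and the `extensions` keys are not checked here; the page delegates those to validator tooling.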

Identifier and Mapping Information

Schema Source

  • from schema: https://w3id.org/lmodel/attack

Mappings

| Mapping Type | Mapped Value |
| --- | --- |
| self | attack:EmailMessage |
| native | attack:EmailMessage |
| exact | unified_cyber_ontology:EmailMessage |

LinkML Source

Direct

name: EmailMessage
description: 'The Email Message Object represents an instance of an email message. '
notes:
- JSON Schema includes oneOf multipart semantics between body and body_multipart.
comments:
- 'jsonschema_rule: oneOf validator_hint: enforce-email-message-multipart-constraints
  jsonschema_source: https://github.com/oasis-open/cti-stix2-json-schemas/tree/master/schemas/observables/email-message.json'
in_subset:
- observables
from_schema: https://w3id.org/lmodel/attack
exact_mappings:
- unified_cyber_ontology:EmailMessage
is_a: CyberObservableObject
slots:
- email_date
- content_type
- from_ref
- sender_ref
- to_refs
- cc_refs
- bcc_refs
- message_id
- subject
- received_lines
- additional_header_fields
- raw_email_ref
- is_multipart
- body
- body_multipart
slot_usage:
  id:
    name: id
    pattern: ^email-message--[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$
  type:
    name: type
    pattern: ^email-message$
  to_refs:
    name: to_refs
    comments:
    - 'jsonschema_minItems: "1"'
  cc_refs:
    name: cc_refs
    comments:
    - 'jsonschema_minItems: "1"'
  bcc_refs:
    name: bcc_refs
    comments:
    - 'jsonschema_minItems: "1"'

Induced

name: EmailMessage
description: 'The Email Message Object represents an instance of an email message. '
notes:
- JSON Schema includes oneOf multipart semantics between body and body_multipart.
comments:
- 'jsonschema_rule: oneOf validator_hint: enforce-email-message-multipart-constraints
  jsonschema_source: https://github.com/oasis-open/cti-stix2-json-schemas/tree/master/schemas/observables/email-message.json'
in_subset:
- observables
from_schema: https://w3id.org/lmodel/attack
exact_mappings:
- unified_cyber_ontology:EmailMessage
is_a: CyberObservableObject
slot_usage:
  id:
    name: id
    pattern: ^email-message--[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$
  type:
    name: type
    pattern: ^email-message$
  to_refs:
    name: to_refs
    comments:
    - 'jsonschema_minItems: "1"'
  cc_refs:
    name: cc_refs
    comments:
    - 'jsonschema_minItems: "1"'
  bcc_refs:
    name: bcc_refs
    comments:
    - 'jsonschema_minItems: "1"'
attributes:
  email_date:
    name: email_date
    description: Date/time the email message was sent.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: email_date
    owner: EmailMessage
    domain_of:
    - EmailMessage
    range: datetime
  content_type:
    name: content_type
    description: Specifies the value of the 'Content-Type' header of the email message.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: content_type
    owner: EmailMessage
    domain_of:
    - EmailMessage
    - MimePartType
    range: string
  from_ref:
    name: from_ref
    description: Sender mailbox reference.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: from_ref
    owner: EmailMessage
    domain_of:
    - EmailMessage
    range: stix_identifier
  sender_ref:
    name: sender_ref
    description: Sender reference.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: sender_ref
    owner: EmailMessage
    domain_of:
    - EmailMessage
    range: stix_identifier
  to_refs:
    name: to_refs
    description: To-recipient references.
    comments:
    - 'jsonschema_minItems: "1"'
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: to_refs
    owner: EmailMessage
    domain_of:
    - EmailMessage
    range: stix_identifier
    multivalued: true
  cc_refs:
    name: cc_refs
    description: Cc-recipient references.
    comments:
    - 'jsonschema_minItems: "1"'
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: cc_refs
    owner: EmailMessage
    domain_of:
    - EmailMessage
    range: stix_identifier
    multivalued: true
  bcc_refs:
    name: bcc_refs
    description: Bcc-recipient references.
    comments:
    - 'jsonschema_minItems: "1"'
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: bcc_refs
    owner: EmailMessage
    domain_of:
    - EmailMessage
    range: stix_identifier
    multivalued: true
  message_id:
    name: message_id
    description: Message identifier field.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: message_id
    owner: EmailMessage
    domain_of:
    - EmailMessage
    range: string
  subject:
    name: subject
    description: Subject value.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: subject
    owner: EmailMessage
    domain_of:
    - EmailMessage
    - X509Certificate
    range: string
  received_lines:
    name: received_lines
    description: Received header lines.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: received_lines
    owner: EmailMessage
    domain_of:
    - EmailMessage
    range: string
    multivalued: true
  additional_header_fields:
    name: additional_header_fields
    description: Additional email headers.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: additional_header_fields
    owner: EmailMessage
    domain_of:
    - EmailMessage
    range: string
  raw_email_ref:
    name: raw_email_ref
    description: Reference to raw email artifact.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: raw_email_ref
    owner: EmailMessage
    domain_of:
    - EmailMessage
    range: stix_identifier
  is_multipart:
    name: is_multipart
    description: Indicates whether the email body contains multiple MIME parts.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: is_multipart
    owner: EmailMessage
    domain_of:
    - EmailMessage
    range: boolean
  body:
    name: body
    description: Specifies a string containing the email body. This field MAY only
      be used if is_multipart is false.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: body
    owner: EmailMessage
    domain_of:
    - EmailMessage
    - MimePartType
    range: string
  body_multipart:
    name: body_multipart
    description: List of MIME parts comprising the email body (multipart emails only).
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: body_multipart
    owner: EmailMessage
    domain_of:
    - EmailMessage
    range: MimePartType
    multivalued: true
    inlined: true
  type:
    name: type
    description: STIX object type.
    from_schema: https://w3id.org/lmodel/attack
    related_mappings:
    - unified_cyber_ontology:state
    rank: 1000
    alias: type
    owner: EmailMessage
    domain_of:
    - StixEntity
    - Bundle
    - Core
    - CyberObservableCore
    - ExtensionDefinition
    - LanguageContent
    - MarkingDefinition
    - File
    range: stix_type_name
    required: true
    pattern: ^email-message$
  spec_version:
    name: spec_version
    description: STIX specification version.
    from_schema: https://w3id.org/lmodel/attack
    close_mappings:
    - unified_cyber_ontology:specVersion
    rank: 1000
    alias: spec_version
    owner: EmailMessage
    domain_of:
    - Core
    - CyberObservableCore
    - MarkingDefinition
    range: SpecVersionEnum
  id:
    name: id
    description: STIX object identifier.
    from_schema: https://w3id.org/lmodel/attack
    related_mappings:
    - unified_cyber_ontology:externalReference
    rank: 1000
    alias: id
    owner: EmailMessage
    domain_of:
    - StixEntity
    - Bundle
    - Core
    - CyberObservableCore
    - ExtensionDefinition
    - LanguageContent
    - MarkingDefinition
    - File
    range: stix_identifier
    required: true
    pattern: ^email-message--[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$
  object_marking_refs:
    name: object_marking_refs
    description: Marking definition references applied to this object.
    comments:
    - 'jsonschema_minItems: "1"'
    from_schema: https://w3id.org/lmodel/attack
    close_mappings:
    - unified_cyber_ontology:objectMarking
    rank: 1000
    alias: object_marking_refs
    owner: EmailMessage
    domain_of:
    - Core
    - CyberObservableCore
    - MarkingDefinition
    range: stix_identifier
    multivalued: true
  granular_markings:
    name: granular_markings
    description: Granular markings that apply to selected content.
    comments:
    - 'jsonschema_minItems: "1"'
    from_schema: https://w3id.org/lmodel/attack
    narrow_mappings:
    - unified_cyber_ontology:objectMarking
    rank: 1000
    alias: granular_markings
    owner: EmailMessage
    domain_of:
    - Core
    - CyberObservableCore
    - MarkingDefinition
    range: GranularMarking
    multivalued: true
  defanged:
    name: defanged
    description: Defines whether or not the data contained within the object has been
      defanged.
    from_schema: https://w3id.org/lmodel/attack
    rank: 1000
    alias: defanged
    owner: EmailMessage
    domain_of:
    - CyberObservableCore
    range: boolean
  extensions:
    name: extensions
    description: Open-ended extension payloads.
    notes:
    - JSON Schema uses patternProperties for extension keys; exact key validation
      is delegated to validator tooling.
    comments:
    - 'jsonschema_rule: patternProperties validator_hint: validate-extension-keys-and-values'
    from_schema: https://w3id.org/lmodel/attack
    related_mappings:
    - unified_cyber_ontology:hasFacet
    rank: 1000
    alias: extensions
    owner: EmailMessage
    domain_of:
    - Core
    - CyberObservableCore
    - MarkingDefinition
    - File
    range: string
    multivalued: true
  name:
    name: name
    description: Human-readable name.
    from_schema: https://w3id.org/lmodel/attack
    exact_mappings:
    - unified_cyber_ontology:name
    rank: 1000
    alias: name
    owner: EmailMessage
    domain_of:
    - RelatedAsset
    - StixEntity
    - ExtensionDefinition
    - MarkingDefinition
    - AutonomousSystem
    - File
    range: string
  description:
    name: description
    description: Human-readable description.
    from_schema: https://w3id.org/lmodel/attack
    close_mappings:
    - unified_cyber_ontology:description
    rank: 1000
    alias: description
    owner: EmailMessage
    domain_of:
    - RelatedAsset
    - MutableElement
    - StixEntity
    - ExtensionDefinition
    - ExternalReference
    range: string