Class: Email
The Email object describes the email metadata such as sender, recipients, and
direction, and can include embedded URLs and files.
URI: ocsf:Email
```mermaid
classDiagram
    class Email
    click Email href "../Email/"
    DataClassificationProfile <|-- Email
    click DataClassificationProfile href "../DataClassificationProfile/"
    Object <|-- Email
    click Object href "../Object/"
    Email : cc
    Email : cc_mailboxes
    Email : data_classification
    Email --> "0..1 _recommended_" DataClassification : data_classification
    click DataClassification href "../DataClassification/"
    Email : data_classifications
    Email --> "* _recommended_" DataClassification : data_classifications
    click DataClassification href "../DataClassification/"
    Email : delivered_to
    Email : delivered_to_list
    Email : files
    Email --> "*" File : files
    click File href "../File/"
    Email : from_
    Email : from_list
    Email : from_mailbox
    Email : from_mailboxes
    Email : http_headers
    Email --> "*" HttpHeader : http_headers
    click HttpHeader href "../HttpHeader/"
    Email : is_read
    Email : message_uid
    Email : raw_header
    Email : reply_to
    Email : reply_to_list
    Email : reply_to_mailboxes
    Email : return_path
    Email : sender
    Email : sender_mailbox
    Email : size
    Email : smtp_from
    Email : smtp_to
    Email : subject
    Email : to
    Email : to_mailboxes
    Email : uid
    Email : urls
    Email --> "*" Url : urls
    click Url href "../Url/"
    Email : x_originating_ip
```
Inheritance
- OcsfObject
- Object
- Email [ DataClassificationProfile]
- Object
Slots
| Name | Cardinality and Range | Description | Inheritance |
|---|---|---|---|
| cc | * EmailT | The machine-readable email header Cc values, as defined by RFC 5322 | direct |
| cc_mailboxes | * String | The human-readable email header Cc Mailbox values | direct |
| delivered_to | 0..1 EmailT | The machine-readable Delivered-To email header field | direct |
| delivered_to_list | * EmailT | The machine-readable Delivered-To email header values | direct |
| files | * File | The files embedded or attached to the email | direct |
| from_ | 0..1 recommended EmailT | The machine-readable email header From value, as defined by RFC 5322 | direct |
| from_list | * EmailT | The machine-readable email header From values | direct |
| from_mailbox | 0..1 String | The human-readable email header From Mailbox value | direct |
| from_mailboxes | * EmailT | The human-readable email header From Mailbox values | direct |
| http_headers | * HttpHeader | Additional HTTP headers of an HTTP request or response | direct |
| is_read | 0..1 Boolean | The indication of whether the email has been read | direct |
| message_uid | 0..1 recommended String | The email header Message-ID value, as defined by RFC 5322 | direct |
| raw_header | 0..1 String | The email authentication header | direct |
| reply_to | 0..1 recommended EmailT | The machine-readable email header Reply-To value, as defined by RFC 5322 | direct |
| reply_to_list | * EmailT | The machine-readable email header Reply-To values, as defined by RFC 5322 | direct |
| reply_to_mailboxes | * String | The human-readable email header Reply To Mailbox values | direct |
| return_path | 0..1 EmailT | The address found in the 'Return-Path' header, which indicates where bounce | direct |
| sender | 0..1 EmailT | The machine readable email address of the system or server that actually | direct |
| sender_mailbox | 0..1 String | The human readable email address of the system or server that actually | direct |
| size | 0..1 recommended Integer | The size in bytes of the email, including attachments | direct |
| smtp_from | 0..1 recommended EmailT | The value of the SMTP MAIL FROM command | direct |
| smtp_to | * recommended EmailT | The value of the SMTP envelope RCPT TO command | direct |
| subject | 0..1 recommended String | The email header Subject value, as defined by RFC 5322 | direct |
| to | * recommended EmailT | The machine-readable email header To values, as defined by RFC 5322 | direct |
| to_mailboxes | * String | The human-readable email header To Mailbox values | direct |
| uid | 0..1 recommended String | The unique identifier of the email thread | direct |
| urls | * Url | The URLs embedded in the email | direct |
| x_originating_ip | * IpT | The X-Originating-IP header identifying the emails originating IP address(es) | direct |
| data_classification | 0..1 recommended DataClassification | The Data Classification object includes information about data classification | DataClassificationProfile |
| data_classifications | * recommended DataClassification | A list of Data Classification objects, that include information about data | DataClassificationProfile |
Usages
| used by | used in | type | used |
|---|---|---|---|
| Osint | range | ||
| Evidences | range | ||
| ManagedEntity | range | ||
| EmailActivity | range | ||
| WindowsEvidences | range | ||
Rules
| Rule Applied | Preconditions | Postconditions | Elseconditions |
|---|---|---|---|
| any_of | | [{'slot_conditions': {'from_': {'required': True}}}, {'slot_conditions': {'to': {'required': True}}}] | |
In Subsets
Aliases
See Also
Notes
- D3FEND™ Ontology d3f:Email. — https://d3fend.mitre.org/dao/artifact/d3f:Email/
Identifier and Mapping Information
Annotations
| property | value |
|---|---|
| ocsf_constraints | {"at_least_one": ["from", "to"]} |
| observable_id | 22 |
Schema Source
- from schema: https://w3id.org/lmodel/ocsf
Mappings
| Mapping Type | Mapped Value |
|---|---|
| self | ocsf:Email |
| native | ocsf:Email |
| exact | stix:EmailMessage, uco_master:EmailMessage |
LinkML Source
Direct
```yaml
name: Email
annotations:
  ocsf_constraints:
    tag: ocsf_constraints
    value: '{"at_least_one": ["from", "to"]}'
  observable_id:
    tag: observable_id
    value: 22
description: 'The Email object describes the email metadata such as sender, recipients,
  and
  direction, and can include embedded URLs and files.'
notes:
- D3FEND™ Ontology d3f:Email. — https://d3fend.mitre.org/dao/artifact/d3f:Email/
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
see_also:
- https://d3fend.mitre.org/dao/artifact/d3f:Email/
aliases:
- Email
exact_mappings:
- stix:EmailMessage
- uco_master:EmailMessage
is_a: Object
mixins:
- DataClassificationProfile
slots:
- cc
- cc_mailboxes
- delivered_to
- delivered_to_list
- files
- from_
- from_list
- from_mailbox
- from_mailboxes
- http_headers
- is_read
- message_uid
- raw_header
- reply_to
- reply_to_list
- reply_to_mailboxes
- return_path
- sender
- sender_mailbox
- size
- smtp_from
- smtp_to
- subject
- to
- to_mailboxes
- uid
- urls
- x_originating_ip
slot_usage:
  delivered_to:
    name: delivered_to
    deprecated: Use the <code> delivered_to_list </code> attribute instead.
  files:
    name: files
    description: The files embedded or attached to the email.
  from_:
    name: from_
    recommended: true
  message_uid:
    name: message_uid
    recommended: true
  reply_to:
    name: reply_to
    deprecated: Use the <code> reply_to_list </code> attribute instead.
    recommended: true
  size:
    name: size
    description: The size in bytes of the email, including attachments.
    recommended: true
  smtp_from:
    name: smtp_from
    deprecated: Use the <code> from </code> attribute instead.
    recommended: true
  smtp_to:
    name: smtp_to
    deprecated: Use the <code> to </code> attribute instead.
    recommended: true
  subject:
    name: subject
    description: The email header Subject value, as defined by RFC 5322.
    recommended: true
  to:
    name: to
    recommended: true
  uid:
    name: uid
    description: The unique identifier of the email thread.
    recommended: true
  urls:
    name: urls
    description: The URLs embedded in the email.
rules:
- postconditions:
    any_of:
    - slot_conditions:
        from_:
          name: from_
          required: true
    - slot_conditions:
        to:
          name: to
          required: true
  description: 'OCSF at_least_one: at least one of [''from_'', ''to''] must be set.'
```
Induced
```yaml
name: Email
annotations:
  ocsf_constraints:
    tag: ocsf_constraints
    value: '{"at_least_one": ["from", "to"]}'
  observable_id:
    tag: observable_id
    value: 22
description: 'The Email object describes the email metadata such as sender, recipients,
  and
  direction, and can include embedded URLs and files.'
notes:
- D3FEND™ Ontology d3f:Email. — https://d3fend.mitre.org/dao/artifact/d3f:Email/
in_subset:
- objects_subset
from_schema: https://w3id.org/lmodel/ocsf
see_also:
- https://d3fend.mitre.org/dao/artifact/d3f:Email/
aliases:
- Email
exact_mappings:
- stix:EmailMessage
- uco_master:EmailMessage
is_a: Object
mixins:
- DataClassificationProfile
slot_usage:
  delivered_to:
    name: delivered_to
    deprecated: Use the <code> delivered_to_list </code> attribute instead.
  files:
    name: files
    description: The files embedded or attached to the email.
  from_:
    name: from_
    recommended: true
  message_uid:
    name: message_uid
    recommended: true
  reply_to:
    name: reply_to
    deprecated: Use the <code> reply_to_list </code> attribute instead.
    recommended: true
  size:
    name: size
    description: The size in bytes of the email, including attachments.
    recommended: true
  smtp_from:
    name: smtp_from
    deprecated: Use the <code> from </code> attribute instead.
    recommended: true
  smtp_to:
    name: smtp_to
    deprecated: Use the <code> to </code> attribute instead.
    recommended: true
  subject:
    name: subject
    description: The email header Subject value, as defined by RFC 5322.
    recommended: true
  to:
    name: to
    recommended: true
  uid:
    name: uid
    description: The unique identifier of the email thread.
    recommended: true
  urls:
    name: urls
    description: The URLs embedded in the email.
attributes:
  cc:
    name: cc
    description: 'The machine-readable email header Cc values, as defined by RFC 5322.
      For
      example <code>example.user@usersdomain.com</code>.'
    notes:
    - RFC 5322 — https://www.rfc-editor.org/rfc/rfc5322
    from_schema: https://w3id.org/lmodel/ocsf
    see_also:
    - https://www.rfc-editor.org/rfc/rfc5322
    aliases:
    - Cc
    rank: 1000
    alias: cc
    owner: Email
    domain_of:
    - Email
    range: EmailT
    multivalued: true
  cc_mailboxes:
    name: cc_mailboxes
    description: 'The human-readable email header Cc Mailbox values. For example <code>''Example
      User <example.user@usersdomain.com>''</code>.'
    notes:
    - RFC 5322 — https://www.rfc-editor.org/rfc/rfc5322#section-3.4
    from_schema: https://w3id.org/lmodel/ocsf
    see_also:
    - https://www.rfc-editor.org/rfc/rfc5322#section-3.4
    aliases:
    - Cc Mailboxes
    rank: 1000
    alias: cc_mailboxes
    owner: Email
    domain_of:
    - Email
    range: string
    multivalued: true
  delivered_to:
    name: delivered_to
    description: 'The machine-readable <strong>Delivered-To</strong> email header
      field. For
      example <code>example.user@usersdomain.com</code>'
    deprecated: Use the <code> delivered_to_list </code> attribute instead.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Delivered To
    rank: 1000
    alias: delivered_to
    owner: Email
    domain_of:
    - Email
    range: EmailT
  delivered_to_list:
    name: delivered_to_list
    description: 'The machine-readable <strong>Delivered-To</strong> email header
      values. For
      example <code>example.user@usersdomain.com</code>'
    notes:
    - RFC 9228 — https://www.rfc-editor.org/rfc/rfc9228
    from_schema: https://w3id.org/lmodel/ocsf
    see_also:
    - https://www.rfc-editor.org/rfc/rfc9228
    aliases:
    - Delivered To List
    rank: 1000
    alias: delivered_to_list
    owner: Email
    domain_of:
    - Email
    range: EmailT
    multivalued: true
  files:
    name: files
    description: The files embedded or attached to the email.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Files
    rank: 1000
    alias: files
    owner: Email
    domain_of:
    - Email
    - Malware
    range: File
    multivalued: true
  from_:
    name: from_
    description: 'The machine-readable email header From value, as defined by RFC
      5322. For
      example <code>example.user@usersdomain.com</code>.'
    notes:
    - RFC 5322 — https://www.rfc-editor.org/rfc/rfc5322
    from_schema: https://w3id.org/lmodel/ocsf
    see_also:
    - https://www.rfc-editor.org/rfc/rfc5322
    aliases:
    - From
    rank: 1000
    alias: from_
    owner: Email
    domain_of:
    - Email
    - EmailActivity
    range: EmailT
    recommended: true
  from_list:
    name: from_list
    description: 'The machine-readable email header From values. This array should
      contain the
      value in <code>from</code>. For example
      <code>example.user@usersdomain.com</code>.'
    notes:
    - RFC 5322 — https://www.rfc-editor.org/rfc/rfc5322#section-3.4
    from_schema: https://w3id.org/lmodel/ocsf
    see_also:
    - https://www.rfc-editor.org/rfc/rfc5322#section-3.4
    aliases:
    - From List
    rank: 1000
    alias: from_list
    owner: Email
    domain_of:
    - Email
    range: EmailT
    multivalued: true
  from_mailbox:
    name: from_mailbox
    description: 'The human-readable email header From Mailbox value. For example
      <code>''Example
      User <example.user@usersdomain.com>''</code>.'
    notes:
    - RFC 5322 — https://www.rfc-editor.org/rfc/rfc5322#section-3.4
    from_schema: https://w3id.org/lmodel/ocsf
    see_also:
    - https://www.rfc-editor.org/rfc/rfc5322#section-3.4
    aliases:
    - From Mailbox
    rank: 1000
    alias: from_mailbox
    owner: Email
    domain_of:
    - Email
    range: string
  from_mailboxes:
    name: from_mailboxes
    description: 'The human-readable email header From Mailbox values. This array
      should contain
      the value in <code>from_mailbox</code>. For example <code>''Example User
      <example.user@usersdomain.com>''</code>.'
    notes:
    - RFC 5322 — https://www.rfc-editor.org/rfc/rfc5322#section-3.4
    from_schema: https://w3id.org/lmodel/ocsf
    see_also:
    - https://www.rfc-editor.org/rfc/rfc5322#section-3.4
    aliases:
    - From Mailboxes
    rank: 1000
    alias: from_mailboxes
    owner: Email
    domain_of:
    - Email
    range: EmailT
    multivalued: true
  http_headers:
    name: http_headers
    description: Additional HTTP headers of an HTTP request or response.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - HTTP Headers
    rank: 1000
    alias: http_headers
    owner: Email
    domain_of:
    - Email
    - HttpRequest
    - HttpResponse
    range: HttpHeader
    multivalued: true
  is_read:
    name: is_read
    description: The indication of whether the email has been read.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Read
    rank: 1000
    alias: is_read
    owner: Email
    domain_of:
    - Email
    range: boolean
  message_uid:
    name: message_uid
    annotations:
      observable_id:
        tag: observable_id
        value: 42
      ocsf_source:
        tag: ocsf_source
        value: Message-ID
    description: The email header Message-ID value, as defined by RFC 5322.
    notes:
    - RFC 5322 — https://www.rfc-editor.org/rfc/rfc5322
    from_schema: https://w3id.org/lmodel/ocsf
    see_also:
    - https://www.rfc-editor.org/rfc/rfc5322
    aliases:
    - Message UID
    rank: 1000
    alias: message_uid
    owner: Email
    domain_of:
    - Email
    range: string
    recommended: true
  raw_header:
    name: raw_header
    description: The email authentication header.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Raw Header
    rank: 1000
    alias: raw_header
    owner: Email
    domain_of:
    - Email
    range: string
  reply_to:
    name: reply_to
    description: 'The machine-readable email header Reply-To value, as defined by
      RFC 5322. For
      example <code>example.user@usersdomain.com</code>'
    deprecated: Use the <code> reply_to_list </code> attribute instead.
    notes:
    - RFC 5322 — https://www.rfc-editor.org/rfc/rfc5322
    from_schema: https://w3id.org/lmodel/ocsf
    see_also:
    - https://www.rfc-editor.org/rfc/rfc5322
    aliases:
    - Reply To
    rank: 1000
    alias: reply_to
    owner: Email
    domain_of:
    - Email
    range: EmailT
    recommended: true
  reply_to_list:
    name: reply_to_list
    description: 'The machine-readable email header Reply-To values, as defined by
      RFC 5322. For
      example <code>example.user@usersdomain.com</code>'
    notes:
    - RFC 5322 — https://www.rfc-editor.org/rfc/rfc5322
    from_schema: https://w3id.org/lmodel/ocsf
    see_also:
    - https://www.rfc-editor.org/rfc/rfc5322
    aliases:
    - Reply To List
    rank: 1000
    alias: reply_to_list
    owner: Email
    domain_of:
    - Email
    range: EmailT
    multivalued: true
  reply_to_mailboxes:
    name: reply_to_mailboxes
    description: 'The human-readable email header Reply To Mailbox values. For example
      <code>''Example User <example.user@usersdomain.com>''</code>.'
    notes:
    - RFC 5322 — https://www.rfc-editor.org/rfc/rfc5322#section-3.4
    from_schema: https://w3id.org/lmodel/ocsf
    see_also:
    - https://www.rfc-editor.org/rfc/rfc5322#section-3.4
    aliases:
    - Reply To Mailboxes
    rank: 1000
    alias: reply_to_mailboxes
    owner: Email
    domain_of:
    - Email
    range: string
    multivalued: true
  return_path:
    name: return_path
    description: 'The address found in the ''Return-Path'' header, which indicates
      where bounce
      messages (non-delivery reports) should be sent. This address is often set by
      the sending system and may differ from the ''From'' or ''Sender'' addresses.
      For
      example, <code>mailer-daemon@senderserver.com</code>.'
    notes:
    - RFC 5322 — https://www.rfc-editor.org/rfc/rfc5322
    - 'RFC 5321 - Simple Mail Transfer Protocol —
      https://datatracker.ietf.org/doc/html/rfc5321#section-4.4'
    from_schema: https://w3id.org/lmodel/ocsf
    see_also:
    - https://www.rfc-editor.org/rfc/rfc5322
    - https://datatracker.ietf.org/doc/html/rfc5321#section-4.4
    aliases:
    - Return Path
    rank: 1000
    alias: return_path
    owner: Email
    domain_of:
    - Email
    range: EmailT
  sender:
    name: sender
    description: 'The machine readable email address of the system or server that
      actually
      transmitted the email message, extracted from the email headers per RFC 5322.
      This differs from the <code>from</code> field, which shows the message author.
      The sender field is most commonly used when multiple addresses appear in the
      <code> from_list </code> field, or when the transmitting system is different
      from the message author (such as when sending on behalf of someone else).'
    notes:
    - RFC 5322 — https://www.rfc-editor.org/rfc/rfc5322
    from_schema: https://w3id.org/lmodel/ocsf
    see_also:
    - https://www.rfc-editor.org/rfc/rfc5322
    aliases:
    - Sender
    rank: 1000
    alias: sender
    owner: Email
    domain_of:
    - Email
    range: EmailT
  sender_mailbox:
    name: sender_mailbox
    description: 'The human readable email address of the system or server that actually
      transmitted the email message, extracted from the email headers per RFC 5322.
      This differs from the <code>from_mailbox</code> field, which shows the message
      author. The sender mailbox field is most commonly used when multiple addresses
      appear in the <code> from_mailboxes </code> field, or when the transmitting
      system is different from the message author (such as when sending on behalf
      of
      someone else).'
    notes:
    - RFC 5322 — https://www.rfc-editor.org/rfc/rfc5322
    from_schema: https://w3id.org/lmodel/ocsf
    see_also:
    - https://www.rfc-editor.org/rfc/rfc5322
    aliases:
    - Sender Mailbox
    rank: 1000
    alias: sender_mailbox
    owner: Email
    domain_of:
    - Email
    range: string
  size:
    name: size
    description: The size in bytes of the email, including attachments.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Size
    rank: 1000
    alias: size
    owner: Email
    domain_of:
    - Advisory
    - Container
    - DataClassification
    - Database
    - Databucket
    - Email
    - File
    - KbArticle
    - Table
    - MalwareScanInfo
    - MemoryActivity
    range: integer
    recommended: true
  smtp_from:
    name: smtp_from
    description: The value of the SMTP MAIL FROM command.
    deprecated: Use the <code> from </code> attribute instead.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - SMTP From
    rank: 1000
    alias: smtp_from
    owner: Email
    domain_of:
    - Email
    range: EmailT
    recommended: true
  smtp_to:
    name: smtp_to
    description: The value of the SMTP envelope RCPT TO command.
    deprecated: Use the <code> to </code> attribute instead.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - SMTP To
    rank: 1000
    alias: smtp_to
    owner: Email
    domain_of:
    - Email
    range: EmailT
    recommended: true
    multivalued: true
  subject:
    name: subject
    description: The email header Subject value, as defined by RFC 5322.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Subject Details
    rank: 1000
    alias: subject
    owner: Email
    domain_of:
    - Certificate
    - Email
    range: string
    recommended: true
  to:
    name: to
    description: 'The machine-readable email header To values, as defined by RFC 5322.
      For
      example <code>example.user@usersdomain.com</code>'
    notes:
    - RFC 5322 — https://www.rfc-editor.org/rfc/rfc5322
    from_schema: https://w3id.org/lmodel/ocsf
    see_also:
    - https://www.rfc-editor.org/rfc/rfc5322
    aliases:
    - To
    rank: 1000
    alias: to
    owner: Email
    domain_of:
    - Email
    - EmailActivity
    range: EmailT
    recommended: true
    multivalued: true
  to_mailboxes:
    name: to_mailboxes
    description: 'The human-readable email header To Mailbox values. For example <code>''Example
      User <example.user@usersdomain.com>''</code>.'
    notes:
    - RFC 5322 — https://www.rfc-editor.org/rfc/rfc5322#section-3.4
    from_schema: https://w3id.org/lmodel/ocsf
    see_also:
    - https://www.rfc-editor.org/rfc/rfc5322#section-3.4
    aliases:
    - To Mailboxes
    rank: 1000
    alias: to_mailboxes
    owner: Email
    domain_of:
    - Email
    range: string
    multivalued: true
  uid:
    name: uid
    description: The unique identifier of the email thread.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Unique ID
    rank: 1000
    alias: uid
    owner: Email
    domain_of:
    - Osint
    - Package
    - ProgrammaticCredential
    - RelatedEvent
    - Request
    - Sbom
    - Scim
    - Script
    - Session
    - Span
    - Sso
    - Ticket
    - Token
    - Trace
    - Entity
    - Resource
    - Account
    - Advisory
    - Agent
    - AiModel
    - Aircraft
    - Analytic
    - ApplicationObject
    - Assessment
    - Certificate
    - Check
    - ClassifierDetails
    - Container
    - Cve
    - Cwe
    - D3fTactic
    - D3fTechnique
    - DataClassification
    - Database
    - Databucket
    - DomainContact
    - Edge
    - Email
    - Endpoint
    - Evidences
    - Extension
    - Feature
    - File
    - FindingObject
    - FindingInfo
    - Graph
    - Group
    - HttpRequest
    - Idp
    - Image
    - KbArticle
    - LoadBalancer
    - Logger
    - Malware
    - ManagedEntity
    - MessageContext
    - Metadata
    - Mitigation
    - NetworkConnectionInfo
    - NetworkEndpoint
    - NetworkInterface
    - Node
    - Organization
    - PeripheralDevice
    - Policy
    - ProcessEntity
    - Product
    - QueryInfo
    - Reporter
    - Rule
    - Scan
    - Service
    - SubTechnique
    - Table
    - Tactic
    - Technique
    - Trait
    - TransformationInfo
    - UnmannedAerialSystem
    - User
    - WebResource
    - Device
    - WinResource
    range: string
    recommended: true
  urls:
    name: urls
    description: The URLs embedded in the email.
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - URLs
    rank: 1000
    alias: urls
    owner: Email
    domain_of:
    - Email
    range: Url
    multivalued: true
  x_originating_ip:
    name: x_originating_ip
    description: The X-Originating-IP header identifying the emails originating IP
      address(es).
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - X-Originating-IP
    rank: 1000
    alias: x_originating_ip
    owner: Email
    domain_of:
    - Email
    range: IpT
    multivalued: true
  data_classification:
    name: data_classification
    annotations:
      group:
        tag: group
        value: context
    description: 'The Data Classification object includes information about data classification
      levels and data category types.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Data Classification
    rank: 1000
    alias: data_classification
    owner: Email
    domain_of:
    - DataClassificationProfile
    range: DataClassification
    recommended: true
  data_classifications:
    name: data_classifications
    annotations:
      group:
        tag: group
        value: context
    description: 'A list of Data Classification objects, that include information
      about data
      classification levels and data category types, identified by a classifier.'
    from_schema: https://w3id.org/lmodel/ocsf
    aliases:
    - Data Classification
    rank: 1000
    alias: data_classifications
    owner: Email
    domain_of:
    - DataClassificationProfile
    range: DataClassification
    recommended: true
    multivalued: true
rules:
- postconditions:
    any_of:
    - slot_conditions:
        from_:
          name: from_
          required: true
    - slot_conditions:
        to:
          name: to
          required: true
  description: 'OCSF at_least_one: at least one of [''from_'', ''to''] must be set.'
```