Add email.return_path.address
#1947
Conversation
@MarkVanAcker, from your experiences, do |
|
@ebeahan thank you for working on this so quickly. According to the RFC:
It is not supposed to have > 1 addresses nor have I experienced this, but in theory a badly coded SMTP client could add it. For this reason allowing an array of values would be beneficial to detect anomalies. |
|
Updated change to set |
I'm not sure about this, it sets a theoretical precedent for permitting an Array of almost any field in order to detect anomalies. @MarkVanAcker have you seen any example in the field where this occurs, otherwise would it be possible to detect such potential anomalies in the process of mapping to ECS rather than after the fact? |
|
@djptek As per RFC, a SMTP system should not send a message that already contains a However, I have never seen any example of this behavior. I also don't know how modern mail servers behave when dealing with multiple return-paths. We map our fields to ECS before they enter the Elastic SIEM, so detecting anomalies before that would be a bit tricky. |
|
@ebeahan Any updates on the progress of this change? |
|
This PR is stale because it has been open for 60 days with no activity. |
Overview
As described in #1934, security analysts find the
Return-Pathheader useful for examining email events, and the field is a good addition to theemail.*field set.Open questions
RFC 5322
Return-Pathholding a single value, so I've createdemail.return_path.addressto expect only one value.Any known use cases where
Return-Pathwould hold more than one value, and would it benefitreturn_path.addressto hold an array of values?Resolves #1934