Add "*.domain" Fields to ECS "email" Schema

[MakoWish]

Summary

Add *.domain fields to ECS email schema.

Motivation:

I have been using email.* fields for quite some time now, and I just realized there is now an official email schema for ECS. I have always parsed the full email addresses to also get the domain component of the address. This helps to visualize and report on domain names involved in email transmissions for the sake of both DLP and threat IOC's.

I noticed there are no official *.domain fields to mimic what I have been using, so I would like to propose those be added to the schema.

Detailed Design:

Provide additional details around the design of the proposed changes.

• Field names
  • email.cc.domain
  • email.from.domain
  • email.reply_to.domain
  • email.sender.domain
  • email.to.domain
• Example values for the fields
  • foo.org
  • contoso.com
• Suggested appropriate datatypes
  • keyword
• Any example events that map to the proposed use case(s)
  • All email events that contain email addresses, such as email.from.address, email.to.address, email.cc.address, etc. may be parsed (e.g. either a split or Grok on '@') for just the domain component of the address.

This could later be extended to the related ECS schema to include things such as related.email.address and related.email.domain to assist with investigating DLP and threat IOC's for emails.

I appreciate your consideration on this!

Eric

[MakoWish]

Nothing on this? I am already using these fields in a "catch all" ingest pipeline on our cluster, but it would be nice to see these fields added officially.

I have contributed to beats and integrations in the past, but I am not sure of this team's processes for making a minor change like this to ecs. I could create a PR for these changes, but please be gentle on me if I am missing a step this team likes to see in their PR's.